XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0

Committee Specification Draft 01 / Public Review Draft 01

02 October 2014

Specification URIs

This version:
    http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0-csprd01.doc (Authoritative)
    http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0-csprd01.html
    http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0-csprd01.pdf

Previous version:
    N/A

Latest version:
    http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.doc (Authoritative)
    http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html
    http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.pdf

Technical Committee:
    OASIS eXtensible Access Control Markup Language (XACML) TC

Chairs:
    Bill Parducci ([email protected]), Individual
    Hal Lockhart ([email protected]), Oracle

Editors:
    John Tolbert ([email protected]), Queralt, Inc.
    Richard Hill ([email protected]), The Boeing Company
    Crystal Hayes ([email protected]), The Boeing Company
    David Brossard ([email protected]), Axiomatics AB
    Hal Lockhart ([email protected]), Oracle
    Steven Legg ([email protected]), ViewDS

Related work:
    This specification is related to:
    • eXtensible Access Control Markup Language (XACML) Version 3.0. Edited by Erik Rissanen. 22 January 2013. OASIS Standard. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html.

Abstract:
    This specification defines a profile for the use of XACML in expressing policies for data loss prevention and network access control tools and technologies. It defines standard attribute identifiers useful in such policies, and recommends attribute value ranges for certain attributes. It also defines several new functions for comparing IP addresses and DNS names, not provided in the XACML 3.0 core specification.

Status:
    This document was last revised or approved by the OASIS eXtensible Access Control Markup Language (XACML) TC on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#technical.
    TC members should send comments on this specification to the TC’s email list. Others should send comments to the TC’s public comment list, after subscribing to it by following the instructions at the “Send A Comment” button on the TC’s web page at https://www.oasis-open.org/committees/xacml/.
    For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (https://www.oasis-open.org/committees/xacml/ipr.php).

Citation format:
    When referencing this specification the following citation format should be used:
    [xacml-dlp-nac-v1.0]
    XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0. Edited by John Tolbert, Richard Hill, Crystal Hayes, David Brossard, Hal Lockhart, and Steven Legg. 02 October 2014. OASIS Committee Specification Draft 01 / Public Review Draft 01. http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/csprd01/xacml-3.0-dlp-nac-v1.0-csprd01.html. Latest version: http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html.

xacml-3.0-dlp-nac-v1.0-csprd01    02 October 2014
Standards Track Work Product    Copyright © OASIS Open 2014. All Rights Reserved.
Notices

Copyright © OASIS Open 2014. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.

OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.

Table of Contents

1 Introduction
  1.1 Glossary
  1.2 Terminology
  1.3 Normative References
  1.4 Non-Normative References
  1.5 Scope
  1.6 Use cases
    1.6.1 Data Loss Prevention
    1.6.2 Network Access Control
  1.7 Disclaimer
2 Profile
  2.1 Network Datatypes
    2.1.1 Portranges
    2.1.2 IP Address Datatypes
    2.1.3 IP Address Functions
    2.1.4 DNS Name Datatypes
    2.1.5 DNS Name Functions
  2.2 Resource Attributes
    2.2.1 Resource-id
    2.2.2 Resource-location
  2.3 Access Subject Attributes
    2.3.1 Subject-ID
    2.3.2 Subject-Security-Domain
    2.3.3 Authentication-Time
    2.3.4 Authentication-Method
    2.3.5 Request-Time
    2.3.6 IP Address
    2.3.7 DNS Name
  2.4 Recipient Subject Attributes
    2.4.1 Subject-ID
    2.4.2 Subject-Security-Domain
  2.5 Requesting Machine Attributes
    2.5.1 Subject-ID
  2.6 Recipient Machine Attributes
    2.6.1 Subject-ID
    2.6.2 Removable-Media
  2.7 Codebase Attributes
    2.7.1 Authorized-Application
  2.8 Action Attributes
    2.8.1 Action-ID
    2.8.2 Action-Protocol
    2.8.3 Action-Method
  2.9 Obligations
    2.9.1 Encrypt
    2.9.2 Log
    2.9.3 Marking
3 Identifiers
  3.1 Profile Identifier
4 Examples (non-normative)
  4.1 DLP use cases
    4.1.1 Prevent sensitive data from being read/modified by unauthorized users
    4.1.2 Prevent sensitive data from being emailed to unauthorized users
    4.1.3 Prevent sensitive data from being transferred via web-mail
    4.1.4 Prevent sensitive data from being copied/printed from one computer to another
    4.1.5 Prevent sensitive data from being transferred to removable media
    4.1.6 Prevent sensitive data from being transferred to disallowed URLs
    4.1.7 Prevent sensitive data from being copied from one resource to another
    4.1.8 Prevent sensitive data from being read/modified by unauthorized applications
  4.2 NAC use case examples
    4.2.1 Prevent traffic flow between network resources, based on protocol
    4.2.2 Restrict users to certain network resources, based on subject-id
5 Conformance
  5.1 IP Address and DNS Name Datatypes and Functions
  5.2 Category Identifiers
  5.3 Attribute Identifiers
  5.4 Attribute Values
Appendix A. Acknowledgments
Appendix B. Revision History
1 Introduction
{Non-normative}

This specification defines a profile for the use of the OASIS eXtensible Access Control Markup Language (XACML) [XACML3] to write and enforce policies to govern data loss prevention (DLP) tools and to provide access control for network resources. Use of this profile requires no changes or extensions to the [XACML3] standard.

This specification begins with a non-normative discussion of the topics and terms of interest in this profile. The normative section of the specification describes the attributes defined by this profile and provides recommended usage patterns for attribute values.

This specification assumes the reader is somewhat familiar with XACML. A brief overview sufficient to understand these examples is available in [XACMLIntro].

Enterprises have legal, regulatory, and business reasons to protect their information, as exemplified by contracts, privacy, financial, and export regulations. Organizations interpret those legal agreements, regulations, and business rules to form security and information protection policies, expressed in natural languages. Business policies and regulations are then instantiated as machine-enforceable access control policies. Most organizations employ a variety of security software tools to enforce access control policies and monitor compliance. In many cases, each tool must be configured independently of the others, leading to duplicative efforts and increased risk of inconsistent implementations.

XACML-conformant access control systems provide scalable and consistent access control policy management, enforcement, and compliance for web services, web applications, and data objects in a variety of repositories. The XACML policy format and reference architecture can be extended to promote policy consistency and efficient administration in the following areas.

DLP tools monitor “data-in-use” at endpoints (e.g., desktops, laptops, and mobile devices), “data-in-motion” on networks, and “data-at-rest” in storage systems. DLP tools enforce access control policies at these locations to prevent unauthorized access to and unintended disclosure of sensitive data. If DLP systems standardized on the XACML policy format, enterprise policy authorities could use the same language to define access control policies for endpoints, networks, servers, applications, web services, and file repositories. The cost savings and improvements to security posture will be substantial.

Network Access Control (NAC) technologies enforce access control policies to restrict and regulate network traffic between routers, switches, firewalls, Virtual Private Network (VPN) devices, servers, and endpoint devices. Resources are commonly identified by Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, and Domain Name Service (DNS) names. Traffic flows between devices according to defined ports and protocols, which can be described, grouped, and used as attributes in access control policies.

The XACML policy format is suitable for and should be used to create, enforce, and exchange policies between different DLP and NAC systems. Subject information, including a rich set of metadata about subjects, will be expressed as subject attributes. Data objects and network resources will be expressed as resource attributes. Requests made by subjects and traffic operations will be expressed as action attributes.

This profile serves as a framework of common data loss prevention and network resource attributes upon which access control policies can be written, and to promote federated authorization for access to data objects and network resources. This profile will also provide XACML software developers and access control policy authors guidance on supporting DLP and NAC use cases.
1.1 Glossary

Attribute Based Access Control (ABAC)
    ABAC is an access control methodology wherein subjects are granted access to resources based primarily upon attributes of the subjects, resources, actions, and environments identified in a particular request context. Attributes are characteristics of the elements above, which may be assigned by administrators and stored in Policy Information Points [XACML3], or may be ascertained by Policy Decision Points [XACML3] at runtime.

Data Loss Prevention (DLP)
    DLP tools monitor “data-in-use” at endpoints (e.g., desktops, laptops, and mobile devices), “data-in-motion” on networks, and “data-at-rest” in storage systems. DLP tools enforce access control policies at these locations to prevent unauthorized access to and unintended disclosure of sensitive data.

Discretionary Access Control (DAC)
    DAC is an access control methodology wherein subjects are granted access to resources based primarily upon attributes of the subjects. Administrators can assign access permissions, sometimes called entitlements, to groups, roles, and other attributes, which are then associated with specific subjects.

Mandatory Access Control (MAC)
    MAC is an access control methodology wherein subjects obtain access to resources based on the evaluation of subject, resource, action, and environment attributes. Access requests typically include resource attributes such as visible labels and metadata tags, which convey information about the sensitivity of the associated resource.

Network Access Control (NAC)
    NAC is an access control methodology wherein subjects obtain access to network-layer resources (routers, switches, and endpoints) based on the evaluation of subject, resource, action, and environment attributes. Subjects may include users and devices. Actions may include commonly defined services and protocols as well as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.

1.2 Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].

1.3 Normative References

[RFC2119]     S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[RFC 3986]    T. Berners-Lee, Uniform Resource Identifier (URI): Generic Syntax, http://www.rfc-editor.org/rfc/rfc3986.txt, IETF RFC 3986, January 2005.
[XACML-IPC]   OASIS Standard, eXtensible Access Control Markup Language (XACML) Intellectual Property Controls (IPC) profile, Version 1.0, March 2013. http://docs.oasis-open.org/xacml/3.0/ipc/v1.0/cs02/xacml-3.0-ipc-v1.0-cs02-en.pdf
[XACML3]      OASIS Standard, eXtensible Access Control Markup Language (XACML) Version 3.0, April 2010. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.doc
[XACML2]      OASIS Standard, "eXtensible Access Control Markup Language (XACML) Version 2.0", February 2005. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
[XACML1]      OASIS Standard, "eXtensible Access Control Markup Language (XACML) Version 1.0", February 2003. http://www.oasis-open.org/committees/download.php/2406/oasis-xacml-1.0.pdf
[JSON]        JSON Profile of XACML 3.0 Version 1.0. Edited by David Brossard. 15 May 2014. OASIS Committee Specification Draft 03 / Public Review Draft 03. http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/csprd03/xacml-json-http-v1.0-csprd03.html. Latest version: http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html.

1.4 Non-Normative References

[XACMLIntro]  OASIS XACML TC, A Brief Introduction to XACML, 14 March 2003, http://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html
[ISO3166]     ISO 3166 Maintenance agency (ISO 3166/MA), http://www.iso.org/iso/country_codes.htm
[DublinCore]  Dublin Core Metadata Element Set, version 1.1. http://dublincore.org/documents/dces/

1.5 Scope

DLP and NAC tools are policy-driven enforcement systems. This profile defines standard XACML attributes for these DLP and NAC use cases, and recommends the adoption of standardized attribute values.

1.6 Use cases

1.6.1 Data Loss Prevention

1.6.1.1 Prevent sensitive data from being read/modified by unauthorized users

This generic use case encompasses many permutations of these attributes. Consider the nearly ubiquitous case where an administrator needs to limit the actions of users to certain groups for each action type. For example, Group 1 should be able to create data objects in the target location; group 2 should be able to edit data objects in the target location; groups 1, 2, and 3 should be able to read the contents without being able to edit them; and groups 1 and 4 should be able to delete the data objects.
These policies must be enforceable on a plethora of computing and network devices with diverse operating systems.

1.6.1.2 Prevent sensitive data from being emailed to unauthorized users

Email systems are often the vector through which sensitive data escapes, both intentionally and unintentionally, without authorization. To prevent data loss, security administrators must be able to define and enforce policies that limit which subjects may email certain types of resources to specific recipient subjects. For example, a policy may prohibit sending proprietary information to recipients who are not licensed to have it [XACML-IPC]. These policies may be enforced on the email client and/or the email gateway servers.

1.6.1.3 Prevent sensitive data from being transferred via web-mail

Security administrators need to be able to prohibit subjects from transferring sensitive data resources via web-mail systems. These policies may be enforced on endpoint devices such as desktops, laptops, and mobile devices, and on web proxy computers and appliances.

1.6.1.4 Prevent sensitive data from being copied/printed from one computer to another

Security administrators need to be able to ensure data containment, i.e., certain data objects must not be copied or transferred outside of special or high-security computing and network environments. These policies may be enforced on endpoint devices (such as desktops, laptops, and mobile devices), servers, printers, network devices, and firewalls.

1.6.1.5 Prevent sensitive data from being transferred to removable media

Removable media is another common vector for data loss. Security administrators must be able to enforce policies to prohibit subjects from transferring specific resources to removable media devices. These policies will be enforced on endpoint devices and servers.

1.6.1.6 Prevent sensitive data from being transferred to disallowed URLs

Data exfiltration may occur via standard web protocols such as HTTP and HTTPS. Security administrators need to be able to prohibit subjects from transferring specific resources via HTTP(S) outside the local domain or to certain disallowed URLs. These policies may be enforced at endpoint devices as well as firewalls, network devices, web proxies, and web portals.

1.6.1.7 Prevent sensitive data from being copied from one resource to another

Sensitive data may not be copied from a specific resource or location to another. This prevents malicious actors from copying data into new files or databases to evade security controls.

1.6.1.8 Prevent sensitive data from being read/modified by unauthorized applications

Policies may stipulate which applications can read or modify resources to prevent insecure applications or malware-compromised applications from contaminating or exfiltrating sensitive data. This use case assumes that the Policy Decision Point (PDP) can call an external configuration management database to determine if the application is on the approved list.

1.6.2 Network Access Control

1.6.2.1 Prevent traffic flow between network resources, based on protocol

Network devices that control the flow of network traffic (e.g. firewall) may need to restrict network traffic based on policy regarding the type of protocols allowed. For example, a policy may disallow transfer of resources using unsecured protocols such as ftp, but will allow the more secure SFTP protocol.

1.6.2.2 Restrict users to certain network resources, based on subject attributes

Network devices that control access to network resources (e.g. VPN) may restrict an authenticated user’s access to certain subnets, such as secure access zones or enclaves, based on policy regarding the type of subject attributes.

1.7 Disclaimer

2 Profile

2.1 Network Datatypes

This section defines several datatypes and functions related to determining network location using either IP Address or DNS name. Network locations are used as both Resource and Subject Attributes as described in the sections below.

2.1.1 Portranges

Both IP Address types and DNS Name types MAY include a port range list. An IP port is a 16-bit number expressed in decimal. Port 0 is not used. Thus valid values for a portnumber range from 1 to 65536. The syntax SHALL be:

    portrange = portnumber | "-" portnumber | portnumber "-" [ portnumber ]
    portrangelist = portrange [ "," portrange ]

where "portnumber" is a decimal port number. When two port numbers are given in a range, the first must be lower than the second. The port range includes the given ports. If the port range is of the form "-x", where "x" is a port number, then the range is all ports numbered "x" and below. If the port range is of the form "x-", then the range is all ports numbered "x" and above.

Port range is the same as defined in A.2 of [XACML3]. Port range list allows multiple non-contiguous ranges to be specified. The port ranges in a given port range list MAY appear in any order and MAY overlap. The port range list indicates all the ports in any of the ranges.

2.1.2 IP Address Datatypes

The “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” primitive type represents an IPv4 or IPv6 network address value, with optional port.
The syntax SHALL be:

    ipAddress-value = ipAddress [ ":" port ]

For an IPv4 address or IPv6 address, the address is formatted in accordance with the syntax for a "host" in [RFC 3986], section 3.2.2. (Note that an IPv6 address, in this syntax, is enclosed in literal "[" "]" brackets.) The subnet mask SHALL be omitted.

The “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern” primitive type represents an IPv4 or IPv6 network address pattern, with optional portrange list. The syntax SHALL be:

    ipAddressrange = ipAddress | "-" ipAddress | ipAddress "-" [ ipAddress ]
    ipAddressrangelist = ipAddressrange [ "," ipAddressrange ]
    ipAddress-pattern = ipAddressrangelist [ ":" portrangelist ]

The subnet mask SHALL be omitted. When two IP addresses are given in a range, the first must be lower than the second. The IP address range includes the given IP addresses. If the IP address range is of the form "-x", where "x" is an IP address, then the range is all IP addresses numbered "x" and below. If the IP address range is of the form "x-", then the range is all IP addresses numbered "x" and above. IP address range list allows multiple non-contiguous ranges to be specified. The IP address ranges in a given IP address range list MAY appear in any order and MAY overlap. The IP address range list indicates all the IP addresses in any of the ranges.

Note that any string which is a valid IP Address value is by definition a valid IP Address pattern.

Examples

Valid ipAddress-values
    192.168.1.2
    101.86.23.0:443
    [602:ea8:85a3:8d3:223:8a2e:370:ff04]
    [602:ea8:85a3::370:ff04]
    [2001:db8:85a3:8d3:1319:8a2e:370:7348]:80

Invalid ipAddress-values
    192.168.1.556                                     // value too large
    101.12.2.1-101.12.2.127                           // ip address range not allowed
    192.168.54.3/16                                   // mask not allowed
    101.86.23.0:443-1024                              // port range not allowed
    [602:ea8:85a3:8d3:223:8a2e:cex:ff04]              // value not hexadecimal
    [602:ea8::85a3::370:ff04]                         // multiple ::
    [2001:db8:85a3:8d3:1319:8a2e:370:7348]:80-200     // port range not allowed

Valid ipAddress-patterns
    192.168.1.2-192.168.1.125
    101.86.23.0-101.86.100.255, 101.20.1.1-101.86.50.255:443
    [602:ea8:85a3:8d3:223:8a2e:370:ff04]:1-1023
    [602:ea8:85a3::370:1]-[602:ea8:85a3::370:ff04]:80

Invalid ipAddress-patterns
    192.168.5.2-192.168.1.125                         // range not low to high
    [602:ea8:85a3:8d3:223:8a2e:370:ff04]:1-90000      // port out of range

2.1.3 IP Address Functions

The following functions are matching functions for the IP Address datatypes.

urn:oasis:names:tc:xacml:3.0:function:ipAddress-match
    This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
    • The first and second arguments SHALL both be of the same IP version (4 or 6).
    • The value of the second argument SHALL be identical to one of the values in the IP address range list of the first argument.
    • Any port or port range values in either argument SHALL be ignored.
    Otherwise, it SHALL return “False”.

urn:oasis:names:tc:xacml:3.0:function:ipAddress-endpoint-match
    This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
    • The first and second arguments SHALL both be of the same IP version (4 or 6).
    • The value of the second argument SHALL be identical to one of the values in the IP address range list of the first argument.
    • The first argument SHALL contain a port range list and the second SHALL contain a port value which is included in the port range list of the first.
    Otherwise, it SHALL return “False”.

urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal
    This function SHALL take two arguments of data-type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
    • The first and second arguments SHALL both be of the same IP version (4 or 6).
    • The value of the first argument SHALL have a value identical to the second argument.
    • Any port value in either argument SHALL be ignored.
    Otherwise, it SHALL return “False”.

2.1.4 DNS Name Datatypes

The “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” primitive type represents a Domain Name Service (DNS) host name, with optional port. The syntax SHALL be:

    dnsName-value = hostname [ ":" port ]

The hostname is formatted in accordance with [RFC 3986], section 3.2.2.
</p><p>The “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern” primitive type represents a Domain Name Service (DNS) host name, with optional port range list. The syntax SHALL be:
 dnsName-pattern = hostname [ ":" portrangelist ]
The hostname is formatted in accordance with [RFC 3986], section 3.2.2, except that a wildcard "*" may be used in the left-most component of the hostname to indicate "any subdomain" under the domain specified to its right. Because the matching functions in section 2.1.5 require the same number of components on both sides, the wildcard stands for exactly one component: “*.acme.com” matches “host.acme.com” but neither “acme.com” itself nor “a.b.acme.com”.</p><p>2.1.5 DNS Name Functions
The following functions are matching functions for the DNS Name datatypes.

urn:oasis:names:tc:xacml:3.0:function:dnsName-match
This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following condition is met.
 • The number of name components in the second argument SHALL be the same as the number in the first argument and each component in the second argument SHALL be identical to the corresponding component in the first argument, except that if the leftmost component in the first argument has the value “*” it SHALL be deemed to match any value in the corresponding component of the second argument. (Any port or port range values in either argument SHALL be ignored.)
Otherwise, it SHALL return “False”. 

urn:oasis:names:tc:xacml:3.0:function:dnsName-endpoint-match
This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
 • The number of name components in the second argument SHALL be the same as the number in the first argument and each component in the second argument SHALL be identical to the corresponding component in the first argument, except that if the leftmost component in the first argument has the value “*” it SHALL be deemed to match any value in the corresponding component of the second argument.
 • The first argument SHALL contain a port range list and the second SHALL contain a port value which is included in the port range list of the first.
Otherwise, it SHALL return “False”.

urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal
This function SHALL take two arguments of data-type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following condition is met.
 • The number of name components in the second argument SHALL be the same as the number in the first argument and each component in the second argument SHALL be identical to the corresponding component in the first argument. (Any port values in either argument SHALL be ignored.)
Otherwise, it SHALL return “False”. 
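</p><p>The datatypes of sections 2.1.2 and 2.1.4 and the six matching functions of sections 2.1.3 and 2.1.5, as an added Python illustration; this code is not part of the profile. It parses ipAddress-value, ipAddress-pattern, dnsName-value and dnsName-pattern literals, rejects every invalid example listed under 2.1.2, and implements ipAddress-match, ipAddress-endpoint-match, ipAddress-value-equal, dnsName-match, dnsName-endpoint-match and dnsName-value-equal. Assumptions beyond the text: IPv6 literals are always bracketed, items of a range list or port range list are comma-separated, a port range list may follow the last range of an ipAddress-pattern, and DNS labels compare case-insensitively (RFC 4343) rather than byte-for-byte; all function and parser names are the example's own.

```python
"""ipAddress-* and dnsName-* datatypes and matching functions of the DLP/NAC profile.
Added illustration, not the profile's code. Assumptions: IPv6 literals are bracketed,
list items are comma-separated, a port range list may end an ipAddress-pattern, and
DNS labels compare case-insensitively (RFC 4343)."""
import ipaddress

def parse_port_list(text, allow_range):
    """'443' -> [(443, 443)]; '1-1023,8080' -> [(1, 1023), (8080, 8080)]."""
    ranges = []
    for item in text.split(","):
        lo, dash, hi = item.strip().partition("-")
        if dash and not allow_range:
            raise ValueError("port range not allowed: " + item)
        lo, hi = int(lo), int(hi if dash else lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port out of range: " + item)
        ranges.append((lo, hi))
    return ranges

def _split_host_port(token):
    """'[a::1]-[a::9]:80' -> ('[a::1]-[a::9]', '80'); 'h.acme.com' -> ('h.acme.com', None)."""
    token = token.strip()
    if token.startswith("["):                  # bracketed IPv6: inner colons are not a port
        body, _, tail = token.rpartition("]")
        if tail and not tail.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal: " + token)
        return body + "]", (tail[1:] or None)
    body, colon, port = token.partition(":")
    return body, (port if colon else None)

def _ip(literal):
    # ipaddress rejects masks, ranges, octets above 255, non-hex digits and repeated '::'
    return ipaddress.ip_address(literal.strip("[]"))

def is_valid(parser, text):
    """True when `parser` accepts `text` (screens the 2.1.2 valid/invalid examples)."""
    try:
        parser(text)
    except ValueError:
        return False
    return True

def parse_ip_value(text):
    """ipAddress-value: one address, at most one port -> (address, port or None)."""
    host, port = _split_host_port(text)
    addr = _ip(host)
    ports = parse_port_list(port, allow_range=False) if port else []
    return addr, (ports[0][0] if ports else None)

def parse_ip_pattern(text):
    """ipAddress-pattern -> ([(low, high), ...], [(port_low, port_high), ...])."""
    ranges, ports = [], []
    for token in text.split(","):
        if ports:                              # once the port list has begun, only ports follow
            ports += parse_port_list(token, allow_range=True)
            continue
        body, port = _split_host_port(token)
        ends = body.split("]-[") if body.startswith("[") else body.split("-")
        low, high = _ip(ends[0]), _ip(ends[-1])
        if len(ends) > 2 or low.version != high.version or low > high:
            raise ValueError("range not low to high: " + token)
        ranges.append((low, high))
        if port:
            ports = parse_port_list(port, allow_range=True)
    return ranges, ports

def _in_ranges(addr, ranges):
    # compare versions first: ipaddress refuses to order IPv4 against IPv6
    return any(lo.version == addr.version and lo <= addr <= hi for lo, hi in ranges)

def ip_address_match(pattern, value):
    """ipAddress-match: address falls in one range of the pattern; ports ignored."""
    return _in_ranges(parse_ip_value(value)[0], parse_ip_pattern(pattern)[0])

def ip_address_endpoint_match(pattern, value):
    """ipAddress-endpoint-match: address matches AND the value's port is in the pattern's list."""
    ranges, ports = parse_ip_pattern(pattern)
    addr, port = parse_ip_value(value)
    return port is not None and _in_ranges(addr, ranges) and any(lo <= port <= hi for lo, hi in ports)

def ip_address_value_equal(a, b):
    """ipAddress-value-equal: same address, ports ignored; IPv4 never equals IPv6."""
    return parse_ip_value(a)[0] == parse_ip_value(b)[0]

def parse_dns(text, is_pattern):
    """dnsName-value / dnsName-pattern -> (lower-cased labels, port ranges).
    '*' is accepted only as the leftmost label of a pattern; a value takes a single port."""
    host, port = _split_host_port(text)
    labels = host.lower().split(".")
    if not all(labels) or "*" in labels[1:] or (labels[0] == "*" and not is_pattern):
        raise ValueError("bad hostname: " + host)
    return labels, (parse_port_list(port, allow_range=is_pattern) if port else [])

def dns_name_match(pattern, value):
    """dnsName-match: same label count; a leftmost '*' matches exactly one label."""
    p, v = parse_dns(pattern, True)[0], parse_dns(value, False)[0]
    return len(p) == len(v) and all(a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, v)))

def dns_name_endpoint_match(pattern, value):
    """dnsName-endpoint-match: names match AND the value's port is in the pattern's list."""
    pports, vports = parse_dns(pattern, True)[1], parse_dns(value, False)[1]
    return dns_name_match(pattern, value) and bool(vports) and any(lo <= vports[0][0] <= hi for lo, hi in pports)

def dns_name_value_equal(a, b):
    """dnsName-value-equal: identical labels, ports ignored."""
    return parse_dns(a, False)[0] == parse_dns(b, False)[0]
```

Two behaviours worth checking in a PDP under test: ipAddress-value-equal of an IPv4 address against its IPv4-mapped IPv6 form ([::ffff:10.0.0.1] versus 10.0.0.1) is False because the versions differ, and a "*" pattern matches exactly one label, so a policy written for *.acme.com covers alice-laptop.acme.com but neither acme.com itself nor sub.host.acme.com.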
</p><p>2.2 Resource Attributes
The following Resource Attributes defined in section 10.2.6 of [XACML3] facilitate the description of DLP and NAC objects for the purpose of creating access control policies.</p><p>2.2.1 Resource-id
The Resource-id value shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:1.0:resource:resource-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#anyURI. This attribute denotes the uniform resource identifier of the requested resource.</p><p>2.2.2 Resource-location
The Resource-location value shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:1.0:resource:resource-location
Allowable DataTypes for this attribute are: http://www.w3.org/2001/XMLSchema#anyURI, urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value, urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value, and urn:ogc:def:dataType:geoxacml:1.0:geometry. This attribute denotes the logical and/or physical location of the requested resource.</p><p>2.3 Access Subject Attributes
The attributes in this section appear in conjunction with the access subject category [XACML3].
 urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</p><p>2.3.1 Subject-ID
This is the identifier for the subject issuing the request, which may include user identifiers, machine identifiers, and/or application identifiers.
Subject-ID values shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:1.0:subject:subject-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.</p><p>2.3.2 Subject-Security-Domain
This identifier indicates the security domain of the access subject. 
It identifies the administrator and policy that manages the name-space in which the subject id is administered.
Subject-Security-Domain values shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.</p><p>2.3.3 Authentication-Time
This identifier indicates the time at which the subject was authenticated. Authentication-Time values shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:1.0:subject:authentication-time
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#dateTime.</p><p>2.3.4 Authentication-Method
This identifier indicates the method used to authenticate the subject. Authentication-Method values shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:1.0:subject:authentication-method
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.</p><p>2.3.5 Request-Time
This identifier indicates the time at which the subject initiated the access request, according to the PEP. Request-Time values shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:1.0:subject:request-time
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#dateTime.</p><p>2.3.6 IP Address
This identifier indicates the location where authentication credentials were activated, expressed as an IP address:
 urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address
The DataType of this attribute is urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value.</p><p>2.3.7 DNS Name
This identifier indicates the location where authentication credentials were activated, expressed as a DNS name:
 
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name
The DataType of this attribute is urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value.</p><p>2.4 Recipient Subject Attributes
The attributes in this section appear in conjunction with the recipient subject category [XACML3]:
 urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject</p><p>2.4.1 Subject-ID
This identifier indicates the entity that will receive the results of the request, which may include user identifiers, machine identifiers, and/or application identifiers.
Subject-ID values shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:1.0:subject: subject-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string. (The sample policy in section 4.1.2 carries the recipient's e-mail address as urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name so that rfc822Name-match can test its domain.)</p><p>2.4.2 Subject-Security-Domain
This identifier indicates the security domain of the recipient subject. It identifies the administrator and policy that manages the name-space in which the recipient-subject id is administered.
Subject-Security-Domain values shall be designated with the following attribute identifier:
 urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.</p><p>2.5 Requesting Machine Attributes
The attributes in this section appear in conjunction with the requesting machine category [XACML3].
 urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine</p><p>2.5.1 Subject-ID
This identifier indicates the address of the machine from which the access request originated. Requesting-machine values shall be designated with the following attribute identifier.
 urn:oasis:names:tc:xacml:1.0:subject:subject-id
The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. 
For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string.</p><p>2.6 Recipient Machine Attributes
The following identifier is defined to indicate the machine to which access is intended to be granted.
 urn:oasis:names:tc:xacml:3.0:subject-category:recipient-machine
The shorthand notation for this category in the JSON representation [XACML3] is RecipientMachine.</p><p>2.6.1 Subject-ID
This identifier indicates the address of the machine(s) to which the access will be granted. Recipient machine values shall be designated with the following attribute identifier.
 urn:oasis:names:tc:xacml:1.0:subject:subject-id
The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. The attribute value may include full paths including volume names, where applicable. For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string. The attribute may take multiple values.</p><p>2.6.2 Removable-Media
This identifier indicates whether or not the destination of the action is a removable media device. Removable media values shall be designated with the following attribute identifier.
 urn:oasis:names:tc:xacml:3.0:subject:removable-media
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.</p><p>2.7 Codebase Attributes</p><p>2.7.1 Authorized-Application
This identifier indicates whether or not the requesting application is approved for the actions requested.
 urn:oasis:names:tc:xacml:3.0:codebase:authorized-application
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean. 
</p><p>2.8 Action Attributes
In order to create fine-grained access control rules and policies, specific action attributes must be defined. Action attributes are grouped according to type of action.</p><p>2.8.1 Action-ID
The following action attribute values correspond to the action-id identifier:
 urn:oasis:names:tc:xacml:1.0:action:action-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string (the sample policies in section 4 match it with string-equal).
The following action-id values are defined.
 urn:oasis:names:tc:xacml:1.0:action:action-id:create
 urn:oasis:names:tc:xacml:1.0:action:action-id:read
 urn:oasis:names:tc:xacml:1.0:action:action-id:update
 urn:oasis:names:tc:xacml:1.0:action:action-id:delete
 urn:oasis:names:tc:xacml:1.0:action:action-id:copy
 urn:oasis:names:tc:xacml:1.0:action:action-id:print
 urn:oasis:names:tc:xacml:1.0:action:action-id:email-send
Additional action-IDs can be defined as needed.</p><p>2.8.2 Action-Protocol
For both DLP and NAC purposes, standard protocols must be available for policy authors to use.
The following action attribute values correspond to the action-protocol identifier:
 urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
The list below contains a number of common protocols which can be used to construct DLP and NAC policies. The list is not comprehensive, and may be extended as needed by implementers.
 SMTP
 FTP
 SFTP
 IMAP
 POP
 RPC
 HTTP
 HTTPS
 LDAP
 TCP (ports can be specified as TCP:81, TCP:100-120, etc.)
 
UDP (ports can be specified as UDP:54, UDP:100-120)</p><p>2.8.3 Action-Method
The following action attribute values correspond to the action-method identifier:
 urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
The list below contains a number of action-methods which can be used to construct DLP and NAC policies. The list is based on HTTP as an example, and is not comprehensive. Additional methods may be created as needed by implementers.
 GET
 PUT
 POST
 HEAD
 DELETE
 OPTIONS</p><p>2.9 Obligations
The <Obligation> element is used in the XACML response to notify the PEP that additional processing is required. This profile focuses on the use of obligations for encryption, logging and visual marking. The XACML response may contain one or more obligations. Processing of an obligation is application specific, but [XACML3] requires a conforming PEP to deny access unless it understands and can discharge every obligation attached to the decision, so an obligation is only effective where all PEPs in scope implement it. An <Obligation> may contain the object (resource) and action pairing information. If multiple vocabularies are used for resource definitions the origin of the vocabulary MUST be identified.
The obligation identifiers defined by this profile share the following prefix:
 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation</p><p>2.9.1 Encrypt
The Encrypt obligation shall be designated with the following identifier:
 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt
The encrypt obligation can be used to command PEPs (Policy Enforcement Points) to encrypt the resource. This profile does not specify the type of encryption or other parameters to be used; rather, the details of implementation are left to the discretion of policy authors and software developers as to how to best meet their individual requirements. 
The following is an example of the Encrypt obligation:
 <ObligationExpressions>
  <ObligationExpression
   ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
   FulfillOn="Permit"/>
 </ObligationExpressions></p><p>2.9.2 Log
The Log obligation shall be designated with the following identifier:
 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log
The log obligation can be used to command PEPs to make an electronic record of the access request and result. Examples of log types are syslog, application logs, operating system logs, etc. Policy authors can use this obligation to meet legal, contractual, or organizational policy requirements by forcing PEPs to record the request and response. Policy authors may find that logging both <Permit> and <Deny> decisions is advantageous depending on the business or legal requirements; since FulfillOn names a single effect, this takes one <ObligationExpression> with FulfillOn="Permit" and a second with FulfillOn="Deny". This profile does not specify the content that should be written to the log.

The following is an example of the Log obligation:
 <ObligationExpressions>
  <ObligationExpression
   ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log"
   FulfillOn="Permit"/>
 </ObligationExpressions></p><p>2.9.3 Marking
The Marking obligation shall be designated with the following identifier:
 urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking
The marking obligation can be used to command PEPs to embed visual marks, sometimes called watermarks, on data viewed both on-screen and in printed form. Policy authors may use this obligation to meet legal or contractual requirements by forcing PEPs to display text or graphics in accordance with <Permit> decisions. This profile does not specify the text or graphics which can be rendered; rather, the details of implementation are left to the discretion of policy authors as to how to best meet their individual requirements. 
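</p><p>How a PEP consumes the encrypt, log and marking obligations of this section on the response side, as an added Python illustration; this is not part of the profile and not any product's code. The PEP parses a XACML 3.0 Response, discharges the obligations it understands, and allows access only when the decision is Permit and every attached obligation was one it could fulfil, which is what [XACML3] requires of a conforming PEP. Assumptions: the handler bodies only record what a real PEP would do, the attribute identifier for the marking text is borrowed from the marking example that follows this block, and response() merely constructs test input.

```python
"""Deny-biased PEP handling of the DLP/NAC obligations (encrypt, log, marking).
Added illustration, not the profile's code. Handler bodies are stand-ins that record
the action a real PEP would take; response() only constructs test input."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
OBLIGATION = "urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
MARK_TEXT = "urn:oasis:names:tc:xacml:3.0:example:attribute:text"   # id used in the 2.9.3 example

# One handler per obligation this PEP can discharge; each returns a record of what it did.
HANDLERS = {
    OBLIGATION + "encrypt": lambda a: "encrypt " + a.get(RESOURCE_ID, "<resource>"),
    OBLIGATION + "log": lambda a: "log access to " + a.get(RESOURCE_ID, "<resource>"),
    OBLIGATION + "marking": lambda a: "mark %s with %r" % (
        a.get(RESOURCE_ID, "<resource>"), a.get(MARK_TEXT, "")),
}

def parse_response(xml_text):
    """-> (decision, [(obligation_id, {attribute_id: value}), ...]) for the first Result."""
    result = ET.fromstring(xml_text).find("x:Result", NS)
    if result is None:
        return "Indeterminate", []
    decision = result.findtext("x:Decision", default="Indeterminate", namespaces=NS)
    obligations = []
    for ob in result.findall("x:Obligations/x:Obligation", NS):
        attrs = {a.get("AttributeId"): (a.text or "")
                 for a in ob.findall("x:AttributeAssignment", NS)}
        obligations.append((ob.get("ObligationId"), attrs))
    return decision, obligations

def enforce(xml_text):
    """-> (access_allowed, actions). Obligations are discharged for Permit and Deny alike
    (a log obligation with FulfillOn="Deny" still has to run); an obligation this PEP
    does not understand turns even a Permit into a refusal, as XACML 3.0 requires."""
    decision, obligations = parse_response(xml_text)
    actions = []
    for oid, attrs in obligations:
        if oid not in HANDLERS:
            return False, actions + ["deny: cannot fulfil obligation " + oid]
        actions.append(HANDLERS[oid](attrs))
    if decision != "Permit":
        return False, actions + ["deny: decision was " + decision]
    return True, actions

ASSIGN = ('<AttributeAssignment AttributeId="%s" '
          'DataType="http://www.w3.org/2001/XMLSchema#string">%s</AttributeAssignment>')

def response(decision, obligations):
    """Build a minimal XACML 3.0 <Response> (constructed test input; string datatypes only)."""
    obs = ""
    for oid, attrs in obligations:
        assigns = "".join(ASSIGN % (aid, val) for aid, val in attrs.items())
        obs += '<Obligation ObligationId="%s">%s</Obligation>' % (oid, assigns)
    body = "<Obligations>%s</Obligations>" % obs if obs else ""
    return '<Response xmlns="%s"><Result><Decision>%s</Decision>%s</Result></Response>' % (
        XACML_NS, decision, body)
```

The ordering inside enforce() is deliberate: obligations are processed before the decision is inspected, so a log obligation attached to a Deny is still written, and an unknown obligation short-circuits to a refusal before any later handler runs.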
The following is an example of the marking obligation:
 <ObligationExpressions>
  <ObligationExpression
   ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
   FulfillOn="Permit">
   <AttributeAssignmentExpression
    AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
    <AttributeValue
     DataType="http://www.w3.org/2001/XMLSchema#string">Copyright 2011 Acme</AttributeValue>
   </AttributeAssignmentExpression>
  </ObligationExpression>
 </ObligationExpressions></p><p>3 Identifiers
This profile defines the following URN identifiers.</p><p>3.1 Profile Identifier
The following identifier SHALL be used as the identifier for this profile when an identifier in the form of a URI is required.
 urn:oasis:names:tc:xacml:3.0:dlp-nac</p><p>4 Examples (non-normative)
This section contains examples of how the profile attributes can be used.</p><p>4.1 DLP use cases</p><p>4.1.1 Prevent sensitive data from being read/modified by unauthorized users
This example illustrates the above use case with the following scenario:
Acme security policy restricts the ability to read and modify certain documents on a “need-to-know” basis, according to the mandatory access control model. Subjects with appropriate attributes, which may include roles, group memberships, etc., will succeed in accessing these documents, while those without the requisite attribute values will fail. 

Resource Attributes (attribute: value)
 Resource-ID: http://confidential.acme.com/eyes-only.xml
 Resource-location: webserver1.acme.com
Access Subject Attributes (attribute: value)
 Subject-ID: Alice
 Subject-Security-Domain: acme.com
Requesting Machine Attributes (attribute: value)
 Subject-ID: alice-laptop.acme.com
Action Attributes (attribute: value)
 Action-ID: Read, Update</p><p>4.1.1.1 Description
This sample policy can be summarized as follows:

Target: This policy is only applicable to Resource-location = “webserver1.acme.com”

Rule: This rule is only applicable if Resource-ID contains “confidential.acme.com”
 Then if
  Access-Subject.Subject-Security-Domain = “acme.com” AND
  Requesting-machine.Subject-ID matches “*.acme.com” AND
  Action-ID = “Read” OR “Update” THEN
   PERMIT

Obligation:
 On PERMIT mark AND encrypt the resource

(anyURI-contains is a substring test over the whole URI, so a URI that merely embeds “confidential.acme.com” in its path would also satisfy the Rule; it is the Resource-location match in the policy Target that pins the policy to the intended server.)</p><p>4.1.1.2 Sample Implementation in XACML 3.0
 <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase411"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  Version="1.0">
  <Description>4.1.1 Prevent sensitive data from being read/modified by unauthorized users</Description>
  <Target>
   <AnyOf>
    <AllOf>
     <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
      <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">webserver1.acme.com</AttributeValue>
      <AttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
       DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       MustBePresent="false"/>
     </Match>
    </AllOf>
   </AnyOf>
  </Target>
  <Rule
   Effect="Permit"
   
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase411.confidentialAcme">
   <Target>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        MustBePresent="false"/>
      </Match>
     </AllOf>
    </AnyOf>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
       <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern">*.acme.com</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
        MustBePresent="false"/>
      </Match>
     </AllOf>
    </AnyOf>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        MustBePresent="false"/>
      </Match>
     </AllOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        MustBePresent="false"/>
      </Match>
     </AllOf>
    </AnyOf>
   </Target>
   <ObligationExpressions>
    <ObligationExpression
     ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
     FulfillOn="Permit">
     <AttributeAssignmentExpression
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <AttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#anyURI"
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       MustBePresent="false"/>
     </AttributeAssignmentExpression>
    </ObligationExpression>
    <ObligationExpression
     ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
     FulfillOn="Permit">
     <AttributeAssignmentExpression
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <AttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#anyURI"
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       MustBePresent="false"/>
     </AttributeAssignmentExpression>
    
</ObligationExpression>
   </ObligationExpressions>
  </Rule>
 </Policy></p><p>4.1.2 Prevent sensitive data from being emailed to unauthorized users
Acme security policy prohibits sending confidential information to users outside the acme.com domain. Alice attempts to send a document to Bob at Wileycorp.com. The request fails. Sample attributes and values are listed below.

Resource Attributes (attribute: value)
 Resource-ID: http://confidential.acme.com/eyes-only.xml
 Resource-location: webserver1.acme.com
Access Subject Attributes (attribute: value)
 Subject-ID: Alice
 Subject-Security-Domain: acme.com
Recipient Subject Attributes (attribute: value)
 Subject-ID: [email protected]
 Subject-Security-Domain: Wileycorp.com
Requesting Machine Attributes (attribute: value)
 Subject-ID: alice-repository.acme.com
Action Attributes (attribute: value)
 Action-ID: Email-send</p><p>4.1.2.1 Description
This sample policy can be summarized as follows:

Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
 AND Resource-ID contains “confidential.acme.com”

Rule: This rule is only applicable if Action-ID = “Email-send”
 Then if
  Access-Subject.Subject-Security-Domain = “acme.com” AND
  Recipient-Subject.Subject-ID contains “@[Aa][Cc][Mm][Ee]\.[Cc][Oo][Mm]” (implemented below with rfc822Name-match against “acme.com”, whose domain comparison is case-insensitive) AND
  Recipient-Subject.Subject-Security-Domain = “acme.com” AND
  Requesting-machine.Subject-ID matches “*.acme.com” THEN
   PERMIT

Obligation:
 On PERMIT mark AND encrypt the resource

The policy contains only a Permit rule, so Bob's request matches no rule and the PDP returns NotApplicable rather than Deny; the request “fails” because a conforming PEP grants access only on Permit and denies in every other case [XACML3]. A deployment that wants an explicit Deny (for example, to attach a log obligation with FulfillOn="Deny" to the refusal) should add a Deny rule after the Permit rule.</p><p>4.1.2.2 Sample Implementation in XACML 3.0
 <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase412"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  Version="1.0">
  <Description>4.1.2 Prevent sensitive data 
from being emailed to unauthorized users</Description>
  <Target>
   <AnyOf>
    <AllOf>
     <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
      <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">webserver1.acme.com</AttributeValue>
      <AttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
       DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       MustBePresent="false"/>
     </Match>
    </AllOf>
   </AnyOf>
   <AnyOf>
    <AllOf>
     <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
      <AttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#anyURI"
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       MustBePresent="false"/>
     </Match>
    </AllOf>
   </AnyOf>
  </Target>
  <Rule
   Effect="Permit"
   RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase412.sendEmail">
   <Description>This rule is only applicable if Action-ID = "Email-send"</Description>
   <Target>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Email-send</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        MustBePresent="false"/>
      </Match>
      <Match 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
        MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
        MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
       <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern">*.acme.com</AttributeValue>
       <AttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
        MustBePresent="false"/>
      </Match>
      
</AllOf>
    </AnyOf>
   </Target>
   <ObligationExpressions>
    <ObligationExpression
     ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
     FulfillOn="Permit">
     <AttributeAssignmentExpression
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <AttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#anyURI"
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       MustBePresent="false"/>
     </AttributeAssignmentExpression>
    </ObligationExpression>
    <ObligationExpression
     ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
     FulfillOn="Permit">
     <AttributeAssignmentExpression
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <AttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#anyURI"
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       MustBePresent="false"/>
     </AttributeAssignmentExpression>
    </ObligationExpression>
   </ObligationExpressions>
  </Rule>
 </Policy></p><p>4.1.3 Prevent sensitive data from being transferred via web-mail
Acme security policy prohibits sending proprietary information to personal web-mail accounts. Alice attempts to send a document to her account at big-email-service.com so that she can work on it after-hours. The request fails. Sample attributes and values are listed below. 
  Resource attributes:           Resource-ID              http://confidential.acme.com/eyes-only.xml
                                 Resource-location        webserver1.acme.com
  Access Subject attributes:     Subject-ID               Alice
                                 Subject-Security-Domain  acme.com
  Recipient Subject attributes:  Subject-ID               Alice's mailbox at big-email-service.com
                                 Subject-Security-Domain  big-email-service.com
  Requesting Machine attributes: Subject-ID               alice-repository.acme.com
  Action attributes:             Action-Protocol          HTTP(S)

4.1.3.1 Description

This sample policy can be summarized as follows:

  Target:      This policy is only applicable to Resource-location = "webserver1.acme.com"
               AND Resource-ID contains "confidential.acme.com"

  Rule:        This rule is only applicable if Action-Protocol contains "HTTP"
               Then if
                 Access-Subject.Subject-Security-Domain = "acme.com" AND
                 Recipient-Subject.Subject-ID is an rfc822Name whose domain part is "acme.com"
                   (rfc822Name-match compares the domain case-insensitively and does not
                   match sub-domains such as mail.acme.com) AND
                 Recipient-Subject.Subject-Security-Domain = "acme.com" AND
                 Requesting-Machine.Subject-ID matches "*.acme.com"
               THEN PERMIT

  Obligation:  On PERMIT mark AND encrypt the resource.

Note that the policy contains only a Permit rule. For Alice's request the recipient matches neither the rfc822Name test nor the security-domain test, so the rule does not apply and the PDP returns NotApplicable rather than Deny; the transfer is refused because the PEP is deny-biased (it grants access only on an explicit Permit). A deployment that needs an auditable Deny, or a logging obligation on the refusal, must add an explicit Deny rule.

4.1.3.2 Sample Implementation in XACML 3.0

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase413"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Description>4.1.3 Prevent sensitive data from being transferred via web-mail</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">webserver1.acme.com</AttributeValue>
          <AttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase413.allowHTTP">
    <Description>This rule is only applicable if Action-Protocol contains "HTTP"</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-contains">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
            <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern">*.acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <ObligationExpressions>
      <ObligationExpression ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </AttributeAssignmentExpression>
      </ObligationExpression>
      <ObligationExpression ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Rule>
</Policy>

4.1.4 Prevent sensitive data from being copied/printed from one computer to another

Acme security policy disallows copying highly sensitive data from a hardened computer to other computers. Any attempt to copy must fail. Sample attributes and values are listed below.

  Resource attributes:           Resource-ID              http://confidential.acme.com/eyes-only.xml
                                 Resource-location        fortress.acme.com
  Access Subject attributes:     Subject-ID               Alice
                                 Subject-Security-Domain  acme.com
  Requesting Machine attributes: Subject-ID               alice-desktop.acme.com
  Recipient Machine attributes:  Subject-ID               public-facing.acme.com
  Action attributes:             Action-ID                Copy or Print

4.1.4.1 Description

This sample policy can be summarized as follows:

  Target:      This policy is only applicable to Resource-location = "fortress.acme.com"
               AND Resource-ID contains "confidential.acme.com"

  Rule:        This rule is only applicable if Action-ID = "Copy" or "Print"
               Then if
                 Requesting-Machine.Subject-ID = Recipient-Machine.Subject-ID
               THEN PERMIT

  Obligation:  On PERMIT mark AND encrypt the resource.

Two points to check before deploying this sample. First, the rule's Condition compares the two machine identifiers as ipAddress values, whereas the attribute table above supplies DNS names (alice-desktop.acme.com, public-facing.acme.com): the context handler must provide the requesting-machine and recipient-machine Subject-ID as IP addresses, reduced to a single value by the one-and-only function for that data type, or the Condition must be rewritten with the dnsName-value comparison the other samples use. The data-type and function identifiers in the Condition also mix the core 2.0 namespace with this profile's 3.0 identifiers and should be aligned with the types and functions the profile defines. Second, as in 4.1.3, a copy to a different machine makes the single Permit rule not applicable; the copy is refused only because the PEP is deny-biased, so an explicit Deny rule is required if the refusal itself must be logged.

4.1.4.2 Sample Implementation in XACML 3.0

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase414"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Description>4.1.4 Prevent sensitive data from being copied/printed from one computer to another</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">fortress.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase414.copyOrPrint">
    <Description>This rule is only applicable if Action-ID = "Copy" or "Print"</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">Copy</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
        </AllOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Print</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-one-and-only">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress-value"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine" MustBePresent="false"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-one-and-only">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress-value"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-machine" MustBePresent="false"/>
        </Apply>
      </Apply>
    </Condition>
    <ObligationExpressions>
      <ObligationExpression
          ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </AttributeAssignmentExpression>
      </ObligationExpression>
      <ObligationExpression ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Rule>
</Policy>

4.1.5 Prevent sensitive data from being transferred to removable media

Acme security policy prohibits the transfer of sensitive data to removable media, such as CDs, DVDs, and USB drives. Any attempt to copy data to removable media must fail. Sample attributes and values are provided below:

  Resource attributes:           Resource-ID              http://confidential.acme.com/eyes-only.xml
                                 Resource-location        webserver1.acme.com
  Access Subject attributes:     Subject-ID               Alice
                                 Subject-Security-Domain  acme.com
  Requesting Machine attributes: Subject-ID               alice-laptop.acme.com
  Recipient Machine attributes:  Removable-media          true
  Action attributes:             Action-ID                Copy or Print

4.1.5.1 Description

This sample policy can be summarized as follows:

  Target:      This policy is only applicable to Resource-location = "webserver1.acme.com"
               AND Resource-ID contains "confidential.acme.com"

  Rule:        This rule is only applicable if Action-ID = "Copy"
               Then if
                 Access-Subject.Subject-Security-Domain = "acme.com" AND
                 Requesting-Machine.Subject-ID matches "*.acme.com" AND
                 Recipient-Machine.Removable-Media = "TRUE"
               THEN DENY

Although the attribute table lists "Copy or Print", the rule below matches Action-ID = "Copy" only, so a Print request is not applicable to it. The Deny is also conditional on the subject and the requesting machine being in acme.com: a request that omits Subject-Security-Domain (the designator has MustBePresent="false") or comes from a machine outside *.acme.com is not denied by this policy, and is refused only if the PEP is deny-biased.

4.1.5.2 Sample Implementation in XACML 3.0

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase415"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Description>4.1.5 Prevent sensitive data from being transferred to removable media</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">webserver1.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Deny" RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase415.copy">
    <Description>This rule is only applicable if Action-ID = "Copy"</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Copy</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
            <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern">*.acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:subject:removable-media"
                DataType="http://www.w3.org/2001/XMLSchema#boolean"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-machine" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>

4.1.6 Prevent sensitive data from being transferred to disallowed URLs

Acme security policy prohibits sensitive data from being transferred outside the organization to specific sites. Alice attempts to upload a sensitive document, but the attempt fails.
Sample attributes and values follow:

  Resource attributes:           Resource-ID              http://confidential.acme.com/eyes-only.xml
                                 Resource-location        webserver1.acme.com
  Access Subject attributes:     Subject-ID               Alice
                                 Subject-Security-Domain  acme.com
  Requesting Machine attributes: Subject-ID               alice-laptop.acme.com
  Recipient Machine attributes:  Subject-ID               cloudstoragesite.com
  Action attributes:             Action-Protocol          HTTP

4.1.6.1 Description

This sample policy can be summarized as follows:

  Target:      This policy is only applicable to Resource-location = "webserver1.acme.com"

  Rule:        This rule is only applicable if Resource-ID contains "confidential.acme.com"
               Then if
                 Action-Protocol = "HTTP" OR
                 Action-Protocol = "FTP"
               THEN DENY

  Obligation:  On DENY log transfer attempt.

Note that the sample policy never consults the Recipient Machine attribute: it denies every HTTP or FTP transfer of a confidential resource from webserver1.acme.com, whether the destination is cloudstoragesite.com or an internal host. To deny only the disallowed sites, add a dnsName-match on the recipient-machine Subject-ID against the prohibited domains. The protocol test is an exact string-equal, so a request reporting "HTTPS" or "SFTP" is not denied by this rule.

4.1.6.2 Sample Implementation in XACML 3.0

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase416"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Description>4.1.6 Prevent sensitive data from being transferred to disallowed URLs</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">webserver1.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Deny" RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase416.confidentialDomain">
    <Description>This rule is only applicable if Resource-ID contains "confidential.acme.com"</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
        </AllOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue
                DataType="http://www.w3.org/2001/XMLSchema#string">FTP</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <ObligationExpressions>
      <ObligationExpression ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log-transfer-attempt" FulfillOn="Deny">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </AttributeAssignmentExpression>
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Transfer</AttributeValue>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Rule>
</Policy>

4.1.7 Prevent sensitive data from being copied from one resource to another

Acme security policy prohibits copying proprietary information from one resource to another. Alice attempts to copy sensitive data from one resource to a new one she just created. The request fails. Sample attributes and values are listed below.
  Resource attributes:           Resource-ID              http://confidential.acme.com/eyes-only.xml
                                 Resource-location        webserver1.acme.com
  Access Subject attributes:     Subject-ID               Alice
                                 Subject-Security-Domain  acme.com
  Action attributes:             Action-ID                Copy

4.1.7.1 Description

This sample policy can be summarized as follows:

  Target:      This policy is only applicable if Resource-location = "webserver1.acme.com"
               AND Resource-ID contains "confidential.acme.com"

  Rule:        This rule is only applicable if Action-ID = "Copy"
               Then if
                 Access-Subject.Subject-Security-Domain = "acme.com"
               THEN DENY

  Obligation:  On DENY log copy attempt.

The Deny applies only to subjects whose Subject-Security-Domain is "acme.com"; a subject from another domain, or a request that omits the attribute, falls outside the rule and this policy returns NotApplicable for it.

4.1.7.2 Sample Implementation in XACML 3.0

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase417"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Description>4.1.7 Prevent sensitive data from being copied from one resource to another</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">webserver1.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Deny" RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase417.copy">
    <Description>This rule is only applicable if Action-ID = "Copy"</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Copy</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <ObligationExpressions>
      <ObligationExpression ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log-transfer-attempt"
          FulfillOn="Deny">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </AttributeAssignmentExpression>
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Rule>
</Policy>

4.1.8 Prevent sensitive data from being read/modified by unauthorized applications

Acme security policy prohibits unapproved applications from reading and modifying sensitive data. Alice attempts to open a sensitive document with an unauthorized application. The request fails. Sample attributes and values are listed below.
  Resource attributes:           Resource-ID              http://confidential.acme.com/eyes-only.xml
                                 Resource-location        webserver1.acme.com
  Access Subject attributes:     Subject-ID               Alice
                                 Subject-Security-Domain  acme.com
  Codebase attributes:           Authorized-application   false
  Action attributes:             Action-Protocol          HTTP

4.1.8.1 Description

This sample policy can be summarized as follows:

  Target:      This policy is only applicable to Resource-location = "webserver1.acme.com"
               AND Resource-ID contains "confidential.acme.com"

  Rule:        This rule is only applicable if Action-Protocol = "HTTP"
               Then if
                 Access-Subject.Subject-Security-Domain = "acme.com" AND
                 Codebase.Authorized-application = false
               THEN DENY

  Obligation:  On DENY log the attempt to use an unauthorized application.

The rule keys on a boolean codebase attribute supplied by the context handler, so the decision is only as trustworthy as the component that identifies the calling application and sets authorized-application. If that attribute is absent the Match fails (the designator has MustBePresent="false"), the rule does not apply, and the policy returns NotApplicable; the refusal then depends on a deny-biased PEP rather than on this Deny.

4.1.8.2 Sample Implementation in XACML 3.0

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase418"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Description>4.1.8 Prevent sensitive data from being read/modified by unauthorized applications</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
          <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value">webserver1.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
              DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
        <Match
            MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidential.acme.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Deny" RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase418.httpProtocol">
    <Description>This rule is only applicable if Action-Protocol = "HTTP"</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
Page 38 of 48 1732 DataType="http://www.w3.org/2001/XMLSchema#string" 1733 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 1734 MustBePresent="false" 1735 /> 1736 </Match> 1737 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> 1738 <AttributeValue 1739 DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue> 1740 <AttributeDesignator 1741 AttributeId="urn:oasis:names:tc:xacml:3.0:codebase:authorized-application" 1742 DataType="http://www.w3.org/2001/XMLSchema#boolean" 1743 Category="urn:oasis:names:tc:xacml:1.0:subject-category:codebase" 1744 MustBePresent="false" 1745 /> 1746 </Match> 1747 </AllOf> 1748 </AnyOf> 1749 </Target> 1750 <ObligationExpressions> 1751 <ObligationExpression 1752 ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log-transfer- 1753 attempt" 1754 FulfillOn="Deny"> 1755 <AttributeAssignmentExpression 1756 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 1757 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> 1758 <AttributeDesignator 1759 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 1760 DataType="http://www.w3.org/2001/XMLSchema#anyURI" 1761 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 1762 MustBePresent="false" 1763 /> 1764 </AttributeAssignmentExpression> 1765 <AttributeAssignmentExpression 1766 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 1767 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> 1768 <AttributeValue 1769 DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue> 1770 </AttributeAssignmentExpression> 1771 </ObligationExpression> 1772 </ObligationExpressions> 1773 </Rule> 1774 </Policy></p><p>17754.2 NAC use case examples</p><p>17764.2.1 Prevent traffic flow between network resources, based on protocol 1777 Acme security policy prohibits sensitive data from being transferred using unsecure protocols. 
1778 Alice attempts to retrieve a document resource on a server using the ftp protocol, in which case 1779 the attempt fails. 1780 Resource Attributes Values Resource-location 192.168.0.1 1781 Access Subject Attributes Values Subject-ID CN=Alice, OU=Contractor, O=Acme, C=US 1782 Action Attributes Values Action-Protocol FTP</p><p>77xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 78Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 39 of 48 17834.2.1.1 Description 1784 This sample policy can be summarized as follows: 1785 1786 Target: This policy is only applicable if Subject-ID ends with “O=Acme,C=US” 1787 1788 Rule: 1789 If Action-Protocol = “FTP” 1790 DENY</p><p>17914.2.1.2 Sample Implementation in XACML 3.0 1792 <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 1793 PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase421" 1794 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first- 1795 applicable" 1796 Version="1.0"> 1797 <Description>4.2.1 Prevent traffic flow between network resources, based on 1798 protocol</Description> 1799 <Target> 1800 <AnyOf> 1801 <AllOf> 1802 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:x500Name-match"> 1803 <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" 1804 >O=Acme,C=US</AttributeValue> 1805 <AttributeDesignator 1806 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 1807 DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" 1808 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 1809 MustBePresent="false"/> 1810 </Match> 1811 </AllOf> 1812 </AnyOf> 1813 </Target> 1814 <Rule 1815 Effect="Deny" 1816 RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase421.ftpProtocol"> 1817 <Description>This rule is only applicable if Action-Protocol equals FTP</Description> 1818 <Target> 1819 <AnyOf> 1820 <AllOf> 1821 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 1822 
<AttributeValue 1823 DataType="http://www.w3.org/2001/XMLSchema#string">FTP</AttributeValue> 1824 <AttributeDesignator 1825 AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol" 1826 DataType="http://www.w3.org/2001/XMLSchema#string" 1827 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 1828 MustBePresent="false" 1829 /> 1830 </Match> 1831 </AllOf> 1832 </AnyOf> 1833 </Target> 1834 </Rule> 1835 </Policy> 1836</p><p>18374.2.2 Restrict users to certain network resources, based on subject-id 1838 Acme security policy restricts access to certain secure access zones based on an authenticated 1839 subject DN of a user when using certificate-based authentication and the destination IP address. 1840 Alice, a contractor at Acme, attempts access a server containing sensitive data within a secure 1841 access zone, but is denied based on her subject-id OU value.</p><p>79xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 80Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. 
Page 40 of 48 1842 Resource Attributes Values Resource-location 10.0.0.1 1843 Access Subject Attributes Values Subject-ID CN=Alice, OU=Contractor, O=Acme, C=US 1844 Action Attributes Values Action-Protocol HTTP Action-Method GET</p><p>18454.2.2.1 Description 1846 This sample policy can be summarized as follows: 1847 1848 Target: This policy is only applicable to resource type Resource-location = 10\.\d*\.\d*\.\d* 1849 1850 Rule: This rule is only applicable if Subject-ID ends with “O=Employee,O=Acme,C=US” 1851 Then if 1852 Action-Protocol = “HTTP” AND 1853 Action-Method = “GET” 1854 THEN 1855 PERMIT</p><p>18564.2.2.2 Sample Implementation in XACML 3.0 1857 <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 1858 PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase422" 1859 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first- 1860 applicable" 1861 Version="1.0"> 1862 <Description>4.2.2 Restrict users to certain network resources, based on subject- 1863 id</Description> 1864 <Target> 1865 <AnyOf> 1866 <AllOf> 1867 <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:ipAddress-match"> 1868 <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern" 1869 >10.0.0.0-10.255.255.255</AttributeValue> 1870 <AttributeDesignator 1871 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location" 1872 DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value" 1873 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 1874 MustBePresent="false"/> 1875 </Match> 1876 </AllOf> 1877 </AnyOf> 1878 </Target> 1879 <Rule 1880 Effect="Permit" 1881 RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase422.employee"> 1882 <Description>This rule is only applicable if subject-id ends with 1883 O=Employee,O=Acme,C=US</Description> 1884 <Target> 1885 <AnyOf> 1886 <AllOf> 1887 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:x500Name-match"></p><p>81xacml-3.0-dlp-nac-v1.0-csprd01 02 
October 2014 82Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. Page 41 of 48 1888 <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" 1889 >O=Employee,O=Acme,C=US</AttributeValue> 1890 <AttributeDesignator 1891 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 1892 DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" 1893 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 1894 MustBePresent="false"/> 1895 </Match> 1896 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 1897 <AttributeValue 1898 DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue> 1899 <AttributeDesignator 1900 AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol" 1901 DataType="http://www.w3.org/2001/XMLSchema#string" 1902 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 1903 MustBePresent="false"/> 1904 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 1905 <AttributeValue 1906 DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> 1907 <AttributeDesignator 1908 AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method" 1909 DataType="http://www.w3.org/2001/XMLSchema#string" 1910 Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 1911 MustBePresent="false"/> 1912 </Match> 1913 </AllOf> 1914 </AnyOf> 1915 </Target> 1916 </Rule> 1917 </Policy> 1918</p><p>83xacml-3.0-dlp-nac-v1.0-csprd01 02 October 2014 84Standards Track Work Product Copyright © OASIS Open 2014. All Rights Reserved. 
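The three sample policies above share one evaluation model: the Policy Target gates applicability, each Rule Target is an AllOf conjunction of Match elements, every Match applies its MatchId function as f(AttributeValue, value-from-designator) over the designated attribute bag, and the first-applicable rule-combining algorithm returns the Effect of the first rule whose Target matches, or NotApplicable when none does. The Python below is an added example by the editor of this page, not code from the OASIS profile or from any XACML implementation. It embeds the 4.2.2 policy (with the missing closing Match tag restored), evaluates the profile's request for Alice alongside a constructed employee DN (CN=Bob,O=Employee,O=Acme,C=US, which is not from the profile), and maps the decision through a deny-biased PEP as XACML core describes. Its x500Name-match is a simplified terminal-RDN comparison (comma split, case-insensitive, no escaped commas or multi-valued RDNs); its ipAddress-match treats the pattern as a single low-high range, which is this example's assumption rather than the pattern grammar in Section 2 of the profile; and Conditions, Indeterminate results and obligations are not modelled.</p>

```python
# Added example, not part of the OASIS profile: a toy evaluator for the XACML 3.0 subset that the
# DLP/NAC sample policies use (Target/AnyOf/AllOf/Match plus first-applicable rule combining).
import ipaddress
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}

# Policy 4.2.2 from the profile, copied here with the missing </Match> restored.
POLICY_422 = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase422"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
 <Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:ipAddress-match">
   <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern">10.0.0.0-10.255.255.255</AttributeValue>
   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location" DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value"
    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"/>
  </Match>
 </AllOf></AnyOf></Target>
 <Rule Effect="Permit" RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase422.employee">
  <Target><AnyOf><AllOf>
   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:x500Name-match">
    <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">O=Employee,O=Acme,C=US</AttributeValue>
    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
     Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"/>
   </Match>
   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol" DataType="http://www.w3.org/2001/XMLSchema#string"
     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
   </Match>
   <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method" DataType="http://www.w3.org/2001/XMLSchema#string"
     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" MustBePresent="false"/>
   </Match>
  </AllOf></AnyOf></Target>
 </Rule>
</Policy>"""

def x500name_match(pattern, name):
    # x500Name-match: pattern equals a terminal RDN sequence of name (naive comma split, case-insensitive).
    rdns = lambda dn: [r.strip().lower() for r in dn.split(",")]
    p, n = rdns(pattern), rdns(name)
    return len(p) <= len(n) and n[-len(p):] == p

def ipaddress_match(pattern, value):
    # ASSUMPTION of this example (not the profile's Section 2 grammar): pattern is "low-high" or one address.
    lo, _, hi = pattern.partition("-")
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(value) <= ipaddress.ip_address(hi or lo)

FUNCTIONS = {  # MatchId -> f(AttributeValue, designated value), argument order as in a Match element
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:x500Name-match": x500name_match,
    "urn:oasis:names:tc:xacml:3.0:function:ipAddress-match": ipaddress_match,
}

def match_matches(match, req):
    # True if f(literal, v) holds for some v in the designated bag; an attribute absent from the
    # request (MustBePresent="false") yields an empty bag, so the Match is simply false.
    fn = FUNCTIONS[match.get("MatchId")]
    literal = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    bag = req.get((des.get("Category"), des.get("AttributeId")), [])
    return any(fn(literal, v) for v in bag)

def target_matches(target, req):
    # Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match; no Target matches all.
    if target is None:
        return True
    return all(any(all(match_matches(m, req) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

def evaluate(policy_xml, req):
    # first-applicable: the Effect of the first Rule whose Target matches, else NotApplicable.
    # Rules with a Condition, Indeterminate results and obligations are not modelled here.
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), req):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if target_matches(rule.find("x:Target", NS), req):
            return rule.get("Effect")
    return "NotApplicable"

def deny_biased_pep(decision):
    # Deny-biased PEP (XACML core): anything other than an unqualified Permit denies access.
    return "grant" if decision == "Permit" else "deny"

SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

def request(subject_dn, location, protocol, method):
    # Request context as {(category, attribute-id): bag of values}.
    return {(SUBJ, "urn:oasis:names:tc:xacml:1.0:subject:subject-id"): [subject_dn],
            (RES, "urn:oasis:names:tc:xacml:1.0:resource:resource-location"): [location],
            (ACT, "urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"): [protocol],
            (ACT, "urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method"): [method]}

ALICE = "CN=Alice, OU=Contractor, O=Acme, C=US"  # the profile's 4.2.2 request
BOB = "CN=Bob,O=Employee,O=Acme,C=US"            # constructed employee DN, not from the profile
```

<p>Calling evaluate(POLICY_422, request(ALICE, "10.0.0.1", "HTTP", "GET")) returns NotApplicable, not Deny, because the policy holds only a Permit rule; deny_biased_pep turns that into the denial described in 4.2.2. Bob's GET over HTTP from the 10.0.0.0-10.255.255.255 zone is the only combination that yields Permit; a POST, or a Resource-location outside that range, falls back to NotApplicable.</p><p>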
5 Conformance</p><p>Conformance to this profile is defined for policies and requests generated and transmitted within and between XACML systems.</p><p>5.1 IP Address and DNS Name Datatypes and Functions</p><p>Conformant XACML policies and requests SHALL use the IP Address and DNS Name datatypes and functions defined in Section 2 for their specified purpose and SHALL NOT use any other identifiers for the purposes defined by attributes in this profile. Conformant XACML PDPs SHALL implement these datatypes and functions. The following table lists the datatypes and functions that must be supported.
Note: “M” is mandatory, “O” is optional.</p><p>Identifiers
urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value             M
urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern           M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-match              M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-endpoint-match     M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal        M
urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value               M
urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern             M
urn:oasis:names:tc:xacml:3.0:function:dnsName-match                M
urn:oasis:names:tc:xacml:3.0:function:dnsName-endpoint-match       M
urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal          M</p><p>5.2 Category Identifiers</p><p>Conformant XACML policies and requests SHALL use the category identifiers defined in Section 2 for their specified purpose and SHALL NOT use any other identifiers for the purposes defined by categories in this profile. The following table lists the categories that must be supported.
Note: “M” is mandatory, “O” is optional.</p><p>Identifiers
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject       M
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject    M
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine   M
urn:oasis:names:tc:xacml:3.0:subject-category:recipient-machine    M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase             M
urn:oasis:names:tc:xacml:3.0:attribute-category:action             M</p><p>5.3 Attribute Identifiers</p><p>Conformant XACML policies and requests SHALL use the attribute identifiers defined in Section 2 for their specified purpose and SHALL NOT use any other identifiers for the purposes defined by attributes in this profile. The following table lists the attributes that must be supported.
Note: “M” is mandatory, “O” is optional.</p><p>Identifiers
urn:oasis:names:tc:xacml:1.0:resource:resource-id                  M
urn:oasis:names:tc:xacml:1.0:resource:resource-location            M
urn:oasis:names:tc:xacml:1.0:subject:subject-id                    M
urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain       M
urn:oasis:names:tc:xacml:3.0:subject:removable-media               M
urn:oasis:names:tc:xacml:1.0:subject:authentication-time           M
urn:oasis:names:tc:xacml:1.0:subject:authentication-method         M
urn:oasis:names:tc:xacml:1.0:subject:request-time                  M
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address     M
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name       M
urn:oasis:names:tc:xacml:3.0:codebase:authorized-application       M
urn:oasis:names:tc:xacml:1.0:action:action-id                      M
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol        M
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method          M
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt            M
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking            M</p><p>5.4 Attribute Values</p><p>Conformant XACML policies and requests SHALL use attribute values in the specified range or patterns as defined for each attribute in Section 2 (when a range or pattern is specified).
NOTE: In order to process conformant XACML policies and requests correctly, PIP and PEP modules may have to translate native data values into the datatypes and formats specified in this profile.</p><p>Appendix A. Acknowledgments</p><p>The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Participants:
  John Tolbert, The Boeing Company
  Richard Hill, The Boeing Company
  Crystal Hayes, The Boeing Company
  David Brossard, Axiomatics AB
  Hal Lockhart, Oracle
  Steven Legg, ViewDS
Committee members during profile development:
Person  Organization  Role</p><p>Appendix B. Revision History</p><p>Revision  Date        Editor                                      Changes Made
WD 1      8/21/2013   John Tolbert                                Initial committee draft.
WD 2      9/6/2013    John Tolbert, Richard Hill, Crystal Hayes   Added glossary terms, text for use cases and examples, attributes for recipient machine and recipient-removable-media, and data-types for macAddress.
WD 3      10/18/2013  John Tolbert, David Brossard                Added glossary terms, edited text, added sample policy for use case example 1.
WD 4      11/18/2013  Hal Lockhart                                Added IP Address and DNS Name datatypes and functions. Adjusted attribute definitions and example to use new datatypes. Added them to conformance section.
WD 5      3/18/2014   John Tolbert                                Separated action-id, action-protocol, and action-method. Moved authorized-application from subject to codebase category.
WD 6      6/10/2014   John Tolbert, Richard Hill, Hal Lockhart    Added Log obligation, inserted policy examples, fixed typos and some word changes. Removed Mask from IP address datatypes. Removed network match function. Replaced IP address wildcards with IP address range list.
WD 7      6/26/2014   Hal Lockhart                                Fixed typo in ipAddress-pattern definition. Corrected typos, conformance to profile and datatype mismatches in examples.
WD 8      7/30/2014   Steven Legg                                 Defined a recipient-machine subject category to hold attributes of the machine to which access is intended to be granted. Defined a JSON short name for recipient-machine and added a reference to the JSON Profile. Replaced recipient-subject-id, requesting-machine and recipient-machine attributes with the subject-id attribute in the recipient-subject, requesting-machine and recipient-machine subject categories respectively. Replaced subject-id-qualifier attribute with a new subject-security-domain attribute that is a better fit for the purpose. Moved and renamed recipient-subject-id-qualifier to subject-security-domain in the recipient-subject category. Replaced the recipient-removable-media attribute with the removable-media attribute in the recipient-machine category. Updated the examples in section 4 to reflect the preceding changes. Rewrote the XACML policy in example 4.1.2.2 to be consistent with its high level description. Added a missing term for (Action-ID = “Copy”) into the XACML policy in section 4.1.5.2. Tweaked the matching of DNs in the examples in section 4.2 and added sample XACML policies. Added category identifiers to the Conformance section and revised the attribute identifiers.
WD 9      7/30/2014   Steven Legg                                 Accepted the changes to WD08.</p>
