<?xml version="1.0" encoding="UTF-8" ?>

<!-- This is the specification of the RBAC policy language, version 3.
Copyright 2001 University of Salford.
Written by E. Ball, D. W. Chadwick, A. Otenko, July 2001 -->


<!ELEMENT X.509_PMI_RBAC_Policy 
      (SubjectPolicy, RoleHierarchyPolicy, SOAPolicy, RoleAssignmentPolicy, 
	TargetPolicy,ActionPolicy, TargetAccessPolicy) >
<!ATTLIST X.509_PMI_RBAC_Policy OID CDATA #REQUIRED>




<!ELEMENT SubjectPolicy (SubjectDomainSpec)+ >

<!-- At least one subject domain must be specified. (However this could be 
every subject in the whole world.) -->

<!ELEMENT SubjectDomainSpec ((Include, Exclude* )+) >

<!-- Subject Domain must contain at least one LDAP sub-tree. 
We do not support single entries at the moment. 
(So if a new sub-node is created, and it is not in the Exclude statement, 
it will be allowed.) -->

<!ATTLIST SubjectDomainSpec ID ID #REQUIRED>

<!-- ID is the unique identifier of the SubjectDomain, which is used to refer 
to the domain throughout the policy. Policy administrators should ensure they 
use valid XML identifiers for this purpose. XML-parsers will give an error if 
an administrator attempts to refer to an object that is not defined as an XML 
attribute. However, this does not stop administrators referring to objects of 
the wrong type (e.g., to a Target Domain instead of a Subject Domain), 
so the references should be input with care. -->

<!ELEMENT Include EMPTY >
<!ATTLIST Include LDAPDN CDATA #IMPLIED
	Min CDATA #IMPLIED
	Max CDATA #IMPLIED>

<!--  	LDAPDN is an LDAP DN from RFC 2253.
	A null (implied) LDAPDN specifies every subject in the world. 
(this could be used for example to give public access rights to a target).
	Min and Max specify the minimum and maximum depths at which the subtree 
starts and ends, respectively. If explicit values are omitted, Min defaults to 0 
(the subtree root) and Max defaults to infinity (the subtree leaves). -->

<!ELEMENT Exclude EMPTY >
<!ATTLIST Exclude LDAPDN CDATA #REQUIRED
	Min CDATA #IMPLIED
	Max CDATA #IMPLIED>

<!--  Exclude is used to exclude subtrees from within an included subtree 
	LDAPDN is an LDAP DN from RFC 2253. Max and Min have the same semantics
as for the Include subtree specification. -->
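<!-- Added example (Python, not part of the PERMIS DTD or its software): deciding whether
a subject DN falls inside a SubjectDomainSpec built from Include/Exclude elements with the
Min/Max depth semantics above. DN handling is a simplification (assumption): RDNs are split
on unescaped commas and compared case-insensitively; a full RFC 2253 parser also handles
multi-valued RDNs and escaping.

```python
# Added example (not part of the PERMIS DTD): subject-domain membership from
# Include/Exclude subtrees. DN parsing is simplified (assumption): RDNs are
# split on unescaped commas and compared case-insensitively.
import re

def dn_rdns(dn):
    """Split a DN into RDNs, leaf first ('cn=x,o=y' gives ['cn=x', 'o=y'])."""
    if dn is None or dn.strip() == "":
        return []                      # null LDAPDN: every subject in the world
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def depth_below(subject_dn, root_dn):
    """RDNs between the subject and root_dn (0 = the root entry itself), or
    None when the subject is not in root_dn's subtree at all."""
    subj, root = dn_rdns(subject_dn), dn_rdns(root_dn)
    if len(subj) < len(root) or subj[len(subj) - len(root):] != root:
        return None
    return len(subj) - len(root)

def in_subtree(subject_dn, ldapdn, min_depth=0, max_depth=None):
    """Min defaults to 0 (the root), Max to infinity (None), as in the DTD."""
    d = depth_below(subject_dn, ldapdn)
    if d is None or d < min_depth:
        return False
    return max_depth is None or d <= max_depth

def in_subject_domain(subject_dn, spec):
    """spec: list of (include, excludes); include and each exclude are
    (LDAPDN, Min, Max) tuples mirroring the Include/Exclude attributes."""
    for (inc_dn, inc_min, inc_max), excludes in spec:
        if not in_subtree(subject_dn, inc_dn, inc_min, inc_max):
            continue
        if any(in_subtree(subject_dn, ex_dn, ex_min, ex_max)
               for ex_dn, ex_min, ex_max in excludes):
            continue                   # carved out by an Exclude subtree
        return True
    return False

# Constructed sample domain: everyone under o=Salford except the Students subtree.
SALFORD_STAFF = [(("o=Salford, c=GB", 0, None),
                  [("ou=Students, o=Salford, c=GB", 0, None)])]
```
-->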




<!ELEMENT RoleHierarchyPolicy (RoleSpec)+ >

<!-- A Role comprises a role attribute type and a role attribute value.
RoleSpec contains the hierarchical relationships between the role attribute
values. At least one RoleSpec must be defined and there is only one RoleSpec 
for each role attribute type -->

<!ELEMENT RoleSpec (SupRole)+ >

<!-- SupRole corresponds to a role in the hierarchy that may have one or more 
subordinate roles. The hierarchy is a directed graph, and may have numerous 
roots (that is why more than one SupRole is needed).  -->

<!ATTLIST RoleSpec Type ID #REQUIRED
		OID CDATA #REQUIRED >
<!-- RoleSpec type is a string, typically the LDAP attribute type name for the
attribute in the role assignment AC.
RoleSpec OID is the object identifier of the attribute type in the role 
assignment AC -->

<!ELEMENT SupRole (SubRole)* >
<!ATTLIST SupRole Value ID #REQUIRED > 

<!-- Value is the attribute value of the SupRole. We have currently restricted 
the value to be an XML identifier, so that it can be referred to in other 
parts of the policy (for example as a SubRole). This restricts the role 
attribute syntax to be a PrintableString. (If this proves to be too 
restrictive we can replace ID by CDATA in a subsequent version of the 
policy.) -->

<!ELEMENT SubRole EMPTY >
<!ATTLIST SubRole Value IDREF #REQUIRED >

<!-- Value is a reference to a SupRole value defined elsewhere within this 
RoleSpec. -->




<!ELEMENT SOAPolicy (SOASpec)+ >

<!-- The SOA Policy contains security parameters of trusted SOAs. At the moment 
we do not need any parameters except the SOA's LDAP DN. Later we may want to 
specify Cross Certification rules here e.g. how to map policies and how to map 
external roles into internal roles of this security domain. -->
<!-- There must be at least one SOASpec: that for the policy creator -->

<!ELEMENT SOASpec EMPTY >
<!ATTLIST SOASpec ID ID #REQUIRED
	LDAPDN CDATA #REQUIRED >
<!-- The ID is a valid XML ID for reference to this SOA anywhere in this 
policy. The first SOASpec must contain the LDAP DN of the Policy Creator -->




<!ELEMENT RoleAssignmentPolicy (RoleAssignment)+ >

<!-- The RoleAssignmentPolicy combines the SubjectPolicy, the role 
hierarchy policy and the SOA policy. It contains the allowed role names and 
types along with the SOAs who may allocate them to the subject domains. It 
also states what the delegation policy is for the roles, and the maximum 
validity time of the roles.  -->

<!ELEMENT RoleAssignment  (SubjectDomain,RoleList,Delegate,SOA,Validity) >

<!-- Subject Domain is a reference to a previously declared domain. It 
represents a domain of users to which this rule applies.
RoleList contains references to existing Roles declared in the 
RoleHierarchyPolicy. It defines the role(s) to which this rule applies.
Delegate specifies the delegation rules for the role(s).
SOA specifies who can issue the role(s). If a role assignment AC is not issued 
by the specified SOA (or one of its AAs if delegation is allowed) then it is
invalid. Validity specifies restrictions as to the validity time of the 
role(s) concerned. 
Note that there can be many RoleAssignment specifications for the same SOA -->

<!ELEMENT SubjectDomain EMPTY>
<!ATTLIST SubjectDomain ID IDREF #REQUIRED>
<!-- ID is a reference to a previously declared Subject Domain.-->

<!ELEMENT RoleList (Role+) >
<!-- Specifies a list of roles. -->

<!ELEMENT Role EMPTY >
<!ATTLIST Role Type IDREF #IMPLIED 
               Value IDREF #IMPLIED >

<!-- If Role Type is missing, any role may be assigned to a subject. 
If Role Type is present and Role Value is missing, any value of the Role Type 
may be assigned. If both are present, only this specific role type and value 
may be assigned. It is not allowed to have a specific role value without a role 
type -->

<!ELEMENT SOA EMPTY>
<!ATTLIST SOA ID IDREF #REQUIRED>
<!-- ID is a reference to a previously declared SOA. -->

<!ELEMENT Validity (Absolute?, Age?, Maximum?, Minimum? ) >
<!-- The RoleAssignmentPolicy Validity time serves to restrict the validity 
time of issued role assignment ACs, and to discard ACs that are too old, or are 
outside the bounds of the maximum and minimum validity periods. The actual 
validity time is the intersection of the policy absolute validity time and the 
AC validity time.
The Age sub-element specifies the maximum age of an AC, relative to the 
evaluation time. If the AC notBefore validity time precedes the Age, it will be 
discarded. The Maximum and Minimum sub-elements specify maximum and 
minimum periods, relative to the evaluation time, that an AC must be valid 
for, in order for it to be accepted -->

<!ELEMENT Absolute EMPTY>
<!ATTLIST Absolute Start CDATA #IMPLIED
                   End CDATA #IMPLIED >

<!-- Absolute Validity times are specified as date/time strings in ISO 8601 
	format, i.e. ccyy-mm-ddThh:mm:ss.
	If Start is missing, the role assignment is valid from the 
beginning of time.
	If End is missing, the role assignment is infinitely valid.
	E.g. with an Absolute Start of 1 Feb and an AC validity notBefore of 
1 Jan, the AC will not be accepted during January -->

<!ELEMENT Age EMPTY>
<!ATTLIST Age Time CDATA #IMPLIED >

<!ELEMENT Maximum EMPTY>
<!ATTLIST Maximum Time CDATA #IMPLIED >

<!ELEMENT Minimum EMPTY>
<!ATTLIST Minimum Time CDATA #IMPLIED >

<!-- Age, Maximum and Minimum times are specified as date/time strings 
of the form yy-mm-ddThh:mm:ss meaning this amount of time from now (the 
evaluation time). Trailing (zero) dates and times can be omitted, i.e. to 
specify 2 months from now would be 00-02. Whilst Age goes back in time from 
now, both Maximum and Minimum go forward in time from now. For example, if the 
Age is specified as 02, then an AC that has a notBefore validity time of more 
than two years before the evaluation time will be discarded. If the Maximum 
time is specified as 00-02, then an AC that has a notAfter validity time more 
than two months from the evaluation time will be discarded. If the Minimum 
time is 00-00-01, then an AC that has a notAfter validity time less than one 
day from the evaluation time will be discarded. 
If Age is missing, the role AC does not have an age imposed on it.
If Maximum is missing, the role AC does not have a maximum validity time 
imposed on it.
If Minimum is missing, the role AC does not have a minimum validity time 
imposed on it -->
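<!-- Added example (Python, not part of the PERMIS DTD or its software): applying the
Absolute, Age, Maximum and Minimum rules above to an AC's notBefore/notAfter times at a
given evaluation time. Assumption: year and month offsets are applied calendar-wise with
the day clamped to the target month's length, while days and smaller units are a plain
timedelta; the DTD does not fix this arithmetic.

```python
# Added example (not part of the PERMIS DTD): Validity checks on an AC.
# Assumption: year/month offsets are calendar-wise (day clamped to month
# length); days, hours, minutes and seconds are a plain timedelta.
import calendar
from datetime import datetime, timedelta

def parse_relative(spec):
    """'yy-mm-ddThh:mm:ss' with trailing zero parts omitted, e.g. '02', '00-02'."""
    date_part, _, time_part = spec.partition("T")
    d = [int(x) for x in date_part.split("-")] + [0, 0, 0]
    t = ([int(x) for x in time_part.split(":")] if time_part else []) + [0, 0, 0]
    return d[0], d[1], timedelta(days=d[2], hours=t[0], minutes=t[1], seconds=t[2])

def shift(base, spec, sign):
    """base moved by the relative spec: sign=-1 for Age (back), +1 for Max/Min."""
    years, months, delta = parse_relative(spec)
    total = base.year * 12 + (base.month - 1) + sign * (years * 12 + months)
    year, month0 = divmod(total, 12)
    day = min(base.day, calendar.monthrange(year, month0 + 1)[1])
    return base.replace(year=year, month=month0 + 1, day=day) + sign * delta

def parse_absolute(s):
    """Absolute Start/End in ccyy-mm-ddThh:mm:ss form; None means unbounded."""
    return datetime.fromisoformat(s) if s else None

def ac_accepted(now, not_before, not_after, age=None, maximum=None, minimum=None,
                abs_start=None, abs_end=None):
    """True if the AC survives every Validity check at evaluation time `now`."""
    if age is not None and not_before < shift(now, age, -1):
        return False          # notBefore precedes the Age horizon: too old
    if maximum is not None and not_after > shift(now, maximum, +1):
        return False          # valid for longer than Maximum allows
    if minimum is not None and not_after < shift(now, minimum, +1):
        return False          # expires sooner than Minimum requires
    # Actual validity is the intersection of the Absolute window and the AC window.
    start, end = parse_absolute(abs_start), parse_absolute(abs_end)
    start = max(not_before, start) if start else not_before
    end = min(not_after, end) if end else not_after
    return start <= now <= end
```
-->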


<!ELEMENT Delegate EMPTY >
<!ATTLIST Delegate Depth CDATA #IMPLIED >
<!-- Depth  is an integer that specifies the level of delegation that is 
allowed
	0 means no delegation is allowed (SOA->user direct)
	1 means 1 level of delegation is allowed (SOA->AA->user) etc. 
     if depth is missing infinite delegation is allowed  -->






<!ELEMENT TargetPolicy (TargetDomainSpec+) >

<!-- Target Policy specifies the possible target domains. 
At least one domain must be specified, even if it is the world. -->

<!ELEMENT TargetDomainSpec ((Include, Exclude*)+, ObjectClass* ) >
<!ATTLIST TargetDomainSpec ID ID #REQUIRED>

<!-- TargetDomain specifies one or more non-leaf LDAPDN subtrees, 
with optional excluded subtrees, whilst the optional object classes further 
restrict the domain to targets that have all of the specified object classes -->

<!ELEMENT ObjectClass EMPTY >
<!ATTLIST ObjectClass Name CDATA #REQUIRED >
<!-- Name is the LDAP object class name, which is known to the target (the AZN 
caller) -->



<!ELEMENT ActionPolicy   (Action+) >
<!-- An action is the smallest granularity of access to a target
Each action has a name and zero or more arguments -->

<!ELEMENT Action EMPTY>
<!ATTLIST Action Name NMTOKEN #REQUIRED 
                Args NMTOKENS #IMPLIED >
<!-- Name is the name of the action. (Refer to the target reference manual for 
names of methods it supports.)
Args is a list of zero or more argument names, as specified in the target 
reference manual. 
The sequence of the arguments is very important and must be the same as those 
passed by the AEF. -->





<!ELEMENT TargetAccessPolicy (TargetAccess)+ >
<!ELEMENT TargetAccess ( RoleList, TargetList, IF?) >
<!-- The target access policy comprises one or more target accesses. Each
TargetAccess allows an initiator with the specified set of roles to carry out 
the specified actions on the list of targets, but only if the conditions 
specified by the optional IF clause are true. The initiator must possess all of 
the roles in the RoleList in order to get access.  -->
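<!-- Added example (Python, not part of the PERMIS DTD or its software): expanding a
RoleSpec hierarchy (SupRole/SubRole, from the RoleHierarchyPolicy above) and checking a
TargetAccess RoleList against the initiator's roles. Assumption: as in standard hierarchical
RBAC, a SupRole inherits the privileges of its SubRoles, so a holder of "Manager" in the
constructed fragment also counts as holding "Staff" and "Employee"; the OID is a placeholder.

```python
# Added example (not part of the PERMIS DTD): role hierarchy closure plus the
# "must hold ALL roles in the RoleList" rule of TargetAccess. Assumption: a
# SupRole inherits the privileges of its SubRoles (standard hierarchical RBAC).
import xml.etree.ElementTree as ET

# Constructed RoleSpec fragment; the OID value is a placeholder, not a real one.
ROLE_SPEC = """<RoleSpec Type="role" OID="PLACEHOLDER.OID">
  <SupRole Value="Manager"><SubRole Value="Staff"/></SupRole>
  <SupRole Value="Staff"><SubRole Value="Employee"/></SupRole>
  <SupRole Value="Auditor"><SubRole Value="Employee"/></SupRole>
  <SupRole Value="Employee"/>
</RoleSpec>"""

def subordinate_map(rolespec_xml):
    """Map each SupRole value to the SubRole values it directly dominates."""
    spec = ET.fromstring(rolespec_xml)
    subs = {}
    for sup in spec.findall("SupRole"):
        subs[sup.get("Value")] = [s.get("Value") for s in sup.findall("SubRole")]
    # Every SubRole Value is an IDREF to a SupRole declared in this RoleSpec.
    for sub_list in subs.values():
        for s in sub_list:
            if s not in subs:
                raise ValueError("SubRole refers to undeclared role: " + s)
    return subs

def effective_roles(held, subs):
    """Roles held plus everything reachable downwards through SubRole links.
    The hierarchy is a directed graph, so visited roles are tracked (cycle-safe)."""
    seen, stack = set(), list(held)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(subs.get(role, []))
    return seen

def satisfies_rolelist(held, required, subs):
    """A TargetAccess grants access only if the initiator holds ALL listed roles."""
    return set(required) <= effective_roles(held, subs)
```
-->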

<!ELEMENT TargetList (Target+ ) >
<!-- Target specifies a target instance or domain and the actions that can be 
carried out on it -->

<!ELEMENT Target (TargetName |TargetDomain) >
<!ATTLIST Target Actions NMTOKENS #IMPLIED >

<!-- Actions specify action identifiers, allowed on this target. If no Actions 
are specified then all actions are allowed -->

<!-- The TargetName option specifies the LDAPDN of a target instance (which must 
be within a previously specified target domain); 
the TargetDomain option refers to a previously defined target domain -->

<!ELEMENT TargetName EMPTY>
<!ATTLIST TargetName LDAPDN CDATA #REQUIRED>

<!ELEMENT TargetDomain EMPTY>
<!ATTLIST TargetDomain ID IDREF #REQUIRED>

<!-- The IF clause specifies the conditions which must be satisfied in order for 
the actions to be performed. A condition comprises
	a comparison operator,
	an attribute source, attribute name and attribute type (the LHS of the 
operator),
	and a series of one or more attributes or constant values against which 
the first attribute is to be compared.
	Two possible sources are specified for the attributes: an argument from 
the action specified by the initiator, and the environment -->
	
<!ELEMENT IF 
      ( PRESENT | EQ | GT | LT | LE | GE |Subordinate | Substrings | 
	Subset | Superset | NonNullIntersection | ApproxEQ | Operator |
	AND | OR  | NOT ) >


<!ELEMENT PRESENT (Arg | Environment) >
<!-- Checks if the given entity is present: i.e. if Arg has not been omitted 
from the action, or if the Environment parameter is defined. -->

<!ELEMENT Arg EMPTY>
<!ATTLIST Arg Name NMTOKEN #REQUIRED 
		Type NMTOKEN #REQUIRED>
<!-- This element specifies what argument of the action to compare. For 
comparison purposes, the type of the argument is needed, as well as its name. 
Certain types will be built into the interpreting software, e.g. integer and 
boolean. There is also a way to provide extension of types, so that the 
interpreter becomes capable of interpreting values of unknown types. -->

<!ELEMENT Environment EMPTY>
<!ATTLIST Environment Parameter NMTOKEN #REQUIRED 
		Type NMTOKEN #REQUIRED >
<!-- This element specifies what environmental argument must be compared. The 
environment represents the Contextual ADI in ISO 10181-3 access control 
framework. Environmental parameters are application specific, and their names 
and types are specified by the AEF implementors. -->

<!ELEMENT EQ ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Compares for equality. Comparison must be of values of the same or 
castable types -->
<!ELEMENT GT ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Compares if the first value is greater than the second one -->
<!ELEMENT LT ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Compares if the first value is less than the second one -->
<!ELEMENT LE ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Compares if the first value is less than or equal to the second one -->
<!ELEMENT GE ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Compares if the first value is greater than or equal to the second one -->
<!ELEMENT Subordinate ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Compares if the first value is subordinate to the second one -->
<!ELEMENT Substrings ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Checks if the first argument is a substring of the second. Both must be of 
type castable to string -->
<!ELEMENT Subset (Set, Set)  >
<!-- Compares if the first set is a subset of the second one -->
<!ELEMENT Superset (Set, Set) >
<!-- Compares if the first set is a superset of the second one -->
<!ELEMENT NonNullIntersection (Set, Set)  >
<!-- Compares if the intersection between the two sets contains at least one 
element -->
<!ELEMENT ApproxEQ ((Arg | Environment), (Constant | Arg | Environment) ) >
<!-- Compares if the first value is approximately equal to the second value. The 
meaning of approximate is defined by the application -->
<!ELEMENT Operator (Constant | Arg | Environment)* >
<!ATTLIST Operator Name CDATA #REQUIRED >
<!-- Operator is an extensibility mechanism to allow policy setters to define 
new operators for the condition statements. The meaning of the operator Name 
and the number of parameters it operates on are application specific. The PERMIS 
API will support the calling of new Java objects which implement new types and 
new operators -->


<!-- The equality test is the EQ element declared above; AND/OR/NOT refer to it
by that name -->
<!ELEMENT AND ( PRESENT | EQ | GT | LT | LE | GE |Subordinate | Substrings | 
	Subset | Superset | NonNullIntersection | ApproxEQ | Operator |
 	AND | OR  | NOT )+ >

<!ELEMENT OR ( PRESENT | EQ | GT | LT | LE | GE |Subordinate | Substrings | 
	Subset | Superset | NonNullIntersection | ApproxEQ | Operator |
	 AND | OR  | NOT )+ >

<!-- NOT has only a single child -->
<!ELEMENT NOT ( PRESENT | EQ | GT | LT | LE | GE | Subordinate | Substrings | 
	Subset | Superset | NonNullIntersection | ApproxEQ | Operator |
	AND | OR ) >



<!ELEMENT Constant EMPTY>
<!ATTLIST Constant Type NMTOKEN #REQUIRED
		Value CDATA #REQUIRED >


<!ELEMENT Set (Constant | Arg | Environment)+ >
<!-- Set can contain collections of values of different kinds and types. When 
being matched, the values of the same type are separated into subsets, on 
which the operation is performed, and the result is aggregated into a common 
set again. -->
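<!-- Added example (Python, not part of the PERMIS DTD or its software): a small evaluator
for the IF clause described above, covering PRESENT, the built-in comparison operators,
Substrings and the AND/OR/NOT combinators, run against a constructed IF fragment with
action arguments and environment parameters supplied as strings. Assumptions: only the
integer, boolean and string types are modelled, the Set operators and Operator extensions
are not, and a comparison whose Arg or Environment value is missing evaluates to false
(fail closed); the AEF's actual type and operator handling is application specific.

```python
# Added example (not part of the PERMIS DTD): evaluating an IF condition tree.
# Assumptions: integer/boolean/string types only; Set operators, ApproxEQ,
# Subordinate and Operator are not modelled; a missing operand fails closed.
import xml.etree.ElementTree as ET

# Constructed IF clause: allow only if the action's "amount" argument is at
# most 500 AND the environment's "hour" parameter exists and is within 9..16.
IF_XML = """<IF><AND>
  <LE><Arg Name="amount" Type="integer"/><Constant Type="integer" Value="500"/></LE>
  <PRESENT><Environment Parameter="hour" Type="integer"/></PRESENT>
  <GE><Environment Parameter="hour" Type="integer"/><Constant Type="integer" Value="9"/></GE>
  <LT><Environment Parameter="hour" Type="integer"/><Constant Type="integer" Value="17"/></LT>
</AND></IF>"""

CASTS = {"integer": int, "boolean": lambda v: v.lower() == "true", "string": str}

COMPARE = {"EQ": lambda a, b: a == b, "GT": lambda a, b: a > b,
           "LT": lambda a, b: a < b, "LE": lambda a, b: a <= b,
           "GE": lambda a, b: a >= b, "Substrings": lambda a, b: str(a) in str(b)}

def value_of(node, args, env):
    """Resolve Constant / Arg / Environment to a typed value (None if absent)."""
    cast = CASTS[node.get("Type")]
    if node.tag == "Constant":
        return cast(node.get("Value"))
    raw = args.get(node.get("Name")) if node.tag == "Arg" else env.get(node.get("Parameter"))
    return None if raw is None else cast(raw)

def evaluate(node, args, env):
    """Recursively evaluate an IF subtree; AND/OR take one or more children."""
    kids = list(node)
    if node.tag == "IF":
        return evaluate(kids[0], args, env)
    if node.tag == "AND":
        return all(evaluate(k, args, env) for k in kids)
    if node.tag == "OR":
        return any(evaluate(k, args, env) for k in kids)
    if node.tag == "NOT":
        return not evaluate(kids[0], args, env)
    if node.tag == "PRESENT":
        return value_of(kids[0], args, env) is not None
    if node.tag in COMPARE:
        left, right = (value_of(k, args, env) for k in kids)
        return left is not None and right is not None and COMPARE[node.tag](left, right)
    raise ValueError("condition not modelled here: " + node.tag)

def access_allowed(if_xml, args, env):
    """args: action argument name to string value; env: environment parameters."""
    return evaluate(ET.fromstring(if_xml), args, env)
```
-->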

