Copyright © 2000-2003 International Business
Machines Corporation. All Rights Reserved.
This document is available under the W3C Document License. See the W3C Intellectual Rights Notices and Disclaimers for additional information.
This is the Enterprise Privacy Authorization Language (EPAL) technical specification. EPAL is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication.
An EPAL policy defines lists of hierarchies of data-categories, user-categories, and purposes, and sets of (privacy) actions, obligations, and conditions. user-categories are the entities (users/groups) that use collected data (e.g., travel expense department or tax auditor). Data-categories define different categories of collected data that are handled differently from a privacy perspective (e.g., medical-record vs. contact-data). Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes).
Actions model how the data is used (e.g., disclose vs. read). Obligations define actions that must be taken by the environment of EPAL (e.g., delete after 30 days or get consent). Conditions are Boolean expressions that evaluate the context (e.g., "the user-category must be an adult" or "the user-category must be the primary care physician of the data-subject").
These elements are then used to formulate privacy authorization rules that allow or deny actions on data-categories by user-categories for certain purposes under certain conditions while mandating certain obligations. In order to allow for general rules and exceptions, EPAL rules are sorted by descending precedence. E.g., a rule about a particular employee can be inserted before the rule about the department in order to implement an exception.
This section describes the status of this document at the time of its publication. Other documents may supersede this document.
By publishing this document, W3C acknowledges that International Business Machines (IBM) has made a formal submission to W3C for discussion. Publication of this document by W3C indicates no endorsement of its content by W3C, nor that W3C has, is, or will be allocating any resources to the issues addressed by it. This document is not the product of a chartered W3C group, but is published as potential input to the W3C Process. Publication of acknowledged Member Submissions at the W3C site is one of the benefits of W3C Membership; please consult the complete list of acknowledged W3C Member Submissions.
The Enterprise Privacy Authorization Language (EPAL) is an interoperability language for exchanging privacy policy in a structured format between applications or enterprises. This document formally describes EPAL, including concepts, syntax, and semantics. To help readers understand the structure and capabilities of the language, it is presented in several forms. First, a brief overview of the language is given in Section 2 in textual form, explaining the major structures of the language and how they fit together. Secondly, the detailed syntax of the language will be specified in Sections 3 and 4 by parts of the EPAL schema along with some examples of EPAL. Thirdly, the semantics of an EPAL policy is described in Section 5. Data-types that are re-used in multiple places are defined in Section 6. The formal definition of the EPAL syntax is given by the XML Schema for EPAL as an appendix.
The EPAL Working Group exists to develop a interoperability language for the representation of data handling policies and practices within and between privacy-enabled enterprise tools, which serve to
The goals for the EPAL language are the following.
There are certain situations for which EPAL is not intended as an appropriate language. EPAL was not designed for the following applications:
The following applications expose the design considerations raised during the development of EPAL. For EPAL to satisfy the demands of each use case, particular requirements must be inferred. These case-specific requirements and the accompanying assumptions are listed below.
A privacy administrator, who has a legal background and no programming experience, creates EPAL rules to model her firm's privacy policy. This EPAL policy serves as input to a variety of privacy management, audit, and enforcement software tools.
Implications on EPAL requirements:
To allow privacy software from different companies to work together, EPAL should be used as a common format to exchange a privacy policy. For example, a privacy creation tool from one company may create an EPAL policy, and a privacy enforcement tool from another company may read-in the EPAL policy and then enforce it.
Implication on EPAL requirements:
A company has implemented an privacy enforcement system in their software package. The privacy enforcement system must enforce the given set of EPAL rules and the obligations that are defined by the policy.
Implications on EPAL requirements:
An independent auditor uses EPAL to model a client's privacy policy and to perform a privacy audit. The client's goal is to have demonstrated compliance with privacy legislation and recommended industry-specific practices. Two options exist for performing a privacy audit. One method is to generate rulings against the EPAL-modeled privacy policy from run-time requests. These rulings are logged and subsequently analyzed for requests which violated the privacy policy. There is no interference with requests during an audit. An alternative method is completely separate from the client's run-time system. The auditor also models the requests. Compliance with the EPAL-modeled privacy policy is measured against simulated requests.
Implications on EPAL requirements:
Requirements describe the necessary expressiveness of EPAL, enable and/or facilitate deployment, and guide the design of the structure of the language.
EPAL must be expressive and flexible to capture evolving privacy legislation and customized privacy policy in a useful, computer-readable format. The following requirements aim to fulfill these goals.
EPAL is not designed for any specific target environments or existing software privacy tools. Nevertheless, certain requirements must be satisfied to deploy EPAL.
Since EPAL is intended to be an interoperability language, the syntax must satisfy the following requirements.
An EPAL privacy policy and an engine that evaluates it is not sufficient for privacy enforcement. To be deployment independent, EPAL defines an abstract authorization interface that outputs a decision and obligations on input of purpose-identifiers, action-identifiers, user-category-identifiers, data-category-identifiers, and context data. Implicitly, these authorization inputs pose a list of requirements on the environment of the EPAL engine
EPAL aims at formalizing enterprise-internal privacy policies. This requires a fine-grained vocabulary that formalizes the privacy relevant aspects of an enterprise. It also includes a fine-grained hierarchy of purposes for which the enterprise collects data. The W3C Platform for Privacy Preferences aims at formalizing privacy statements that are published by an enterprise. The goal is to define a machine-readable equivalent for the human readable privacy promises that are published as a "privacy statement" on a web-pages. Unlike EPAL, P3P defines a global terminology that can be used to describe the privacy promises for any enterprise.
The normative syntax is given by the XML schema in the appendix. Fragments of this XML Schema are used to define the XML data structures of EPAL inside the specification.
<!-- All schema fragments are shown in a box like this. --> |
Examples illustrate the XML data structures of EPAL as XML code.
<!-- All examples are shown in a box like this. --> |
In general, a fixed space font is used to represent excerpts of an EPAL file within the text of this document. Angled brackets <> enclose XML elements. Double quotes "" enclose XML types. Single quotes delimit strings.
We would like to thank Malcolm Crompton for valuable input. In addition, we thank the many reviewers within IBM that gave valuable input. In particular we would like to thank Michael Backes, Kathy Bohrer, Marlena Erdos, Michiharu Kudoh, Birgit Pfitzmann, Martin Presler-Marshall, and Michael Waidner.
This section briefly describes EPAL and its capabilities. An EPAL policy categorizes the data an enterprise holds and the rules which govern the usage of data of each category. Since EPAL is designed to capture privacy policies in many areas of responsibility, the language cannot predefine the elements of a privacy policy. Therefore, EPAL provides a mechanism for defining the elements which are used to build the policy.
An EPAL policy is essentially a list of privacy rules that are ordered with descending precedence (i.e., if a rule applies, subsequent rules are ignored). A rule is a statement that includes a ruling, a user category, an action, a data category, and a purpose. A rule may also contain conditions and obligations. For example, an enterprise may have the following rule in its privacy policy.
Privacy Policy (informal): | Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now. |
EPAL Privacy Rule: | |
ruling | allow |
user category | sales department |
action | store |
data category | customer-record |
purpose | order-processing |
condition | the customer is older than 13 years of age |
obligation | delete the data 3 years from now |
Rules are used to determine if a request is allowed or denied. A request contains a user category, an action, a data category, and a purpose. Continuing with the same enterprise as above, consider the following request.
request (informal) | A person acting as a sales agent and an employee requests to collect a customer's email for order entry. |
user category | sales department |
action | store |
data category | customer-record |
purpose | order-processing |
The above rule allows the request, so the sales agent would be permitted to store the customer's contact information. Additional rules can then govern how this stored data may be used.
As in introduction to EPAL, let us consider one common scenario that makes use of EPAL.
A company BestShoesRUs sells shoes to consumers:
BestShoesRUs has always been concerned with its customers privacy. However, as the business has expanded it has found it more difficult to present and enforce a consistent policy across the business. Customers have started to complain that they are getting unwanted marketing material, and some customers have challenged that BestShoesRUs has revealed their private data to third parties.
To facilitate better privacy practices BestShoesRUs has decided to create an enterprise wide policy using EPAL. The goal of the policy is to define a set of common rules for the handling of PII (Personal Identifiable Information) data that is collected from consumers. This way no matter how the data is collected (store, mail, phone, Internet, North America and Asia) that data is treated in a consistent manner.
To begin the process the CPO and her staff need to define an EPAL policy. The CPO obtains legal advice to obtain requirements for the policy based on legislation and industry regulation. The CPO also contracts some consultants specializing in privacy to get some guidelines around industry accepted practices for handing PII data. Using these two inputs, and also tailoring it for the business requirements of BestShoesRUs the CPO and her staff defines the policy. This policy will be the basis for all of the handling of the PII data across the whole business.
Once this policy is defined the IT staff need to ensure it is enforced. There are a number of aspects to this:
The EPAL policy will be expected to change over time because of new regulations, industry practices and business requirements. New versions of the policy will need to be created.
BestShoesRUs will need to acquire software tools for creation of policy, notice, consents and enforcement. These tools may be acquired from different software vendors. The EPAL policy will be used as the medium for exchanging policy across the tools.
The following picture shows a non-normative UML (the Unified Modeling Language) overview over the elements of an EPAL policy. Sub-elements are depicted as aggregation by value while references using id/refid pairs are depicted as ordinary relations. The element <epal-vocabulary> and <epal-policy> are the two top-level elements of EPAL.
Figure: Non-normative High-level UML Overview
of an EPAL policy
EPAL is well-formed XML, conforming to XML 1.0. In addition to well-formedness, EPAL must be validated by the XML Schema for EPAL. The Schema formally defines the EPAL elements. The cardinality, the type, and the (required or optional) use of each element is stated. Any sequencing restrictions of sub-elements are stated. The type, the (required or optional) use, the permitted values, and any default values for each attribute are stated. Some attributes have values which must be unique IDs. An ID must be unique throughout the EPAL policy.
Section 3 and 4 describe the contents of the XML Schema for EPAL. The EPAL namespace URI is "http://www.research.ibm.com/privacy/epal".
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
Prefix | Namespace URI | Notes |
---|---|---|
epal | http://www.research.ibm.com/privacy/epal | The EPAL namespace defined in this specification |
xs | http://www.w3.org/2001/XMLSchema | The W3C XML Schema namespace |
xsi | http://www.w3.org/2001/XMLSchema-instance | The W3C XML Schema namespace for instances |
This section describes the syntax of EPAL vocabularies that define the language to express sector-specific privacy policies. Enterprises usually use a single vocabulary. For exchanging policy data with other enterprises, both enterprises can agree on and share a subset of this vocabulary.
Syntax: The <epal-vocabulary> element defines all elements that will later be referenced in rules. The <epal-vocabulary> element contains the following sub-elements in this fixed order:
The required attribute "version" defines the version of EPAL that has been used.
Semantics: The <epal-vocabulary> element lists all terms that must be known by the system interpreting this vocabulary. In addition, it defines what data may be needed for evaluating the conditions contained in this vocabulary.
Design Note: Separating vocabularies from the actual rules serves the following purposes:
The disadvantage is that for interoperability, one needs to agree on a common vocabulary in order to be able to exchange policies.
Schema Fragment
<xs:element name="epal-vocabulary"> <xs:complexType> <xs:sequence> <xs:element name="vocabulary-information" minOccurs="1" maxOccurs="1" type="epal:infoType"></xs:element> <xs:element name="user-category" minOccurs="0" maxOccurs="unbounded">... </xs:element> <xs:element name="data-category" minOccurs="0" maxOccurs="unbounded" type="epal:hierarchicalType"></xs:element> <xs:element name="purpose" type="epal:hierarchicalType" minOccurs="0" maxOccurs="unbounded"></xs:element> <xs:element name="action" type="epal:describedObjectType" maxOccurs="unbounded"></xs:element> <xs:element name="container" minOccurs="0" maxOccurs="unbounded">...</xs:element> <xs:element name="obligation" minOccurs="0" maxOccurs="unbounded">...</xs:element> </xs:sequence> <xs:attribute name="version" type="xs:string" default="1.2"/> </xs:complexType> </xs:element> |
Example: Structure of a <epal-vocabulary> element and its sub-elements
<epal-vocabulary version="1.2" xmlns="http://www.research.ibm.com/privacy/epal" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.research.ibm.com/privacy/epal epal.xsd http://www.w3.org/2001/XMLSchema xs-dummy.xsd "> <vocabulary-information id="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> <issuer> <name>name</name> <organization>organization</organization> <e-mail>e-mail</e-mail> <address>address</address> <country>country</country> </issuer> <location>http://www.ibm.com</location> <version-info end-date="2001-12-31T12:00:00" last-modified="2001-12-31T12:00:00" revision-number="" start-date="2001-12-31T12:00:00" test="false"/> </vocabulary-information> <user-category id="NCName" parent="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> <property id="NCName"> <value>value</value> </property> </user-category> <data-category id="NCName" parent="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> </data-category> <purpose id="NCName" parent="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> </purpose> <action id="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> </action> <container id="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> <attribute auditable="true" id="NCName" maxOccurs="1" minOccurs="1" simpleType="http://www.w3.org/2001/XMLSchema#string"> </attribute> </container> <obligation id="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> <parameter id="NCName" maxOccurs="1" minOccurs="1" simpleType="http://www.w3.org/2001/XMLSchema#string"> </parameter> </obligation> </epal-vocabulary> |
The <vocabulary-information> of type "infoType" contains information about the vocabulary in the form of three sub-elements. The "id" attribute defines the Name that identifies the vocabulary. The <issuer> describes the issuer, the <version-info> the version and other management information. The "id" attribute of vocabulary-information together with the "revision-number" attribute must uniquely identify a vocabulary for each issuer.
Example: Vocabulary Information inside an EPAL vocabulary
<vocabulary-information id="sample-policy"> <short-description language="en">Example policy information</short-description> <long-description language="en">long-description</long-description> <!-- Entity issuing the policy --> <issuer> <name>EPAL Working Group</name> <organization>IBM Research</organization> <e-mail>testmail@zurich.ibm.com</e-mail> <address>Saumerstr. 4, 8838 Ruschlikon</address> <country>Switzerland</country> </issuer> <!-- Policy version. This is so the enterprise can track versions of its policy. --> <version-info start-date="2002-03-19T00:00:00" test="true" last-modified="2002-03-19T00:00:00" revision-number="1.02A" end-date="2004-03-19T00:00:00"/> </vocabulary-information> |
User categories represent a category of individuals that can access data. Examples include single employees, particular roles, employee groups, other enterprises that may receive data, or the data subject itself (i.e., the owner who's data is collected).
Syntax: Each <user-category> element defines a user-category that can be referenced in a rule. The user-category element is of type "hierarchicalType", i.e., it inherits the mandatory attribute "id", the optional attribute "parent", and elements <short-description>, <long-description>, and <property>
Semantics: The list of <user-category> elements
defines the entities accessing the data. A <user-category>
describes an entity accessing some data and can reference its parent.
This includes individuals, groups of individuals, enterprises,
organizations, or software agents. user categories are structured in a
list of hierarchies. The elements are ordered in hierarchies by a
"parent" attribute that contains the value of the
"id" of its parent <user-category>.
For all hierarchical elements (user-category, purpose, data-category),
the graph that is built by using elements as nodes and drawing edges
from child to parent must be one or more trees, i.e., there must not be
any cycles. The meaning of the hierarchy is a grouping, i.e., the parent
groups all its children. An access to a parent is allowed only if access
to all child categories is allowed.
Design Notes:
Schema Fragment
<xs:element name="user-category" minOccurs="0" maxOccurs="unbounded" type="epal:hierarchicalType"> </xs:element> |
The data categories used in privacy policies are often high-level classifications of data, such as customer contact information, medical record, or statistics. These categories are used to distinguish classifications of collected data that need to be treated differently from a privacy point of view. Organizing the data categories into a hierarchy improves the expressiveness of rules. For example, a rule that mentions a high-level data category applies to all parts. This reduces the number of rules in an EPAL policy.
Syntax: Each <data-category> element defines a
data-category that can be referenced in a rule. The data-category
element is of type "hierarchicalType",
i.e., it inherits the mandatory attribute "id", the optional
attribute "parent", and elements <short-description>,
<long-description>, and <property>.
Semantics: A <data-category> represents some data
of a given data classification. The elements are ordered in one or more
hierarchies by a "parent" attribute that contains the value of
the "id" attribute of its parent <data-category>.
For all hierarchical elements (user-category, purpose, data-category),
the graph that is built by using elements as nodes and drawing edges
from child to parent must be one or more trees, i.e., there must not be
any cycles. The meaning of the hierarchy is a grouping, i.e., the parent
groups all its children. An access to a parent is allowed only if access
to all child categories is allowed.
Design Notes:
Schema Fragment:
<xs:element name="data-category" minOccurs="0" maxOccurs="unbounded" type="epal:hierarchicalType"> </xs:element> |
Purpose is an important concept in privacy. Information is often disclosed only for particular purposes. Privacy policies must state the purposes for which data is used or is going to be used. The purposes mentioned in privacy policies are often high-level, such as marketing. More specific rules may deal with more specific purposes that fall under the domain of a high-level purpose, such as direct marketing by a third party via e-mail. Organizing the purposes into a hierarchy improves the expressiveness of rules and allows for compact policies.
Syntax: Each <purpose> element defines one purpose that can be referenced in rule definitions. Each <purpose> element is of type "hierarchicalType", i.e., it inherits the mandatory attribute "id", the optional attribute "parent", and elements <short-description>, <long-description>, and <property> .
Semantics: A <purpose> represents the purpose
for which a rule authorizes or denies access. The elements are ordered
in one or more hierarchy by a "parent" attribute that contains
the value of the "id" attribute of its prospective parent.
For all hierarchical elements (user-category, purpose, data-category),
the graph that is built by using elements as nodes and drawing edges
from child to parent must be one or more trees, i.e., there must not be
any cycles. The meaning of the hierarchy is a grouping, i.e., the parent
groups all its children. An access to a parent is allowed only if access
to all child categories is allowed.
Design Notes:
Schema Fragment
<xs:element name="purpose" type="epal:hierarchicalType" minOccurs="0" maxOccurs="unbounded"> </xs:element> |
An enterprise performs certain actions on its data resources. A privacy policy specifies which actions are allowed and which are denied under particular circumstances.
Syntax: Each <action> element defines one privacy-relevant action that can be referenced in rule definitions. Each <action> element is of type "describedObjectType", i.e., it inherits the mandatory attribute "id", and elements <short-description>, <long-description>, and<property> .
Semantics: An <action> represents the action that is authorized. <action> elements are not structured in a hierarchy.
Design Notes:
Schema Fragment
<xs:element name="action" type="epal:describedObjectType" minOccurs="0" maxOccurs="unbounded"> </xs:element> |
Privacy authorization can depend on conditions based upon the context of the request. For example, some data may be used for marketing only if the person is not a minor or a parent has given consent. Each element <container> defines a data structure that contains context data that can be evaluated by conditions. Each container defines a list of context attributes (variables such as 'age', 'name', 'consentToMarketing', 'timeOfDay', ...) that can later be evaluated by conditions. Each <condition> element in EPAL policies then implements a condition that evaluates such context attributes. For efficiency reasons, each condition can specify a subset of the containers that are actually needed to evaluate this condition. Based on the actual instances of the attributes in these containers, the condition then returns 'true' or 'false'.
Syntax: Each <container> element extends the type "describedObjectType", i.e., it inherits the mandatory attribute "id", and elements <short-description>, <long-description>, and <property>. This type is extended by adding a list of one or more <attribute> elements of type "containerAttributeDefinitionType". Each of these elements specifies the syntax of an attribute that is contained in the container by means of attributes "simpleType", "minOccurs", "maxOccurs", and "auditable". The Boolean "auditable" indicates whether this attribute was collected in an auditable way.
Semantics: A <container> element defines the data structure of a container. A container is a set of attributes. An attribute is multi-valued, i.e., an attribute is a bag of values (as specified by the minOccurs and maxOccurs attributes). The values in a bag are not ordered, and some of the values may be duplicates.
Note that container instances are used to evaluate conditions. We require that all the container instances that are needed for condition evaluation are available at the time of authorization, i.e., if a rule is applicable but the container instance needed to evaluate the condition is missing, this is defined to be an error. The EPAL authorization engine requires that each attribute value validates against the attribute specification of the corresponding container.
Design Notes:
Schema Fragment
<xs:element name="container" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="attribute" type="epal:containerAttributeDefinitionType" minOccurs="1" maxOccurs="unbounded"> </xs:element>< /xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Declared attribute id's must be unique within each container --> <xs:unique name="uniqueAttribute"> <xs:selector xpath="attribute"/> <xs:field xpath="@id"/> </xs:unique> </xs:element> |
<container id="DataUserInfo"> <short-description>Information about the user category</short-description> <long-description>More Infos.</long-description> <attribute id="DataUserID" maxOccurs="1" minOccurs="1" simpleType="http://www.w3.org/2001/XMLSchema#string"> <short-description> The ID of the user category accessing the data.</short-description> </attribute> <attribute id="WorkingOnStations" maxOccurs="unbounded" minOccurs="1" simpleType="http://www.w3.org/2001/XMLSchema#string"> <short-description>A multi-valued attribute describing the stations on which the nurse is allowed to work.</short-description> </attribute> </container> <container id="PatientRecord"> <short-description>The record of the patient who's data is accessed.</short-description> <attribute id="Station" maxOccurs="unbounded" minOccurs="1" simpleType="http://www.w3.org/2001/XMLSchema#string"> <short-description>A multi-valued attribute describing the stations on which the patient resides.</short-description> </attribute> <attribute id="PrimaryCarePhysicianID" maxOccurs="unbounded" minOccurs="1" simpleType="http://www.w3.org/2001/XMLSchema#string"> <short-description>A multi-value input defining the IDs of all primary care physicians of this patient.</short-description> </attribute> </container> |
Legislation and privacy policies may state that when a certain action is performed, the enterprise is obligated to take some additional steps. An example is that all accesses against a certain type of data for a given purpose must be logged. Or children's data shall be deleted within 30 days unless parent consent is obtained. In EPAL such consequential actions are called obligations. EPAL is not designed to encode the logic of an obligation. The system which evaluates a request against an EPAL policy must be capable of executing all obligations given the unique name of the obligation.
Syntax: Each <obligation> element defines one obligation that can be referenced in rule definitions. <obligation> elements are not structured in a hierarchy. The <obligation> elements extend the type "describedObjectType", i.e., it inherits the mandatory attribute "id", and elements <short-description>, <long-description>, <property> . This type is extended by a list of <parameter> elements of type "attributeDefinitionType" that specify parameter values to be specified inside the rules.
Semantics: An obligation is opaque and is returned after the rule is processed. An obligation inside a rule can contain values for its parameters to be returned together with the obligation identifier. An obligation parameter is multi-valued, i.e., an obligation parameter is a bag of values. The values in a bag are not ordered, and some of the values may be duplicates. These parameter values are of types as specified by the parameter definition. An obligation shall be returned if the rule was applied (i.e., either no condition was attached or the attached condition was satisfied). This holds for "allow" as well as "deny"-rules.
Design Notes:
Schema Fragment
<xs:element name="obligation" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence minOccurs="1" maxOccurs="unbounded"> <xs:element name="parameter" type="epal:attributeDefinitionType" minOccurs="0" maxOccurs="unbounded"> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Declared parameter id's must be unique within each obligation --> <xs:unique name="uniqueParam"> <xs:selector xpath="parameter"/> <xs:field xpath="@id"/> </xs:unique> </xs:element> |
Example: An Obligation
<obligation id="retention"> <short-description>A test obligation</short-description> <long-description>long-description</long-description> <property id="Name"> <value>property</value> </property> <parameter id="days" simpleType="http://www.w3.org/2001/XMLSchema#integer" minOccurs="1" maxOccurs="1"/> </obligation> |
This section describes the syntax of an EPAL policy that defines privacy rules based on a given <epal-vocabulary> . While the <epal-vocabulary> defines the language to express sector-specific privacy policies, the policy defines rules that formalize what is allowed and what is denied.
Syntax: The <epal-policy> element defines the actual privacy rules based on a given vocabulary. The <epal-policy> element contains the following sub-elements in this fixed order:
The <epal-policy> element has an optional attribute "global-condition" that defines a global pre-condition for this policy, a required attribute "version" that defines the EPAL version, and a required attribute "default-ruling" that defines the default ruling of this policy. Default-rulings are 'allow', 'deny', or 'not-applicable'.
Semantics: The default ruling specifies the ruling that is literally returned if no rule is applicable. The ruling 'allow' indicates that the action is allowed if none of the rules was applicable, 'deny' indicates that the action is denied, and 'not-applicable' indicates that this policy does not care even though the request used elements that were defined in the vocabulary used. The global condition refers to a condition-ID. If this condition is false, the default ruling is returned.
Design Notes:
Schema Fragment
<xs:element name="epal-policy"> <xs:complexType> <xs:sequence> <xs:element name="policy-information" minOccurs="1" maxOccurs="1" type="epal:infoType"></xs:element> <xs:element name="epal-vocabulary-ref" minOccurs="1" maxOccurs="1" type="epal:importStatementType"/> <xs:element name="condition" minOccurs="0" maxOccurs="unbounded">...</xs:element> <xs:element name="rule" minOccurs="0" maxOccurs="unbounded">...</xs:element> </xs:sequence> <xs:attribute name="version" type="xs:string" default="1.2"/> <xs:attribute name="global-condition" type="xs:NCName" use="optional"/> <xs:attribute name="default-ruling" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="allow"/> <xs:enumeration value="deny"/> <xs:enumeration value="not-applicable"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> |
Example: An <epal-policy>
<epal-policy default-ruling="allow" global-condition="NCName" version="1.2" xmlns="http://www.research.ibm.com/privacy/epal" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.research.ibm.com/privacy/epal epal.xsd http://www.w3.org/2001/XMLSchema xs-dummy.xsd "> <policy-information id="NCName"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> <property id="NCName"> <value>value</value> </property> <issuer> <name>name</name> <organization>organization</organization> <e-mail>e-mail</e-mail> <address>address</address> <country>country</country> </issuer> <location>http://www.ibm.com</location> <version-info end-date="2001-12-31T12:00:00" last-modified="2001-12-31T12:00:00" revision-number="" start-date="2001-12-31T12:00:00" test="false"/> </policy-information> <epal-vocabulary-ref id="NCName" location="http://www.ibm.com" revision-number="NCName"/> <condition id="NCName">...</condition> <rule id="NCName" ruling="allow"> <short-description language="en">short-description</short-description> <long-description language="en">long-description</long-description> <property id="NCName"> <value>value</value> </property> <user-category refid="NCName"/> <data-category refid="NCName"/> <purpose refid="NCName"/> <action refid="NCName"/> <condition refid="NCName"/> <obligation refid="NCName"> <parameter refid="NCName"> <value>value</value> </parameter> </obligation> </rule> </epal-policy> |
The <policy-information> of type "infoType" contains information about the policy in the form of three sub-elements. The "id" attribute defines the id of the policy. The <issuer> describes the issuer, the <version-info> the version and other management information. The "id" attribute of policy-information together with the "revision-number" attribute must uniquely identify a policy for each issuer.
Example: Policy Information inside an EPAL policy
<policy-information id="sample-policy"> <short-description language="en">Example policy information</short-description> <long-description language="en">long-description</long-description> <!-- Entity issuing the policy --> <issuer> <name>EPAL Working Group</name> <organization>IBM Research</organization> <e-mail>testid@zurich.ibm.com</e-mail> <address>Saumerstr. 4, 8838 Ruschlikon</address> <country>Switzerland</country> </issuer> <!-- Policy version. This is so the enterprise can track versions of its policy. --> <version-info start-date="2002-03-19T00:00:00" test="true" last-modified="2002-03-19T00:00:00" revision-number="1.02A" end-date="2004-03-19T00:00:00"/> </policy-information> |
Syntax: The <epal-vocabulary-ref> element identifies the vocabulary to be used for the rules and conditions of this policy. It inherits the following attributes from "importStatementType".
Semantics: The <epal-vocabulary-ref> element points to the vocabulary that will be read by an EPAL engine. If the "id" or "revision-number" of the vocabulary at the given "location" are not identical to the ones in the <epal-vocabulary-ref> element, the policy is defined to be invalid and an evaluation always returns 'error'.
Legislation and privacy policies make statements based on conditions. Rules must enforce these statements while accounting for the associated conditions. It is assumed that a condition can be evaluated to a boolean value.
Syntax: The <condition> element inherits the mandatory attribute "id", and the elements <short-description>, <long-description>, and <property> from the "describedObjectType". It extends this type by adding exactly one additional element <predicate> of type "functionType", which specifies a particular boolean condition. A <predicate> element consists of a sequence of <attribute-value>, <attribute-bag>, <attribute-reference>, <function>, and <predicate> elements.
A <predicate> represents a boolean function, i.e., a function that returns a boolean value. A <function> represents a non-boolean function. Both are elements of type "functionType". The mandatory "refid" attribute specifies the URI of a particular predicate or function. The syntax and semantics of each predicate or function are listed in Appendix 5. The child elements are viewed as a sequence of arguments, i.e., a combination of <predicate>, <function>, <attribute-value>, <attribute-bag>, <attribute-reference>, and <condition-reference> elements represents a sequence of arguments.
An <attribute-value> element represents an attribute value, i.e., an instance of a particular data type. The data type is specified by the mandatory "simpleType" attribute, and the value is specified as the content of the element.
An <attribute-bag> element represents a bag of attribute values. The values in a bag are not ordered, and some of the values may be duplicates. The data type is specified by the mandatory attribute "simpleType", and the values are specified as zero or more <value> elements.
An <attribute-reference> element represents a reference to a particular container attribute. The container attribute is identified by the pair of the mandatory attributes "container-refid" and "attribute-refid".
A <condition-reference> element represents a reference to another condition specified by the mandatory attribute "refid". For each <condition> element, the reference paths that are built recursively by the <condition-reference> elements under it must not have any cycles.
Semantics: Each <condition> represents one condition. Only if all the conditions in a rule are satisfied, the rule can be applied. Otherwise, it is ignored. To evaluate a <condition> given container instances, we need to evaluate the specified <predicate> element.
Both predicates and functions are evaluated in the same way. The only difference is that predicates return a boolean value but functions return a non-boolean value. It is evaluated according to the semantics of the predicate or function specified by the "refid" attribute. The semantics of all the predicates or functions defined in this specification are listed in Appendix 5. They are described assuming the arguments are given as a sequence of <attribute-value> and <attribute-bag> elements. An <attribute-value> represents an attribute value that is an instance of a particular data type, and an <attribute-bag> element represents a bag of attribute values. Both can be viewed as constant values. Therefore, when the arguments of a predicate or a function include <attribute-value> and <attribute-bag> elements only, the evaluation is straightforward.
When the arguments of a predicate or a function include <attribute-reference>, <condition-reference>, <function>, and <predicate> elements, they need to be evaluated to <attribute-bag> or <attribute-value> elements as follows:
Note that the evaluation of a predicate and a function is recursive because they can take predicates and functions as the arguments.
Design Notes:
Schema Fragment
<xs:element name="condition" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence> <xs:element name="predicate" type="epal:functionType" minOccurs="1" maxOccurs="1"/> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> </xs:element> |
Example: Conditions Evaluating the Example Containers in Section 3.7
For example, assume that we have a container named "DataUserInfo" and a string-type attribute named "DataUserID" (See Section 3.7 for the definition). Then the condition that the "DataUserID" attribute value must be equal to "John Doe" is implemented as follows:
<condition id="condition1"> <predicate refid="http://www.research.ibm.com/privacy/epal#string-equal"> <function refid="http://www.research.ibm.com/privacy/epal#string-bag-to-value"> <attribute-reference container-refid="DataUserInfo" attribute-refid="DataUserID"/> </function> <attribute-value simpleType="http://www.w3.org/2001/XMLSchema#string">John Doe</attribute-value> </predicate> </condition> |
In this example, the <attribute-reference> element is used to reference the bag of the "DataUserID" attribute value in the "DataUserInfo" container, and then the "string-bag-to-value" function is used to convert the bag into an attribute value so that we can use the "string-equal" function to compare the two string values.
Here is another example, where the condition requires that the "DataUserID" attribute value is equal to one of "John Doe", "John Doe2", and "John Doe3".
<condition id="condition2"> <predicate refid="http://www.research.ibm.com/privacy/epal#string-is-in"> <function refid="http://www.research.ibm.com/privacy/epal#string-bag-to-value"> <attribute-reference container-refid="DataUserInfo" attribute-refid="DataUserID"/> </function> <attribute-bag simpleType="http://www.w3.org/2001/XMLSchema#string"> <value>John Doe</value> <value>John Doe2</value> <value>John Doe3</value> </attribute-bag> </predicate> </condition> |
The following example compares two bags, which are specified by the two <attribute-reference> elements. In this example, the condition requires that at least one attribute value in the "WorkingOnStations" bag is equal to one of the attribute values in the "Station" bag.
<condition id="condition3"> <short-description>This condition checks whether a nurse (data user) is allowed to access patient data.</short-description> <long-description>This access is only allowed if the nurse (data user) is working on a station where the patient resides.</long-description> <predicate refid="http://www.research.ibm.com/privacy/epal#string-at-least-one-value-equal"> <attribute-reference container-refid="DataUserInfo" attribute-refid="WorkingOnStations"/> <attribute-reference container-refid="PatientRecord" attribute-refid="Station"/> </predicate> </condition> |
The following example uses two <condition-reference> elements to reference the above "condition1" and "condition3" conditions and create a new condition ("condition4"), which requires that both "condition1" and "condition3" are satisfied.
<condition id="condition4"> <predicate refid="http://www.research.ibm.com/privacy/epal#and"> <condition-reference refid="condition1"/> <condition-reference refid="condition3"/> </predicate> </condition> |
The following example uses a <condition-reference> element to reference the above "condition1" condition and create a new condition ("condition5").
<condition id="condition5"> <predicate refid="http://www.research.ibm.com/privacy/epal#and"> <condition-reference refid="condition1"/> <predicate refid="http://www.research.ibm.com/privacy/epal#string-equal"> <function refid="http://www.research.ibm.com/privacy/epal#string-bag-to-value"> <attribute-reference container-refid="PatientRecord" attribute-refid="Station"/> </function> <attribute-value simpleType="http://www.w3.org/2001/XMLSchema#string">SW4</attribute-value> </predicate> </predicate> </condition> |
A rule states that certain user-categories are allowed or denied to perform an action on data of given categories for given purposes if and only if the given conditions are satisfied, and that, consequently, particular obligations must be executed. Rules are ordered by descending precedence, i.e., if a rule applies (allows or denies a request) all subsequent rules are ignored. Each privacy rule is encoded as a <rule> element in EPAL. Rules have two types: An 'allow'-rule allows an action while 'deny-rules define that the action must not be allowed.
Syntax: The <rule> element extends the type "describedObjectType", i.e., it inherits the mandatory attribute "id", and elements <short-description>, <long-description>, <property> . The "describedObjectType" is extended by the required attribute "ruling" with values 'allow', or 'deny' as well as the following sub-elements in this fixed order:
Design Notes:
Schema Fragment
<xs:element name="rule" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence> <xs:element name="user-category" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <xs:element name="data-category" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <xs:element name="purpose" type="epal:referringObjectType" minOccurs="0" maxOccurs="unbounded"></xs:element> <xs:element name="action" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <xs:element name="condition" type="epal:referringObjectType" minOccurs="0" maxOccurs="unbounded"></xs:element> <xs:element name="obligation" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:referringObjectType"> <xs:sequence minOccurs="0" maxOccurs="1"> <xs:element name="parameter" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="refid" use="required" type="xs:NCName"></xs:attribute> </xs:complexType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> </xs:element> </xs:sequence> <xs:attribute name="ruling"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="allow"/> <xs:enumeration value="deny"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> </xs:element> |
We now describe the precise meaning of an EPAL policy. This is done by a semantics. The goal is to define for any EPAL policy and any elements (data-category, user-category, action, purpose) whether the given user-category is allowed to perform the given action for the given purpose on the given data category. In order to evaluate the conditions, this requires the container attribute data to be input.
If all elements in the request are leafs of the hierarchy (e.g., a single purpose), the intuition is straightforward: If the algorithm outputs 'allow', the given user-category is allowed to perform the given action for the given purpose on the given data category. If non-leaf elements are used in the query, the semantics is based on a grouping (logical and). A access request on non-leaf elements is allowed only if access for these elements as well as their children are allowed. E.g., a user-category 'department' can only use data if all its sub-user-category (e.g., sales department and human resources department) can use the data. Similarity, a purpose 'marketing' is only allowed if all its sub-purposes are allowed. The rationale is to, e.g., allow access to a complete record if and only if all parts of this record can be accessed.
Note that we do not mandate any particular implementation or interface to the algorithm. We give an example interface that uses XML inputs and outputs as an appendix.
A simple authorization request contains
The tuple (U, T, P, A) is called the authorization-quadruple. The intuition behind a request is "Is the given user-category (and all its children) allowed to perform the given action on the given data-category (and all its children) for the given purpose (and all its children). If yes, what obligations apply?". A consequence of this intuition is that a request to access, e.g., an action on a data-category 'customer record' is only allowed if it is allowed on all its parts.
The algorithm outputs
The algorithm determines the ruling by processing each rule with descending precedence. Before starting, it checks that the global-condition is satisfied. If not, the default-ruling is returned.
For each rule, the algorithm checks:
If these conditions are satisfied, the algorithm acts on the rule. If all rules have been processed (but no 'allow' or 'deny' satisfied these two conditions), the algorithm returns the default-ruling. We now describe the two conditions in more detail:
Scope Check: The scope checks are based on the hierarchies
defined in the used <epal-vocabulary>.
A request is in the scope of a rule where the "ruling"
attribute is "allow" iff
A request is in the scope of a rule where the "ruling" attribute is "deny" iff
If the request is not in the scope of the rule, the next rule is processed. Else, the algorithm continues processing this rule:
Checking the Conditions: If the rule has no conditions, the algorithm continues by acting on this rule. If the rule has one or more conditions, the conditions are evaluated as described in Section 4.4. If any of the conditions is not satisfied, the algorithm continues by processing the next rule. Else, it acts on this rule.
Acting on a rule: If the ruling is "allow" or "deny", the ruling, the rule-id of the rule, and the obligations of this rule are returned.
Design Notes:
The intuitive question that corresponds to this request is "I belong to multiple user categories. Is there any of my user categories that allows me to perform all actions for all purposes on all data categories?". For a given user-category that is allowed or denied to perform the action, the resulting obligations are collected from all applicable rules and then returned.
We will solve this problem in two parts: First, we show how to resolve it for one user-category. Then, we repeat this procedure for all user-categories.
A compound authorization request contains
The algorithm outputs
Processing a Single user category: We now define how to process a compound request for one user category and multiple other elements. The compound query for a particular user-category is decomposed into simple requests as follows:
After processing the simple requests for all combinations of elements in the compound request, we can determine the ruling for this user category as follows:
Processing Multiple user categories: Multiple user categories are processed in the order that they are defined inside the vocabulary of the policy:
Design Notes:
We now list some complex data types that have been used for multiple elements. These data-types define sub-elements that are common to all actual elements that implement or refine these types.
Any element of this type has a required attribute "id" of type "NCName". This attribute contains an identifier that can be used to reference the element. This type is further refined by the "describedObjectType" and used in the rules to reference the objects that are covered by a rule.
Schema Fragment
<!-- Elements which have an identifier should be of this type --> <xs:complexType name="identifiedObjectType"> <xs:attribute name="id" type="xs:NCName" use="required"> </xs:attribute> </xs:complexType> |
Any element of this type has a required attribute "refid" of type "NCName". This attribute contains an identifier that references another element that contains the same value in its "id" attribute. E.g., a user-category inside a rule contains a refid field that references the id attribute of a user-category inside the referenced vocabulary.
Schema Fragment
<!-- Elements which refer to an identifier should be of this type --> <xs:complexType name="referringObjectType"> <xs:attribute name="refid" type="xs:NCName" use="required"> </xs:attribute> </xs:complexType> |
The "describedObjectType" extends the "identifiedObjectType". Elements
of this type contain a sequence of zero or more elements <short-description>
of type "string" that is extended by an attribute 'language'
of simple type "language", zero or more elements <long-description>
of type "string" that is extended by an attribute 'language'
of simple type "language", and zero or more elements <property>.
Each <property> element contains <value>
elements with contents of type "epalSimpleType".
We require that for any 'language', there must be at most one <long-description>
and one <short-description> element.
Property elements can be used to extend the EPAL policy language or to
store any external information that is needed by particular
implementations. Examples of properties include implementation hints, or
expressions describing the element in more detail. The "id"
can be used by implementers to retrieve properties that relate to their
particular implementation. In general, the content of the properties is
not standardized. However, standardizing properties can enable a later
extension of EPAL without changing the core standard. This type is
further refined by the "hierarchicalObjectType" and is used in
the EPAL vocabularies to define and describe non-hierarchical elements
of an EPAL policy.
Schema Fragment
<!-- Identified Elements which have descriptions should be of this type --> <xs:complexType name="describedObjectType"> <xs:complexContent> <xs:extension base="epal:identifiedObjectType"> <xs:sequence> <xs:element name="short-description" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="language" use="optional" default="en" type="xs:language"></xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="long-description" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="language" use="optional" default="en" type="xs:language"></xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="property" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="id" use="required" type="xs:NCName"></xs:attribute> </xs:complexType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> |
The "hierarchicalType" extends the "describedObjectType" by adding an
optional "parent" attribute with type "NCName". The
parent attribute points to a unique "id" attribute of another
element.
This type is used in EPAL vocabularies to define hierarchical elements
(such as purpose, or user-category) to define and describe the elements
of an EPAL policy while structuring them into a hierarchy.
Schema Fragment
<!-- Elements which can participate in a hierarchy should have this type --> <xs:complexType name="hierarchicalType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:attribute name="parent" type="xs:string" use="optional"> </xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> |
An element of type "contactInfoType" contains a sequence of
exactly one of each of the following required elements of type
"string": <name>, <organization>,
<e-mail>, <address>, and <country>
.
This type is used for stating the mandatory address of the issuer of a
policy and for adding an optional address to a user-category of a
policy.
Schema Fragment
<!-- Contact information --> <xs:complexType name="contactInfoType"> <xs:sequence> <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="organization" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="e-mail" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="address" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="country" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> </xs:sequence> </xs:complexType> |
An element of type "attributeDefinitionType" extends the "describedObjectType" by adding a set of attributes. The inherited attribute "id" defines the name of the defined attribute. The attribute "simpleType" defines the data type of the attribute by a URI. The allowed data type URIs are taken from the XML Schema Part 2 specification. The following is the list of the allowed data type URIs.
The attribute "minOccurs" defines the minimal number of values that need to occur in a list. The attribute "maxOccurs" defines the maximal number of values that need to occur in a list. "maxOccurs" is either of type "nonNegativeInteger" or else equal the string 'unbounded'.
Schema Fragment
<!-- A Descriptor of an attribute --> <xs:complexType name="attributeDefinitionType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:attribute name="simpleType" use="required" type="epal:epalSimpleTypeURI"/> <xs:attribute name="minOccurs" type="xs:nonNegativeInteger" use="optional" default="1"/> <xs:attribute name="maxOccurs" use="optional" default="1"> <xs:simpleType> <xs:union memberTypes="xs:nonNegativeInteger"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="unbounded"/> </xs:restriction> </xs:simpleType> </xs:union> </xs:simpleType> </xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> <xs:simpleType name="epalSimpleTypeURI"> <xs:restriction base="xs:anyURI"> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#string"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#boolean"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#double"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#time"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#date"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#dateTime"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#integer"/> </xs:restriction> </xs:simpleType> |
An element of type "containerAttributeDefinitionType"
extends the "attributeDefinitionType"
by adding an optional attribute "auditable".
The "auditable" attribute is Boolean and defines whether this
particular attribute must be collected in an auditable way. In practice,
this attribute will be used to distinguish consent like "yes to
direct mailings" (auditable) and enterprise-internal context
"time of day" (not required to be auditable).
Schema Fragment
<xs:complexType name="containerAttributeDefinitionType"> <xs:complexContent> <xs:extension base="epal:attributeDefinitionType"> <xs:attribute name="auditable" use="optional" type="xs:boolean" default="false"/> </xs:extension> </xs:complexContent> </xs:complexType> |
An element of type "epalSimpleType" contains values of simple types that can be tunneled through the EPAL engine. These primitive types are taken from the XML Schema Part 2 specification as described in Section 6.6.
Schema Fragment
<xs:simpleType name="epalSimpleType"> <xs:union memberTypes="xs:string xs:boolean xs:integer xs:double xs:time xs:date xs:dateTime xs:anyURI xs:hexBinary xs:base64Binary"/> </xs:simpleType> |
This type defines the information that is used to describe and identify an <epal-policy> or an <epal-vocabulary> . It contains information about the policy or vocabulary in the form of three sub-elements. This type extends the "describedObjectType" by appending the following sub-elements in the following sequence:
Schema Fragment
<xs:complexType name="infoType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence> <xs:element name="issuer" minOccurs="0" maxOccurs="1" type="epal:contactInfoType"></xs:element> <xs:element name="location" minOccurs="0" maxOccurs="1" type="xs:anyURI"></xs:element> <xs:element name="version-info" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:attribute name="test" type="xs:boolean" default="false" use="optional"></xs:attribute> <xs:attribute name="start-date" type="xs:dateTime" use="required"></xs:attribute> <xs:attribute name="revision-number" type="xs:string" use="required"></xs:attribute> <xs:attribute name="last-modified" type="xs:dateTime" use="required"></xs:attribute> <xs:attribute name="end-date" type="xs:dateTime" use="optional"></xs:attribute> <xs:attribute name="superseded-by-id" type="xs:NCName" use="optional"></xs:attribute> <xs:attribute name="superseded-by-revision-number" type="xs:string" use="optional"></xs:attribute> </xs:complexType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> |
This type defines the syntax for importing a file (e.g., an EPAL vocabulary file). It contains the following attributes.
In addition, it can be augmented by elements <long-description>, <short-description>, and <property> as described for the describedObjectType.
Schema Fragment
<xs:complexType name="importStatementType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:attribute name="location" use="required" type="xs:anyURI"></xs:attribute> <xs:attribute name="revision-number" use="optional" type="xs:NCName"></xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> |
Example: Structure of a <import> element and its sub-elements
<import id="epal-example" location="http://www.ibm.com/epal-example-1.0.xml" revision-number="1.0"> |
This type defines the syntax for specifying an EPAL function or an EPAL predicate with a sequence of arguments. The mandatory "refid" attribute specifies the URI of a particular predicate or function. The syntax and semantics of each predicate or function are listed in Appendix 5.
The child elements are viewed as a sequence of arguments, i.e., a combination of <predicate>, <function>, <attribute-value>, <attribute-bag>, <attribute-reference>, and <condition-reference> elements represents a sequence of arguments.
Schema Fragment
<xs:complexType name="functionType"> <xs:sequence> <xs:choice minOccurs="1" maxOccurs="unbounded"> <xs:element name="attribute-value" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:simpleContent> <xs:extension base="epal:epalSimpleType"> <xs:attribute name="simpleType" use="required" type="epal:epalSimpleTypeURI"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="attribute-bag" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="simpleType" use="required" type="epal:epalSimpleTypeURI"/> </xs:complexType> </xs:element> <xs:element name="attribute-reference" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:attribute name="container-refid" use="required" type="xs:NCName"/> <xs:attribute name="attribute-refid" use="required" type="xs:NCName"/> </xs:complexType> </xs:element> <xs:element name="condition-reference" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:attribute name="refid" use="required" type="xs:NCName"/> </xs:complexType> </xs:element> <xs:element name="predicate" type="epal:functionType" minOccurs="1" maxOccurs="1"/> <xs:element name="function" type="epal:functionType" minOccurs="1" maxOccurs="1"/> </xs:choice> </xs:sequence> <xs:attribute name="refid" type="xs:anyURI" use="required"/> </xs:complexType> |
Example: An EPAL predicate
<predicate refid="http://www.research.ibm.com/privacy/epal#string-equal"> <function refid="http://www.research.ibm.com/privacy/epal#string-bag-to-value"> <attribute-reference container-refid="DataUserInfo" attribute-refid="DataUserID"/> </function> <attribute-value simpleType="http://www.w3.org/2001/XMLSchema#string">John Doe</attribute-value> </predicate> |
This section specifies an example interface to authorization engines. This interface enables an authorization engine to consume XML inputs while producing XML outputs. This is particularly useful for testing purposes where authorization engines can consume batches of XML inputs while producing batches of outputs that can then be verified for conformance to the semantics.
The following sections define the syntax of an authorization request and result. The namespace URI for the syntax is "http://www.research.ibm.com/privacy/epal/interface".
The top-level element <epal-query> defines a data structure that is input to an EPAL authorization engine for performing an actual authorization.
Syntax: Each <epal-query> element contains a sequence of one or more <user-category> elements, one or more <data-category> elements, one or more <purpose> elements, and one or more <action> elements. All these elements are of type "referringObjectType". In addition, it contains a list of <container> elements. Each <container> element contains an attribute "refid" that identifies the container of the policy that is instantiated. In addition, it contains one or more "attribute" elements that contain the actual attribute values to be used to evaluate the conditions.
Semantics: Each <epal-query> element corresponds to one authorization query. Each "container" element is an instance of the corresponding "container" of the policy. The contained data will be used to evaluate conditions.
Design Notes:
<xs:element name="epal-query"> <xs:complexType> <xs:sequence> <!-- The user category accessing the data--> <xs:element name="user-category" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <!-- The category of the accessed data --> <xs:element name="data-category" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <!-- The stated purpose of the access --> <xs:element name="purpose" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <!-- The stated operation of the access --> <xs:element name="action" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <!-- The list of XML container instances each corresponding to a container definition. --> <xs:element name="container" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <xs:element name="attribute" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="refid" use="required" type="xs:NCName"></xs:attribute> </xs:complexType> </xs:element> </xs:sequence> <xs:attribute name="refid" type="xs:NCName"/> </xs:complexType> </xs:element> </xs:sequence> </xs:complexType> </xs:element> |
Example: An EPAL Authorization Query
<?xml version="1.0"?> <epal-query xmlns="http://www.research.ibm.com/privacy/epal/interface" xmlns:epal="http://www.research.ibm.com/privacy/epal" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.research.ibm.com/privacy/epal/interface epal-interface.xsd http://www.research.ibm.com/privacy/epal epal.xsd "> <user-category refid="SalesDepartment"/> <data-category refid="CustomerRecord"/> <purpose refid="OrderProcessing"/> <action refid="Store"/> <container refid="CustomerRecord"> <attribute refid="CustomerID"> <value>0123456789</value> <value>Alice</value> </attribute> </container> </epal-query> |
The top-level element <epal-ruling> defines the data structure that is output by the EPAL authorization engine as an answer to an authorization query.
Syntax: Each <epal-ruling> element contains an attribute "ruling" with the ruling, a sequence of zero or more <originating-rule> elements of type "referringObjectType" that identify the rules that mandate this ruling, and zero or more <obligation> elements. Each obligations element inherits an attribute "refid" from the "referringObjectType". It extends this type by one or more child elements <originating-rule> of type "referringObjectType" that identify the rules that mandate this obligation, and a list of <parameter> elements of type "epalSimpleType" that define the parameters for this obligation. The required attribute "simpleType" specifies the epalSimpleType of the parameter as specified in the definition of the policy.
Semantics: The <epal-ruling> element describes one authorization answer. The ruling attribute contains the ruling returned by the engine, the originating-rules identify the rules that were used to allow/deny the request. The contained list of obligations identifies the resulting obligations. Each obligation has a "refid" that points to an "id" of an obligation of the policy. In addition, the obligation has a list of <originating-rule/> sub-elements that identify all rules that mandated this obligation.
Design Notes:
Schema Fragment
<xs:element name="epal-ruling"> <xs:complexType> <xs:sequence> <!-- The rules that mandated authorized access. --> <xs:element name="originating-rule" minOccurs="0" maxOccurs="unbounded" type="epal:referringObjectType"/> <!-- The returned obligations --> <xs:element name="obligation" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:referringObjectType"> <xs:sequence> <!-- The rules that mandated this obligation --> <xs:element name="originating-rule" minOccurs="1" maxOccurs="unbounded" type="epal:referringObjectType"/> <!-- The XML input for each returned obligation --> <xs:element name="parameter" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="simpleType" use="required" type="epal:epalSimpleTypeURI"/> <xs:attribute name="refid" use="required" type="xs:NCName"/> </xs:complexType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> </xs:element> </xs:sequence> <xs:attribute name="ruling"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="allow"/> <xs:enumeration value="deny"/> <xs:enumeration value="not-applicable"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> </xs:schema> |
Example: An Authorization Answer
<?xml version="1.0"?> <epal-ruling ruling="allow" xmlns="http://www.research.ibm.com/privacy/epal/interface" xmlns:epal="http://www.research.ibm.com/privacy/epal" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.research.ibm.com/privacy/epal/interface epal-interface.xsd http://www.research.ibm.com/privacy/epal epal.xsd"> <originating-rule refid="rule1"/> <obligation refid="Retention"> <originating-rule refid="rule1"/> <parameter refid="Days" simpleType="http://www.w3.org/2001/XMLSchema#integer"><value>2</value></parameter> <parameter refid="Hours" simpleType="http://www.w3.org/2001/XMLSchema#integer"><value>48</value></parameter> </obligation> </epal-ruling> |
This appendix specifies the functions and predicates used by EPAL. Every function and predicate is uniquely addressed via a URI Reference constructed as follows:
All functions and predicates take a sequence of attribute values and bags of attribute values as arguments. It is important to note that a bag containing only one attribute value is not the same as an attribute value. For example, the "string-equal" function takes two attribute values as the arguments, but not two such bags. Similarly, the "string-bag-to-value" function is supposed to take such a bag as the argument, but not an attribute value. Indeed, it converts such a bag into an attribute value.
Names | Arguments | Return Value |
---|---|---|
integer-add | Two or more attribute values of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the result of addition. |
double-add | Two or more attribute values of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the result of addition. |
integer-subtract | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the result of subtraction, where the second argument is subtracted from the first argument. |
double-subtract | Two attribute values of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the result of subtraction, where the second argument is subtracted from the first argument. |
integer-multiply | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the result of multiplication. |
double-multiply | Two attribute values of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the result of multiplication. |
integer-divide | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the result of division, where the second argument is the divisor. |
double-divide | Two attribute values of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the result of division, where the second argument is the divisor. |
integer-mod | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the modulo, where the second argument is the divisor. |
integer-abs | A single attribute value of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the absolute value. |
double-abs | A single attribute value of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the absolute value. |
round | A single attribute value of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the closest integer value to the argument. |
floor | A single attribute value of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the largest integer value that is not greater than the argument. |
Name | Arguments | Return Value |
---|---|---|
lower-case | A single attribute value of http://www.w3.org/2001/XMLSchema#string | This function converts all of the characters in the string argument to lower case according to the "fn:lower-case" function [XQuery 1.0 and XPath 2.0 Functions and Operators], and returns an attribute value of http://www.w3.org/2001/XMLSchema#string representing the result. |
upper-case | A single attribute value of http://www.w3.org/2001/XMLSchema#string | This function converts all of the characters in the string argument to lower case according to the "fn:upper-case" function [XQuery 1.0 and XPath 2.0 Functions and Operators], and returns an attribute value of http://www.w3.org/2001/XMLSchema#string representing the result. |
normalize-space | A single attribute value of http://www.w3.org/2001/XMLSchema#string | This function normalizes the spaces in the string argument according to the "fn:normalize-space" function [XQuery 1.0 and XPath 2.0 Functions and Operators], and returns an attribute value of http://www.w3.org/2001/XMLSchema#string representing the result. |
Name | Arguments | Return Value |
---|---|---|
double-to-integer | A single attribute value of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the truncated integer value. |
integer-to-double | A single attribute value of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#double representing the integer value. |
Name | Arguments | Return Value |
---|---|---|
string-bag-size | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#string | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the size of the bag. |
boolean-bag-size | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#boolean | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the size of the bag. |
integer-bag-size | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#integer | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the size of the bag. |
double-bag-size | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#double | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the size of the bag. |
time-bag-size | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#time | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the size of the bag. |
date-bag-size | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#date | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the size of the bag. |
dateTime-bag-size | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#dateTime | An attribute value of http://www.w3.org/2001/XMLSchema#integer representing the size of the bag. |
string-bag-to-value | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#string | This function checks whether the bag contains one and only one attribute value. If it is true, then an attribute value of http://www.w3.org/2001/XMLSchema#string representing the only one value is returned, otherwise an error is returned. |
boolean-bag-to-value | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#boolean | This function checks whether the bag contains one and only one attribute value. If it is true, then an attribute value of http://www.w3.org/2001/XMLSchema#boolean representing the only one value is returned, otherwise an error is returned. |
integer-bag-to-value | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#integer | This function checks whether the bag contains one and only one attribute value. If it is true, then an attribute value of http://www.w3.org/2001/XMLSchema#integer representing the only one value is returned, otherwise an error is returned. |
double-bag-to-value | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#double | This function checks whether the bag contains one and only one attribute value. If it is true, then an attribute value of http://www.w3.org/2001/XMLSchema#double representing the only one value is returned, otherwise an error is returned. |
time-bag-to-value | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#time | This function checks whether the bag contains one and only one attribute value. If it is true, then an attribute value of http://www.w3.org/2001/XMLSchema#time representing the only one value is returned, otherwise an error is returned. |
date-bag-to-value | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#date | This function checks whether the bag contains one and only one attribute value. If it is true, then an attribute value of http://www.w3.org/2001/XMLSchema#date representing the only one value is returned, otherwise an error is returned. |
dateTime-bag-to-value | A single bag of attribute values of http://www.w3.org/2001/XMLSchema#dateTime | This function checks whether the bag contains one and only one attribute value. If it is true, then an attribute value of http://www.w3.org/2001/XMLSchema#dateTime representing the only one value is returned, otherwise an error is returned. |
string-bag | Zero or more attribute values of http://www.w3.org/2001/XMLSchema#string | A bag of http://www.w3.org/2001/XMLSchema#string containing all the argument values. |
boolean-bag | Zero or more attribute values of http://www.w3.org/2001/XMLSchema#boolean | A bag of http://www.w3.org/2001/XMLSchema#boolean containing all the argument values. |
integer-bag | Zero or more attribute values of http://www.w3.org/2001/XMLSchema#integer | A bag of http://www.w3.org/2001/XMLSchema#integer containing all the argument values. |
double-bag | Zero or more attribute values of http://www.w3.org/2001/XMLSchema#double | A bag of http://www.w3.org/2001/XMLSchema#double containing all the argument values. |
time-bag | Zero or more attribute values of http://www.w3.org/2001/XMLSchema#time | A bag of http://www.w3.org/2001/XMLSchema#time containing all the argument values. |
date-bag | Zero or more attribute values of http://www.w3.org/2001/XMLSchema#date | A bag of http://www.w3.org/2001/XMLSchema#date containing all the argument values. |
dateTime-bag | Zero or more attribute values of http://www.w3.org/2001/XMLSchema#dateTime | A bag of http://www.w3.org/2001/XMLSchema#dateTime containing all the argument values. |
Name | Arguments | Result |
---|---|---|
string-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#string | True iff the two values are equal according to the "fn:compare" function [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
boolean-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#boolean | True iff the two values are equal. |
integer-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | True iff the two values are equal. |
double-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#double | True iff the two values are equal. |
time-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#time | True iff the two values are equal according to the "op:time-equal" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
date-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#date | True iff the two values are equal according to the "op:date-equal" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
dateTime-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#dateTime | True iff the two values are equal according to the "op:dateTime-equal" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
Name | Arguments | Result |
---|---|---|
string-greater-than | Two attribute values of http://www.w3.org/2001/XMLSchema#string | True iff the first argument is greater than the second argument according to the "fn:compare" function [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
string-greater-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#string | True iff the first argument is greater than or equal to the second argument according to the "fn:compare" function [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
string-less-than | Two attribute values of http://www.w3.org/2001/XMLSchema#string | True iff the first argument is less than the second argument according to the "fn:compare" function [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
string-less-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#string | True iff the first argument is less than or equal to the second argument according to the "fn:compare" function [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
Name | Arguments | Result |
---|---|---|
integer-greater-than | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | True iff the first argument is greater than the second argument. |
integer-greater-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | True iff the first argument is greater than or equal to the second argument. |
integer-less-than | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | True iff the first argument is less than the second argument. |
integer-less-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#integer | True iff the first argument is less than or equal to the second argument. |
double-greater-than | Two attribute values of http://www.w3.org/2001/XMLSchema#double | True iff the first argument is greater than the second argument. |
double-greater-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#double | True iff the first argument is greater than or equal to the second argument. |
double-less-than | Two attribute values of http://www.w3.org/2001/XMLSchema#double | True iff the first argument is less than the second argument. |
double-less-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#double | True iff the first argument is less than or equal to the second argument. |
Name | Arguments | Result |
---|---|---|
time-greater-than | Two attribute values of http://www.w3.org/2001/XMLSchema#time | True iff the first argument is greater than the second argument according to the "op:time-greater-than" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
time-greater-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#time | True iff the first argument is greater than or equal to the second argument according to the "op:time-greater-than" and "op:time-equal" operators [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
time-less-than | Two attribute values of http://www.w3.org/2001/XMLSchema#time | True iff the first argument is less than the second argument according to the "op:time-less-than" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
time-less-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#time | True iff the first argument is less than or equal to the second argument according to the "op:time-lessr-than" and "op:time-equal" operators [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
date-greater-than | Two attribute values of http://www.w3.org/2001/XMLSchema#date | True iff the first argument is greater than the second argument according to the "op:date-greater-than" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
date-greater-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#date | True iff the first argument is greater than or equal to the second argument according to the "op:date-greater-than" and "op:date-equal" operators [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
date-less-than | Two attribute values of http://www.w3.org/2001/XMLSchema#date | True iff the first argument is less than the second argument according to the "op:date-less-than" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
date-less-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#date | True iff the first argument is less than or equal to the second argument according to the "op:date-lessr-than" and "op:date-equal" operators [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
dateTime-greater-than | Two attribute values of http://www.w3.org/2001/XMLSchema#dateTime | True iff the first argument is greater than the second argument according to the "op:dateTime-greater-than" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
dateTime-greater-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#dateTime | True iff the first argument is greater than or equal to the second argument according to the "op:dateTime-greater-than" and "op:dateTime-equal" operators [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
dateTime-less-than | Two attribute values of http://www.w3.org/2001/XMLSchema#dateTime | True iff the first argument is less than the second argument according to the "op:dateTime-less-than" operator [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
dateTime-less-than-or-equal | Two attribute values of http://www.w3.org/2001/XMLSchema#dateTime | True iff the first argument is less than or equal to the second argument according to the "op:dateTime-lessr-than" and "op:dateTime-equal" operators [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
Name | Arguments | Result |
---|---|---|
or | One or more attribute values of http://www.w3.org/2001/XMLSchema#boolean | True iff one of the arguments is true. |
and | One or more attribute values of http://www.w3.org/2001/XMLSchema#boolean | True iff all the arguments are true. |
not | A single attribute value of http://www.w3.org/2001/XMLSchema#boolean | True iff the argument is false. |
Names | Arguments | Result |
---|---|---|
string-is-in | An attribute value of http://www.w3.org/2001/XMLSchema#string as the first argument, and a bag of attribute values of http://www.w3.org/2001/XMLSchema#string as the second argument | True iff the first argument is equal to one of the attribute values in the bag of the second argument (according to the "string-equal" predicate). |
boolean-is-in | An attribute value of http://www.w3.org/2001/XMLSchema#boolean as the first argument, and a bag of attribute values of http://www.w3.org/2001/XMLSchema#boolean as the second argument | True iff the first argument is equal to one of the attribute values in the bag of the second argument (according to the "boolean-equal" predicate). |
integer-is-in | An attribute value of http://www.w3.org/2001/XMLSchema#integer as the first argument, and a bag of attribute values of http://www.w3.org/2001/XMLSchema#integer as the second argument | True iff the first argument is equal to one of the attribute values in the bag of the second argument (according to the "integer-equal" predicate). |
double-is-in | An attribute value of http://www.w3.org/2001/XMLSchema#double as the first argument, and a bag of attribute values of http://www.w3.org/2001/XMLSchema#double as the second argument | True iff the first argument is equal to one of the attribute values in the bag of the second argument (according to the "double-equal" predicate). |
time-is-in | An attribute value of http://www.w3.org/2001/XMLSchema#time as the first argument, and a bag of attribute values of http://www.w3.org/2001/XMLSchema#time as the second argument | True iff the first argument is equal to one of the attribute values in the bag of the second argument (according to the "time-equal" predicate). |
date-is-in | An attribute value of http://www.w3.org/2001/XMLSchema#date as the first argument, and a bag of attribute values of http://www.w3.org/2001/XMLSchema#date as the second argument | True iff the first argument is equal to one of the attribute values in the bag of the second argument (according to the "date-equal" predicate). |
dateTime-is-in | An attribute value of http://www.w3.org/2001/XMLSchema#dateTime as the first argument, and a bag of attribute values of http://www.w3.org/2001/XMLSchema#dateTime as the second argument | True iff the first argument is equal to one of the attribute values in the bag of the second argument (according to the "dateTime-equal" predicate). |
string-at-least-one-value-equal | Two bags of attribute values of http://www.w3.org/2001/XMLSchema#string | True iff at least one attribute value in the bag of the first argument is equal to one of the attribute values in the bag of the second argument (according to the "string-equal" predicate). |
boolean-at-least-one-value-equal | Two bags of attribute values of http://www.w3.org/2001/XMLSchema#boolean | True iff at least one attribute value in the bag of the first argument is equal to one of the attribute values in the bag of the second argument (according to the "boolean-equal" predicate). |
integer-at-least-one-value-equal | Two bags of attribute values of http://www.w3.org/2001/XMLSchema#integer | True iff at least one attribute value in the bag of the first argument is equal to one of the attribute values in the bag of the second argument (according to the "integer-equal" predicate). |
double-at-least-one-value-equal | Two bags of attribute values of http://www.w3.org/2001/XMLSchema#double | True iff at least one attribute value in the bag of the first argument is equal to one of the attribute values in the bag of the second argument (according to the "double-equal" predicate). |
time-at-least-one-value-equal | Two bags of attribute values of http://www.w3.org/2001/XMLSchema#time | True iff at least one attribute value in the bag of the first argument is equal to one of the attribute values in the bag of the second argument (according to the "time-equal" predicate). |
date-at-least-one-value-equal | Two bags of attribute values of http://www.w3.org/2001/XMLSchema#date | True iff at least one attribute value in the bag of the first argument is equal to one of the attribute values in the bag of the second argument (according to the "date-equal" predicate). |
dateTime-at-least-one-value-equal | Two bags of attribute values of http://www.w3.org/2001/XMLSchema#dateTime | True iff at least one attribute value in the bag of the first argument is equal to one of the attribute values in the bag of the second argument (according to the "dateTime-equal" predicate). |
Name | Arguments | Result |
---|---|---|
regexp-string-match | Two attribute values of http://www.w3.org/2001/XMLSchema#string | This predicate evaluates a regular expression match. The first argument is a regular expression, and the second argument is a general string. True iff the two values are matched according to the "fn:matches" function [XQuery 1.0 and XPath 2.0 Functions and Operators]. |
The Platform for Privacy Preferences from the Worldwide Web Consortium (see P3P ) enables a web-site to describe what kind of data is collected and how this data will be used. A P3P policy may contain the purposes, the recipients, the retention period, and a textual explanation of why this data is needed. P3P defines standardized categories for each kind of information included in a policy. Unlike P3P, EPAL defines the privacy-practices that are implemented inside an enterprise. Since this depends on internal details of the enterprise, it results in much more detailed policies that can be enforced and audited automatically. However, the resulting privacy guarantees can sometimes be simplified as a P3P promise that is offered for the users of the services.
The Customer Profile Exchange Specification (CPExchange, see CPExchange) defines a data format for disclosing customer data from one party (customer/enterprise) to another. It defines basic and complex data types for many different kinds of personal data (e.g., fields for address, name, hobbies, ...). It enables the specification of privacy meta-information as an option. The privacy meta-information includes the exchange partners, the applicable jurisdiction, and a privacy declaration (based on P3P). Both data types are designed in UML and then translated into XML in a standardized way.
The main focus of CPExchange lies in standardizing the data exchange format. The privacy meta-information is less expressive than EPAL. Consequently, data disclosed using CPExchange may be controlled with EPAL policies instead of using their privacy meta-data.
<?xml version="1.0"?> <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% --> <!-- --> <!-- The Enterprise Privacy Authorization Language (EPAL) --> <!-- --> <!-- Authors: --> <!-- Paul Ashley <pashley at us.ibm.com> --> <!-- Satoshi Hada <satoshih at jp.ibm.com> --> <!-- Günter Karjoth <gka at zurich.ibm.com> --> <!-- Calvin Powers <cspowers at us.ibm.com> --> <!-- Matthias Schunter <mts at zurich.ibm.com> --> <!-- --> <!-- Abstract: This schema defines the structure of EPAL --> <!-- privacy policies. --> <!-- --> <!-- Version: 1.2 --> <!-- --> <!-- Copyright (c) 2000-2003 --> <!-- International Business Machines Corporation. --> <!-- --> <!-- Id: epal.xsd,v 1.49 2003/11/10 13:45:20 mts Exp --> <xs:schema xmlns:epal="http://www.research.ibm.com/privacy/epal" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.research.ibm.com/privacy/epal" xml:lang="en" elementFormDefault="qualified" attributeFormDefault="unqualified" version="b"> <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% --> <!-- --> <!-- DECLARATION OF REUSABLE TYPES --> <!-- --> <!-- Types needed often are declared here. --> <!-- Elements which have an identifier should be of this type --> <xs:complexType name="identifiedObjectType"> <xs:attribute name="id" use="required" type="xs:NCName"></xs:attribute> </xs:complexType> <!-- Elements which refer to an identifier should be of this type --> <xs:complexType name="referringObjectType"> <xs:attribute name="refid" use="required" type="xs:NCName"></xs:attribute> </xs:complexType> <!-- Identified Elements which have descriptions should be of this type --> <xs:complexType name="describedObjectType"> <xs:complexContent> <xs:extension base="epal:identifiedObjectType"> <xs:sequence> <xs:element name="short-description" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="language" use="optional" default="en" type="xs:language"></xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="long-description" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="language" use="optional" default="en" type="xs:language"></xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="property" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="id" use="required" type="xs:NCName"></xs:attribute> </xs:complexType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Elements which can participate in a hierarchy should have this type --> <xs:complexType name="hierarchicalType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:attribute name="parent" use="optional" type="xs:NCName"></xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Contact information --> <xs:complexType name="contactInfoType"> <xs:sequence> <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="organization" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="e-mail" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="address" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> <xs:element name="country" type="xs:string" minOccurs="1" maxOccurs="1"></xs:element> </xs:sequence> </xs:complexType> <!-- A Descriptor of an attribute --> <xs:complexType name="attributeDefinitionType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:attribute name="simpleType" use="required" type="epal:epalSimpleTypeURI"/> <xs:attribute name="minOccurs" type="xs:nonNegativeInteger" use="optional" default="1"/> <xs:attribute name="maxOccurs" use="optional" default="1"> <xs:simpleType> <xs:union memberTypes="xs:nonNegativeInteger"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="unbounded"/> </xs:restriction> </xs:simpleType> </xs:union> </xs:simpleType> </xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> <!-- A Descriptor of a container attribute --> <xs:complexType name="containerAttributeDefinitionType"> <xs:complexContent> <xs:extension base="epal:attributeDefinitionType"> <xs:attribute name="auditable" use="optional" type="xs:boolean" default="false"/> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Allowed EPAL data types --> <xs:simpleType name="epalSimpleTypeURI"> <xs:restriction base="xs:anyURI"> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#string"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#boolean"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#double"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#time"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#date"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#dateTime"/> <xs:enumeration value="http://www.w3.org/2001/XMLSchema#integer"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="epalSimpleType"> <!-- Four data types (dayTimeDuration, yearMonthDuration, x500Name, and rfc822Name) are ignored since there are no corresponding simple types.--> <xs:union memberTypes="xs:string xs:boolean xs:integer xs:double xs:time xs:date xs:dateTime xs:anyURI xs:hexBinary xs:base64Binary"/> </xs:simpleType> <!-- Information on a policy or a vocabulary --> <xs:complexType name="infoType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence> <xs:element name="issuer" minOccurs="0" maxOccurs="1" type="epal:contactInfoType"></xs:element> <xs:element name="location" minOccurs="0" maxOccurs="1" type="xs:anyURI"></xs:element> <xs:element name="version-info" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:attribute name="test" type="xs:boolean" default="false" use="optional"></xs:attribute> <xs:attribute name="start-date" type="xs:dateTime" use="required"></xs:attribute> <xs:attribute name="revision-number" type="xs:string" use="required"></xs:attribute> <xs:attribute name="last-modified" type="xs:dateTime" use="required"></xs:attribute> <xs:attribute name="end-date" type="xs:dateTime" use="optional"></xs:attribute> <xs:attribute name="superseded-by-id" type="xs:NCName" use="optional"></xs:attribute> <xs:attribute name="superseded-by-revision" type="xs:string" use="optional"></xs:attribute> </xs:complexType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Importing policies and vocabularies --> <xs:complexType name="importStatementType"> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:attribute name="location" use="required" type="xs:anyURI"></xs:attribute> <xs:attribute name="revision-number" use="optional" type="xs:string"></xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Elements for EPAL functions and predicates --> <xs:complexType name="functionType"> <xs:sequence> <xs:choice minOccurs="1" maxOccurs="unbounded"> <xs:element name="attribute-value" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:simpleContent> <xs:extension base="epal:epalSimpleType"> <xs:attribute name="simpleType" use="required" type="epal:epalSimpleTypeURI"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="attribute-bag" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="simpleType" use="required" type="epal:epalSimpleTypeURI"/> </xs:complexType> </xs:element> <xs:element name="attribute-reference" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:attribute name="container-refid" use="required" type="xs:NCName"/> <xs:attribute name="attribute-refid" use="required" type="xs:NCName"/> </xs:complexType> </xs:element> <xs:element name="condition-reference" minOccurs="1" maxOccurs="1"> <xs:complexType> <xs:attribute name="refid" use="required" type="xs:NCName"/> </xs:complexType> </xs:element> <xs:element name="predicate" type="epal:functionType" minOccurs="1" maxOccurs="1"/> <xs:element name="function" type="epal:functionType" minOccurs="1" maxOccurs="1"/> </xs:choice> </xs:sequence> <xs:attribute name="refid" type="xs:anyURI" use="required"/> </xs:complexType> <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% --> <!-- --> <!-- DECLARATION OF THE <epal-vocabulary> TOPLEVEL ELEMENT --> <!-- --> <xs:element name="epal-vocabulary"> <xs:complexType> <xs:sequence> <xs:element name="vocabulary-information" minOccurs="1" maxOccurs="1" type="epal:infoType"></xs:element> <xs:element name="user-category" minOccurs="0" maxOccurs="unbounded" type="epal:hierarchicalType"></xs:element> <xs:element name="data-category" minOccurs="0" maxOccurs="unbounded" type="epal:hierarchicalType"></xs:element> <xs:element name="purpose" type="epal:hierarchicalType" minOccurs="0" maxOccurs="unbounded"></xs:element> <xs:element name="action" type="epal:describedObjectType" minOccurs="0" maxOccurs="unbounded"></xs:element> <xs:element name="container" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence minOccurs="1" maxOccurs="1"> <xs:element name="attribute" type="epal:containerAttributeDefinitionType" minOccurs="1" maxOccurs="unbounded"></xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Declared attribute id's must be unique within each container --> <xs:unique name="uniqueAttributeDef"> <xs:selector xpath="./epal:attribute"/> <xs:field xpath="@id"/> </xs:unique> </xs:element> <xs:element name="obligation" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence minOccurs="1" maxOccurs="unbounded"> <xs:element name="parameter" type="epal:attributeDefinitionType" minOccurs="0" maxOccurs="unbounded"></xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Declared parameter id's must be unique within each obligation --> <xs:unique name="uniqueParamDef"> <xs:selector xpath="./epal:parameter"/> <xs:field xpath="@id"/> </xs:unique> </xs:element> </xs:sequence> <xs:attribute name="version" type="xs:string" default="1.2"/> </xs:complexType> <!-- Key and References for user-category/@id --> <xs:key name="user-category-identifier"> <xs:selector xpath="./epal:user-category"></xs:selector> <xs:field xpath="@id"></xs:field> </xs:key> <xs:keyref name="user-category-reference" refer="epal:user-category-identifier"> <xs:selector xpath="./epal:user-category"></xs:selector> <xs:field xpath="@parent"></xs:field> </xs:keyref> <!-- Key and References for data-category/@id --> <xs:key name="data-category-identifier"> <xs:selector xpath="./epal:data-category"></xs:selector> <xs:field xpath="@id"></xs:field> </xs:key> <xs:keyref name="data-category-reference" refer="epal:data-category-identifier"> <xs:selector xpath="./epal:data-category"></xs:selector> <xs:field xpath="@parent"></xs:field> </xs:keyref> <!-- Key and References for purpose/@id --> <xs:key name="purpose-identifier"> <xs:selector xpath="./epal:purpose"></xs:selector> <xs:field xpath="@id"></xs:field> </xs:key> <xs:keyref name="purpose-reference" refer="epal:purpose-identifier"> <xs:selector xpath="./epal:purpose"></xs:selector> <xs:field xpath="@parent"></xs:field> </xs:keyref> <!-- Declared action id's must be unique --> <xs:unique name="action-identifier"> <xs:selector xpath="./epal:action"></xs:selector> <xs:field xpath="@id"></xs:field> </xs:unique> <!-- Declared container id's must be unique --> <xs:unique name="container-identifier"> <xs:selector xpath="./epal:container"></xs:selector> <xs:field xpath="@id"></xs:field> </xs:unique> <!-- Declared obligation id's must be unique --> <xs:unique name="obligation-identifier"> <xs:selector xpath="./epal:obligation"></xs:selector> <xs:field xpath="@id"></xs:field> </xs:unique> </xs:element> <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% --> <!-- --> <!-- DECLARATION OF THE <epal-policy> TOPLEVEL ELEMENT --> <!-- --> <xs:element name="epal-policy"> <xs:complexType> <xs:sequence> <xs:element name="policy-information" minOccurs="1" maxOccurs="1" type="epal:infoType"></xs:element> <xs:element name="epal-vocabulary-ref" minOccurs="1" maxOccurs="1" type="epal:importStatementType"/> <xs:element name="condition" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence> <xs:element name="predicate" minOccurs="1" maxOccurs="1" type="epal:functionType"/> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> </xs:element> <xs:element name="rule" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:describedObjectType"> <xs:sequence> <xs:element name="user-category" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <xs:element name="data-category" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <xs:element name="purpose" type="epal:referringObjectType" minOccurs="0" maxOccurs="unbounded"></xs:element> <xs:element name="action" type="epal:referringObjectType" minOccurs="1" maxOccurs="unbounded"></xs:element> <xs:element name="condition" type="epal:referringObjectType" minOccurs="0" maxOccurs="unbounded"></xs:element> <xs:element name="obligation" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:complexContent> <xs:extension base="epal:referringObjectType"> <xs:sequence minOccurs="0" maxOccurs="1"> <xs:element name="parameter" minOccurs="0" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <xs:element name="value" type="epal:epalSimpleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="refid" use="required" type="xs:NCName"></xs:attribute> </xs:complexType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Parameter refid's must be unique within each obligation --> <xs:unique name="uniqueParameter"> <xs:selector xpath="./epal:parameter"/> <xs:field xpath="@refid"/> </xs:unique> </xs:element> </xs:sequence> <xs:attribute name="ruling"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="allow"/> <xs:enumeration value="deny"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:complexContent> </xs:complexType> </xs:element> </xs:sequence> <xs:attribute name="version" type="xs:string" default="1.2"/> <xs:attribute name="global-condition" type="xs:NCName" use="optional"/> <xs:attribute name="default-ruling" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="allow"/> <xs:enumeration value="deny"/> <xs:enumeration value="not-applicable"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> <!-- Key and References for condition/@id --> <xs:key name="condition-identifier"> <xs:selector xpath="./epal:condition"></xs:selector> <xs:field xpath="@id"></xs:field> </xs:key> <xs:keyref name="condition-reference" refer="epal:condition-identifier"> <xs:selector xpath="./epal:rule/epal:condition"></xs:selector> <xs:field xpath="@refid"></xs:field> </xs:keyref> <xs:keyref name="global-condition-reference" refer="epal:condition-identifier"> <xs:selector xpath="."></xs:selector> <xs:field xpath="@global-condition"></xs:field> </xs:keyref> <!-- Rule id's must be unique within a policy --> <xs:unique name="uniqueRuleId"> <xs:selector xpath="./epal:rule"/> <xs:field xpath="@id"/> </xs:unique> </xs:element> </xs:schema> |