I. Abstract
The Geospatial eXtensible Access Control Markup Language (GeoXACML) 3.0 defines a geospatial extension to the OASIS eXtensible Access Control Markup Language (XACML) Version 3.0 Standard. GeoXACML 3.0 supports the interoperable definition of access rights including geographic conditions based on the XACML 3.0 language, processing model and policy schema. GeoXACML 3.0 provides improvements based on enhancements to the XACML Standard, primarily the support of access conditions spanning different XACML categories. This enhancement empowers GeoXACML 3.0 to be a powerful decision engine with support for spatiotemporal access conditions.
As a result of the XACML 3.0 deployment model and corresponding implementation flexibility, GeoXACML 3.0 can be operated as a traditional Policy Decision Point or as a cloud-native API gateway.
The OGC GeoXACML 3.0 Standard defines different conformance classes that support flexible implementation conformance. Implementation of the Core conformance class supports the ISO 19125 geometry model including topological test (spatial relations) functions, which enable the indexing of access conditions based on geometry. The Spatial Analysis conformance class extends the topological test functions for defining access conditions including the processing of geometries. To support condition evaluation for geometries encoded in different Coordinate Reference Systems (CRS), the CRS Transformation conformance class enables a compliant implementation to undertake dynamic CRS transformation during decision-making unless prohibited per request. Finally, the API conformance class enables operating a GeoXACML 3.0 compliant implementation as an OGC API conformant service (Policy Decision Point).
II. Keywords
The following are keywords to be used by search engines and document catalogues.
ogcdoc, OGC document, GeoXACML, XACML
III. Security Considerations
As GeoXACML 3.0 defines an extension to XACML 3.0, all security considerations outlined in XACML Version 3.0 section 9 apply.
In addition, the GeoXACML 3.0 aspects outlined in Clause 6.2 should be considered.
IV. Submitting Organizations
The following organizations submitted this Document to the Open Geospatial Consortium (OGC):
- Secure Dimensions GmbH
- Natural Resources Canada (NRCAN)
- Defense Information Systems Agency (DISA)
V. Acknowledgements
Thanks to the members of the GeoXACML Standards Working Group of the OGC as well as all contributors, in particular Greg Buehler of OGC and Michael Leedahl of Maxar.
OGC Geospatial eXtensible Access Control Markup Language (GeoXACML) 3.0
1. Scope
NOTE: The Geospatial eXtensible Access Control Markup Language (GeoXACML) 3.0 Core Standard defines a geospatial extension to the OASIS eXtensible Access Control Markup Language (XACML) Version 3.0.
This Standard further defines requirements, conformance classes and abstract tests for implementing a geospatially-enriched Policy Decision Point (GeoPDP) as defined by the OASIS eXtensible Access Control Markup Language (XACML) Version 3.0.
2. Conformance
All requirements-classes and conformance-classes described in this document are owned by the Standard identified.
2.1. Introduction (informative)
GeoXACML 3.0 is defined as an extension to the XACML Version 3.0 Standard. Therefore a GeoXACML 3.0 Core implementation must be fully compliant with the XACML 3.0 specification, including the XACML Version 3.0 Errata 01. All data types and functions marked mandatory must be supported.
GeoXACML 3.0 introduces the data type urn:ogc:def:geoxacml:3.0:data-type:geometry. This type is compliant with the OGC Simple Features geometry model with the restriction that a Geometry Collection must be homogeneous. As such, GeoXACML 3.0 Core supports the use of geometry based on Well-Known-Text and Well-Known-Binary encoding as defined in OGC Simple Features.
The default GeoXACML 3.0 Coordinate Reference System (CRS) is compliant with The GeoJSON Format using the value urn:ogc:def:crs:OGC::CRS84 with the axis order longitude / latitude. The encoding of geometry values in another CRS can be done by using the GeoXACML specific attribute srid in conjunction with the AttributeValue XML element. The srid is the integer uniquely identifying the CRS.
In order for GeoXACML 3.0 Core to support spatial indexing of policies by target matching, the set of XACML 3.0 condition functions is extended by topology predicates as defined in OGC Simple Features, section 6.1.2.3.
The GeoXACML 3.0 Standard defines explicit error status codes to indicate processing termination caused by geometry (‘geometry-error’) and CRS (‘crs-error’) related errors. Processing a heterogeneous geometry collection will result in ‘geometry-collection-error’.
The processing of geometry accuracy is supported via the GeoXACML specific attribute precision to be used with the AttributeValue XML element. The default precision of ‘infinite’ can be reduced to the number of decimal places: precision=4 would indicate a geometry precision of four (4) decimal places. The use of precision is optional but can be used in the Authorization Decision Request to express a minimum level of accuracy when deriving the authorization decision. Requesting a higher precision than supported by the implementation or by the geometries in the policy or involved in the decision-making results in the processing being terminated with Indeterminate and value ‘precision-error’.
GeoXACML 3.0 Core leverages the extension points as identified in the XACML Version 3.0 Standard. Therefore, a GeoXACML 3.0 policy instance document is compliant to the XACML 3.0 Schema defined in the XACML Version 3.0 XML Schema. In addition, a GeoXACML 3.0 Authorization Decision Request and Authorization Response encoded in XML is compliant with the XACML 3.0 schema defined in the XACML Version 3.0 XML Schema.
2.2. GeoXACML 3.0 Conformance Classes
The OGC GeoXACML 3.0 Standard defines one mandatory and three optional conformance classes.
Conformance to this Standard can be evaluated by using all the relevant tests specified in Annex A (normative) of this document. The framework, concepts, and methodology for testing, and the criteria to be achieved to claim conformance are specified in the OGC Compliance Testing Policies and Procedures and the OGC Compliance Testing web site.
In order to conform to this OGC® Standard, a software implementation SHALL implement the mandatory conformance class specified in Annex A (normative).
Core (mandatory): Defines the data type Geometry, requirements for using the WKT and WKB geometry encoding, and a set of “simple” geometric functions based on OGC Simple Features Standard to support indexing of access conditions based on topology.
In addition to the Core conformance class, an implementation can further choose to be compliant with any combination of the following conformance classes.
Spatial Analysis (optional): Defines an additional set of “spatial analysis” functions based on the OGC Simple Features Standard.
CRS Transformation (optional): Enables an implementation to apply an ad-hoc CRS transformation while deriving an authorization decision.
API (optional): Supports OGC API compliance. An implementation provides an OGC API - Common - Part 1: Core compliant landing page, conformance class listing and OpenAPI document, and supports requesting an Authorization Decision via an HTTP POST request.
2.2.1. Conformance Model Illustration
The following UML diagram illustrates the GeoXACML 3 conformance classes and their dependencies.
Figure 1 — Conformance Class Model
2.2.2. Conformance Class Core
The Core Conformance Class is defined as follows:
2.2.3. Conformance Class Spatial Analysis
The Spatial Analysis Conformance Class is defined as follows:
Conformance class 2: Spatial Analysis | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/spatial-analysis |
Requirements class | Requirements class 7: http://www.opengis.net/spec/geoxacml/3.0/req-class/analysis |
Target Type | Implementation |
Conformance test | Conformance test A.20: http://www.opengis.net/spec/geoxacml/3.0/conf/core/advanced-functions |
2.2.4. Conformance Class CRS Transformation
The CRS Transformation Conformance Class is defined as follows:
Conformance class 3: CRS Transformation | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/crs-transformation |
Requirements class | Requirements class 8: http://www.opengis.net/spec/geoxacml/3.0/req-class/crs-transformation |
Target Type | Implementation |
Conformance tests | Conformance test A.21: http://www.opengis.net/spec/geoxacml/3.0/conf/crs-transformation/crs-transformation; Conformance test A.22: http://www.opengis.net/spec/geoxacml/3.0/conf/crs-transformation/allow-transformation-1; Conformance test A.23: http://www.opengis.net/spec/geoxacml/3.0/conf/crs-transformation/allow-transformation-2; Conformance test A.24: http://www.opengis.net/spec/geoxacml/3.0/conf/crs-transformation/allow-transformation-3 |
2.2.5. Conformance Class OGC API
The OGC API Conformance Class is defined as follows:
Conformance class 4: OGC API | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api |
Requirements class | Requirements class 9: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api |
Target Type | Implementation |
Conformance tests | Conformance test A.25: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/landing-page; Conformance test A.26: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/openapi-page; Conformance test A.27: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/conformance-page; Conformance test A.28: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/decision-endpoint |
3. Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
OGC Geographic information — Simple features access — Part 1: Common architecture, ISO, 2004, https://portal.opengeospatial.org/files/?artifact_id=25355
eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS, 2017, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
eXtensible Access Control Markup Language (XACML) Version 3.0 Errata 01, OASIS, 2017, http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os.html
OASIS eXtensible Access Control Markup Language (XACML) Version 3.0 XML Schema, OASIS, 2013, http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd
The GeoJSON Format, IETF, 2016, https://www.rfc-editor.org/rfc/rfc7946
4. Terms, definitions, and abbreviated terms
4.1. Terms and definitions
4.1.1. GeoPDP
A Geospatial Policy Decision Point (PDP) is an implementation of GeoXACML 3.0 conformance class API. A PDP provides the capabilities to process the data-type Geometry and the functions defined in this OGC Standard. Because a GeoXACML compliant implementation must implement all XACML 3.0 mandatory capabilities, a GeoPDP is always capable of processing “pure” XACML 3.0 policies: Authorization Decision Request (ADR) and Authorization Decision (AD).
4.1.2. Homogeneous Geometry Collection
All geometries of a homogeneous geometry collection must have the same type.
4.1.3. XACML definitions
The following definitions, as defined in the XACML Version 3.0 Standard, are listed here for ease of reading.
4.1.3.2. Bag
An unordered collection of values, in which there may be duplicate values.
4.1.3.3. Decision
The result of evaluating a rule, policy or policy set.
4.1.3.5. Policy
A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations.
4.1.3.6. Policy decision point (PDP)
The system entity that evaluates applicable policy and renders an authorization decision. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [RFC3198]. This term corresponds to “Access Decision Function” (ADF) in [ISO10181-3].
4.1.3.7. Policy enforcement point (PEP)
The system entity that performs access control, by making decision requests and enforcing authorization decisions. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [RFC3198]. This term corresponds to “Access Enforcement Function” (AEF) in [ISO10181-3].
4.1.3.8. Policy information point (PIP)
The system entity that acts as a source of attribute values.
4.1.3.9. Rule
A target, an effect and a condition.
4.2. Abbreviated terms
AD: Authorization Decision
ADR: Authorization Decision Request
GeoPDP: A GeoXACML implementation of a PDP
GML: Geography Markup Language
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
5. Conventions
This Clause provides details and examples for any conventions used in this Standard. Examples of conventions are symbols, abbreviations, use of XML schema, or special notes regarding how to read the document.
5.1. Identifiers
The normative provisions in this Standard are denoted by the URI
http://www.opengis.net/spec/geoxacml/3.0
All requirements and conformance tests that appear in this document are denoted by partial URIs which are relative to this base.
6. GeoXACML 3.0 Introduction (informative)
This Clause introduces GeoXACML 3.0 concepts and how the extension points from XACML 3.0 are used to enable the declaration and enforcement of access conditions involving geographic conditions.
6.1. Defining an extension to XACML 3.0
The XACML 3.0 specification defines the extensibility points in (XACML Version 3.0, section 8). The DataType, FunctionId, AttributeId, and StatusCode are extended by GeoXACML 3.0.
NOTE: Please see the XACML 3.0 schema definitions in http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd for details.
6.1.1. Defining a new Data-Type
Section 8.1 of the XACML 3.0 specification states that “The following XML attributes have values that are URIs. These may be extended by the creation of new URIs associated with new semantics for these attributes. … Category, AttributeId, DataType, FunctionId, MatchId, ObligationId, AdviceId, PolicyCombiningAlgId, RuleCombiningAlgId, StatusCode, SubjectCategory.”
This capability allows the definition of the Geometry datatype. The XACML compliant URN as defined in this OGC Standard is urn:ogc:def:geoxacml:3.0:data-type:geometry.
6.1.2. Encoding of Data-Type Geometry
Section 8.2 of the XACML specification states that “<xacml:AttributeValue> and <xacml-context:AttributeValue> elements MAY contain an instance of a structured XML data-type”.
This provides two options for encoding a geometry:
- As a string value of the <AttributeValue> element: GeoXACML 3.0 Core defines Well Known Text or Well Known Binary as the mandatory encoding for the string value.
- As XML: GeoXACML 3.0 Core defines an extension point such that an Encoding Extension can define different XML encodings.
<xs:element name="AttributeValue" type="xacml:AttributeValueType" substitutionGroup="xacml:Expression"/>
<xs:complexType name="AttributeValueType" mixed="true">
  <xs:complexContent mixed="true">
    <xs:extension base="xacml:ExpressionType">
      <xs:sequence>
        <xs:any namespace="##any" processContents="lax" minOccurs="0"
                maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="DataType" type="xs:anyURI" use="required"/>
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Figure 2 — XACML schema definition of the <AttributeValue> element
Note: GeoXACML 3 Core does not support GML based geometry encoding.
<xacml3:AttributeValue
    DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
    >POINT(-77.035278 38.889444)</xacml3:AttributeValue>
Figure 3 — Geometry encoding example based on WKT and default CRS
<xacml3:AttributeValue xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
    DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
    geoxacml:srid="4326"
    >POINT(38.889444 -77.035278)</xacml3:AttributeValue>
Figure 4 — Geometry encoding example based on WKT and explicit CRS definition
<xacml3:AttributeValue
    DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
    >01010000002c11a8fe414253c0cccf0d4dd9714340</xacml3:AttributeValue>
Figure 5 — Geometry encoding example based on WKB and default CRS
<xacml3:AttributeValue xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
    DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
    geoxacml:srid="4326"
    >0101000000cccf0d4dd97143402c11a8fe414253c0</xacml3:AttributeValue>
Figure 6 — Geometry encoding example based on WKB and explicit CRS definition
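Figures 3 to 6 encode the same location four ways, and a decoder that ignores the srid attribute silently evaluates a different point. The following added example (not part of the Standard or of any GeoXACML implementation) decodes each encoding and normalises the axis order; the function names are hypothetical, only Point geometries are handled, SRID 4326 is assumed to be latitude/longitude as in Figure 4, and an xmlns:xacml3 declaration is added to the figures' snippets so they parse stand-alone.

```python
import struct
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser

# Namespace and data-type identifiers as given on this page.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
GEOXACML_NS = "http://www.opengis.net/geoxacml/3.0"
GEOMETRY_TYPE = "urn:ogc:def:geoxacml:3.0:data-type:geometry"


def parse_wkt_point(text):
    """Return the two ordinates of a WKT POINT in the order they are written."""
    body = text.strip()
    if not body.upper().startswith("POINT") or not body.endswith(")"):
        raise ValueError("not a WKT POINT: %r" % text)
    parts = body[body.index("(") + 1:-1].split()
    if len(parts) != 2:
        raise ValueError("expected two ordinates: %r" % text)
    return float(parts[0]), float(parts[1])


def parse_wkb_point(hex_text):
    """Return the two ordinates of a hex-encoded 2D WKB Point."""
    raw = bytes.fromhex(hex_text.strip())
    if len(raw) != 21 or raw[0] not in (0, 1):
        raise ValueError("not a 2D WKB Point")
    order = "<" if raw[0] == 1 else ">"  # byte 0: 1 = little endian, 0 = big endian
    (geometry_type,) = struct.unpack(order + "I", raw[1:5])
    if geometry_type != 1:  # 1 = Point in Simple Features WKB
        raise ValueError("unsupported WKB geometry type %d" % geometry_type)
    return struct.unpack(order + "dd", raw[5:21])


def decode_point(attribute_value_xml):
    """Decode one <AttributeValue> and return srid plus lon/lat in a fixed order."""
    elem = ET.fromstring(attribute_value_xml)
    if elem.tag != "{%s}AttributeValue" % XACML_NS:
        raise ValueError("not an XACML AttributeValue")
    if elem.get("DataType") != GEOMETRY_TYPE:
        raise ValueError("not a GeoXACML geometry")
    text = (elem.text or "").strip()
    parser = parse_wkt_point if text[:5].upper() == "POINT" else parse_wkb_point
    first, second = parser(text)
    srid = elem.get("{%s}srid" % GEOXACML_NS)
    if srid is None:
        lon, lat = first, second      # default CRS84: longitude / latitude
    elif int(srid) == 4326:
        lat, lon = first, second      # assumption: latitude / longitude (Figure 4)
    else:
        raise ValueError("axis order for SRID %s not known to this example" % srid)
    if not (-180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0):
        raise ValueError("ordinates out of range, check srid and axis order")
    return {"srid": None if srid is None else int(srid), "lon": lon, "lat": lat}


def _wrap(attrs, text):
    """Build a stand-alone AttributeValue document from a figure's content."""
    return ('<xacml3:AttributeValue xmlns:xacml3="%s" xmlns:geoxacml="%s" '
            'DataType="%s"%s>%s</xacml3:AttributeValue>'
            % (XACML_NS, GEOXACML_NS, GEOMETRY_TYPE, attrs, text))


# Values copied from Figures 3 to 6; only the namespace declarations are added.
FIGURES = {
    "Figure 3": _wrap("", "POINT(-77.035278 38.889444)"),
    "Figure 4": _wrap(' geoxacml:srid="4326"', "POINT(38.889444 -77.035278)"),
    "Figure 5": _wrap("", "01010000002c11a8fe414253c0cccf0d4dd9714340"),
    "Figure 6": _wrap(' geoxacml:srid="4326"',
                      "0101000000cccf0d4dd97143402c11a8fe414253c0"),
}

# Constructed negative case: Figure 4's ordinates with the srid attribute dropped.
# Both ordinates are in range, so no error is raised and the point lands elsewhere.
MISLABELLED = _wrap("", "POINT(38.889444 -77.035278)")

if __name__ == "__main__":
    for name, xml_text in FIGURES.items():
        print(name, decode_point(xml_text))
    print("srid dropped:", decode_point(MISLABELLED))
```

The mislabelled case decodes without error to latitude -77.035278, which is why a PEP or PIP that builds geometry attributes has to set srid whenever it does not use the default longitude / latitude order.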
6.1.3. Defining a new Function
A <Function> element has an attribute named FunctionId, which is of type xs:anyURI. According to the XACML extension capabilities, additional functions can be defined by associating a unique FunctionId.
As specified in GeoXACML, this capability allows the definition of geo-specific functions.
<xs:element name="Function" type="xacml:FunctionType"/>
<xs:complexType name="FunctionType">
<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
</xs:complexType>
Figure 7 — XACML schema definition of the <Function> element
<xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-equals">
  <xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-one-and-only">
    <xacml3:AttributeDesignator AttributeId="resource-location"
        DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        MustBePresent="false"/>
  </xacml3:Apply>
  <xacml3:AttributeValue xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
      DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry" geoxacml:srid="4326"
      >POINT(38.889444 -77.035278)</xacml3:AttributeValue>
</xacml3:Apply>
Figure 8 — Using GeoXACML functions example in XACML Apply
6.1.4. Functions that help indexing of policies based on geometry
A policy writer using GeoXACML 3.0 may structure access conditions based on topological relations such as “if subject-location is within the Polygon(…)” or “if device-location is within-distance to the requested resource”. Such a condition would, for example, fetch the subject-location or device-location from an ADR, the Polygon from the policy and the resource geometry from the resource itself (see XACML 3.0 Policy Information Point (PIP) for more information).
The geographic indexing of PolicySet, Policy or Rule matching takes place inside the Target element. A Match element may use any function identified via MatchId whose signature has two parameters and whose result is of type boolean, as can be seen from the XML schema definition below.
<xs:element name="Match" type="xacml:MatchType"/>
<xs:complexType name="MatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeValue"/>
    <xs:choice>
      <xs:element ref="xacml:AttributeDesignator"/>
      <xs:element ref="xacml:AttributeSelector"/>
    </xs:choice>
  </xs:sequence>
  <xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
</xs:complexType>
Figure 9 — XACML schema definition of the <Match> element
The order of the child elements in the Match element influences the way GeoXACML 3.0 defines matching functions such as is-within-distance, ensure-precision, srid-equals, etc. Those functions must have the geometry as the second parameter and the function specific parameter as the first parameter.
The following example illustrates the use of the srid-equals function to make a Rule match only CRS84 (the SRID parameter is first).
<xacml3:Match MatchId="urn:ogc:def:function:geoxacml:3.0:geometry-srid-equals">
  <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4326</xacml3:AttributeValue>
  <xacml3:AttributeDesignator
      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      AttributeId="subject-location" DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
      MustBePresent="true" />
</xacml3:Match>
Figure 10 — Example of <Match> element for CRS84 geometries
The example Match above determines the CRS from the request attribute subject-location and compares it with the literal 4326 (the SRID for representing CRS84).
6.1.5. Defining a new StatusCode
A <StatusCode> element has an attribute named Value, which is of type xs:anyURI. According to the XACML extension capabilities, additional identifiers can be defined by associating a unique StatusId.
<xs:element name="StatusCode" type="xacml:StatusCodeType"/>
<xs:complexType name="StatusCodeType">
  <xs:sequence>
    <xs:element ref="xacml:StatusCode" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="Value" type="xs:anyURI" use="required"/>
</xs:complexType>
Figure 11 — XACML schema definition of the <StatusCode> element
<xacml3:Response xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd">
  <xacml3:Result>
    <xacml3:Decision>Indeterminate</xacml3:Decision>
    <xacml3:Status>
      <xacml3:StatusCode Value="urn:ogc:def:function:geoxacml:3.0:geometry-error"/>
    </xacml3:Status>
  </xacml3:Result>
</xacml3:Response>
Figure 12 — XACML schema compliant Response with GeoXACML <StatusCode>
<xacml3:Response xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd">
  <xacml3:Result>
    <xacml3:Decision>Indeterminate</xacml3:Decision>
    <xacml3:Status>
      <xacml3:StatusCode Value="urn:ogc:def:function:geoxacml:3.0:geometry-error"/>
      <xacml3:StatusMessage>Geometry must be encoded using specified SRID</xacml3:StatusMessage>
      <xacml3:StatusDetail>
        <xacml3:MissingAttributeDetail
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="subject-location"
            DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry">
          <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
              xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
              geoxacml:srid="3857"/>
        </xacml3:MissingAttributeDetail>
      </xacml3:StatusDetail>
    </xacml3:Status>
  </xacml3:Result>
</xacml3:Response>
Figure 13 — XACML schema compliant Response with GeoXACML <StatusCode> and <MissingAttributeDetail>
The <MissingAttributeDetail> indicates that the ADR should be repeated using the EPSG:3857 CRS for encoding the AttributeValue with AttributeId=subject-location and CategoryId=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject. The reason for such a response could be that the implementation does not support CRS transformation and that the condition geometry in the GeoXACML 3.0 Policy/Rule is encoded in CRS EPSG:3857.
6.2. GeoXACML 3.0 Security and Privacy Considerations
In addition to the XACML 3.0 security and privacy considerations, GeoXACML 3.0 introduces geometry specific aspects.
6.2.1. User Privacy
Any deployment whose policies derive authorization decisions based on user location, and which therefore requires that such information be submitted, must evaluate conditions such as GDPR compliance or, if applicable, more restrictive regulations. This is particularly true when the request context must contain additional Personal Information (e.g., name) or Personal Identifiable Information (e.g., IP address).
6.2.2. Geometry Precision
When deriving authorization decisions based on geographic conditions, the precision of the coordinate values must be considered. Simply assuming a certain precision may result in false decisions.
To prevent false decision-making caused by precision, the GeoXACML 3.0 Standard defines geometry precision which can be used in a request (ADR) to express the minimum precision for all geometries involved in the decision-making. A GeoXACML 3.0 compliant implementation must terminate processing when the minimum requested precision cannot be achieved.
When crafting GeoXACML 3.0 policies (PolicySet, Policy, and Rule), it is recommended to always make the geometry precision explicit and to match the actual precision of the coordinates.
<xacml3:AttributeValue xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
    DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
    geoxacml:srid="4326"
    >POINT(38.88 -77.03)</xacml3:AttributeValue>
Figure 14 — Example where default precision (default is infinite) is higher than the actual precision
<xacml3:AttributeValue xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
    DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
    geoxacml:srid="4326"
    geoxacml:precision="6"
    >POINT(38.889444 -77.035278)</xacml3:AttributeValue>
Figure 15 — Example where expressed precision meets the precision of the coordinate value
A policy writer can use the ensure-precision function to index policies (PolicySet, Policy, and Rule) as illustrated in the following Rule snippet.
<xacml3:Rule RuleId="precision4" Effect="Permit">
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:ogc:def:function:geoxacml:3.0:geometry-ensure-precision">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</xacml3:AttributeValue>
          <xacml3:AttributeDesignator
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="subject-location" DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
              MustBePresent="true" />
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Condition>
    <xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-equals">
      <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
          xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
          geoxacml:srid="4326"
          >POINT(38.8894 -77.0352)</xacml3:AttributeValue>
      <xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-one-and-only">
        <xacml3:AttributeDesignator
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="subject-location" DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
            MustBePresent="true" />
      </xacml3:Apply>
    </xacml3:Apply>
  </xacml3:Condition>
</xacml3:Rule>
Figure 16 — Example Rule testing request AttributeValue for minimum precision
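The recommendation in this clause, to declare the precision explicitly and match it to the coordinates, can be checked mechanically before a policy is deployed. The following is an added example, not part of the Standard or of any GeoXACML implementation: a linter run over a constructed policy, with hypothetical function names, which assumes WKT-encoded geometries and takes a geometry's actual precision to be the smallest number of decimal places among its ordinates.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser

# Identifiers as given on this page.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
GEOXACML_NS = "http://www.opengis.net/geoxacml/3.0"
GEOMETRY_TYPE = "urn:ogc:def:geoxacml:3.0:data-type:geometry"
PRECISION_ERROR = "urn:ogc:def:status:geoxacml:3.0:precision-error"  # Requirement 16

# Plain decimal ordinates only; exponent notation is not handled by this example.
ORDINATE = re.compile(r"-?\d+(?:\.(\d+))?")


def actual_decimals(wkt):
    """Smallest number of decimal places among the ordinates (an assumption)."""
    places = [len(m.group(1) or "") for m in ORDINATE.finditer(wkt)]
    if not places:
        raise ValueError("no ordinates found in %r" % wkt)
    return min(places)


def lint_policy(policy_xml):
    """Return (wkt, declared, actual, status) for every geometry literal.

    status is 'missing' (no precision attribute, so the default is infinite),
    'overstated' (declared finer than the ordinates), 'reduced' (declared
    coarser than the ordinates) or 'ok' (declared equals actual).
    """
    findings = []
    root = ET.fromstring(policy_xml)
    for value in root.iter("{%s}AttributeValue" % XACML_NS):
        if value.get("DataType") != GEOMETRY_TYPE:
            continue  # e.g. the integer argument of an ensure-precision Match
        wkt = (value.text or "").strip()
        actual = actual_decimals(wkt)
        raw = value.get("{%s}precision" % GEOXACML_NS)
        declared = None if raw is None else int(raw)
        if declared is None:
            status = "missing"
        elif declared > actual:
            status = "overstated"
        elif declared < actual:
            status = "reduced"
        else:
            status = "ok"
        findings.append((wkt, declared, actual, status))
    return findings


def precision_status(requested_minimum, policy_xml):
    """Return PRECISION_ERROR if any policy geometry cannot meet the minimum
    precision asked for in the request, otherwise None."""
    for _wkt, declared, actual, _status in lint_policy(policy_xml):
        usable = actual if declared is None else min(declared, actual)
        if requested_minimum > usable:
            return PRECISION_ERROR
    return None


# Constructed policy: the geometry literals reuse the values of Figures 14 to 16.
SAMPLE_POLICY = """
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
    PolicyId="constructed-sample" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <xacml3:Target/>
  <xacml3:Rule RuleId="implicit" Effect="Permit">
    <xacml3:Condition>
      <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
          geoxacml:srid="4326">POINT(38.88 -77.03)</xacml3:AttributeValue>
    </xacml3:Condition>
  </xacml3:Rule>
  <xacml3:Rule RuleId="explicit" Effect="Permit">
    <xacml3:Condition>
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</xacml3:AttributeValue>
      <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
          geoxacml:srid="4326" geoxacml:precision="6"
          >POINT(38.889444 -77.035278)</xacml3:AttributeValue>
    </xacml3:Condition>
  </xacml3:Rule>
  <xacml3:Rule RuleId="overstated" Effect="Permit">
    <xacml3:Condition>
      <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
          geoxacml:srid="4326" geoxacml:precision="6"
          >POINT(38.8894 -77.0352)</xacml3:AttributeValue>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>
"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
    print("request minimum 4:", precision_status(4, SAMPLE_POLICY))
```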
6.2.3. Geometry CRS
A GeoXACML 3.0 implementation that is compliant with the CRS Transformation conformance class may apply CRS transformation while deriving an authorization decision. Any CRS transformation produces a distortion that may result in false decision-making.
To prevent false decision-making caused by distortion, the GeoXACML 3.0 Standard defines the allowTransformation attribute that prevents dynamic CRS transformation by default whilst deriving an authorization decision. To explicitly allow a CRS transformation, the policy writer or the application requesting a decision must overwrite the default by adding allowTransformation="true" to the AttributeValue.
When attempting to make authorization decisions based on the default allowTransformation="false", the processing of policy and request geometries may stop “somewhere” and result in an Indeterminate decision. This is because the CRSs do not match. A policy writer that wants to craft different policies for different CRS can use the urn:ogc:def:function:geoxacml:3.0:geometry-srid-equals and urn:ogc:def:function:geoxacml:3.0:geometry-bag-srid-equals functions to index PolicySet, Policy, or Rule via Target matching.
<xacml3:Rule RuleId="crs84" Effect="Permit">
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:ogc:def:function:geoxacml:3.0:geometry-srid-equals">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4326</xacml3:AttributeValue>
          <xacml3:AttributeDesignator
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="subject-location" DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
              MustBePresent="true" />
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Condition>
    <xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-equals">
      <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
          xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
          geoxacml:srid="4326"
          >POINT(38.889444 -77.035278)</xacml3:AttributeValue>
      <xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-one-and-only">
        <xacml3:AttributeDesignator
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="subject-location" DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
            MustBePresent="true" />
      </xacml3:Apply>
    </xacml3:Apply>
  </xacml3:Condition>
</xacml3:Rule>
Figure 17 — Example Target matching for a Rule with geometry conditions using CRS84
7. GeoXACML 3.0 Core Requirements
7.1. Requirements Class Specification
Requirement 1: URN Prefix | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-urn-prefix |
Statement | GeoXACML 3.0 Core defines the non-resolvable URN base identifier urn:ogc:def:geoxacml:3.0 |
Requirement 2: Geometry URN | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-geometry-urn |
Statement | GeoXACML 3.0 Core defines the URN identifier for the datatype Geometry as value urn:ogc:def:geoxacml:3.0:data-type:geometry |
Requirement 3: Status URN Prefix | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-status-urn-prefix |
Statement | GeoXACML 3.0 Core defines a non-resolvable URN base identifier for status codes urn:ogc:def:geoxacml:3.0:status |
Requirement 4: Identifier URN Prefix | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-identifier-urn-prefix |
Statement | GeoXACML 3.0 Core defines a non-resolvable URN base identifier for identifiers urn:ogc:def:geoxacml:3.0:identifier |
Requirement 5: XACML Bag | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-xacml-bag |
Statement | A GeometryBag SHALL be an XACML bag with the datatype urn:ogc:def:geoxacml:3.0:data-type:geometry |
Requirement 6: XACML Bag CRS | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-xacml-bag-crs |
Statement | All geometries in a GeometryBag SHALL have the same CRS. |
Requirement 7: Geometry Model | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-iso |
Statement | GeoXACML 3.0 Core SHALL be compliant with the geometry model defined in the OGC Simple Features Standard with the restriction of homogeneous GeometryCollection. |
Requirement 8: Homogeneous Collection | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-homogeneous-collection |
Statement | GeoXACML 3.0 Core constrains a GeometryCollection to be homogeneous. A homogeneous GeometryCollection is an OGC Simple Features compliant GeometryCollection where all geometries are of the same geometry type and not of type GeometryCollection. |
Requirement 9: Heterogeneous Collection | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-heterogeneous-collection |
Statement | GeoXACML 3.0 Core supports a heterogeneous collection of geometries as a bag of geometries. |
Requirement 10: Function URN Prefix | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-function-urn-prefix |
Statement | GeoXACML 3.0 Core defines a non-resolvable URN base identifier for functions urn:ogc:def:geoxacml:3.0:function |
Requirement 11: XML Namespace | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-xml-namespace-uri |
Statement | GeoXACML 3.0 Core defines the XML namespace geoxacml with URI http://www.opengis.net/geoxacml/3.0. |
Requirement 12: Default CRS | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-default-crs |
Statement | GeoXACML 3.0 Core defines a default CRS urn:ogc:def:crs:OGC::CRS84 as defined in The GeoJSON Format. |
Requirement 13: Axis-order | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-axis-order |
Statement | GeoXACML 3.0 Core defines the axis order for the default CRS urn:ogc:def:crs:OGC::CRS84 as defined in The GeoJSON Format to be longitude / latitude. |
Requirement 14: XACML Schema | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-schema |
Statement | GeoXACML 3.0 Core SHALL adopt the XACML 3.0 Schema as defined in XACML Version 3.0 XML Schema for constructing a Policy, Authorization Decision Request and Authorization Decision. |
Requirement 15: XML Attribute srid | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-xml-attribute-srid |
Statement | GeoXACML 3.0 Core defines the XML attribute srid of type Integer in namespace http://www.opengis.net/geoxacml/3.0 to be used in the <AttributeValue> element for expressing an explicit geometry SRID as defined in OGC Simple Features. The CRS identifier SHALL be valid in the EPSG authority namespace. |
Requirement 16: XML Attribute precision | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-xml-attribute-precision |
Statement | GeoXACML 3.0 Core defines the XML attribute precision of type Integer in namespace http://www.opengis.net/geoxacml/3.0 to be used in the <AttributeValue> element for expressing the required minimum precision when processing a geometry. The default precision SHALL be infinite. The value of the precision attribute SHALL be a positive integer including zero (0). The value expresses the number of decimal places of the coordinate values that SHALL be considered when processing the geometry. When used in an ADR, a PEP SHALL use the precision for indicating the minimum precision for geometries involved in the decision-making. When used in an AD, a PDP SHALL use the precision for indicating to the PEP the maximum possible precision that can be guaranteed when deriving a decision. An implementation SHALL abort processing with an Indeterminate decision using StatusCode value urn:ogc:def:status:geoxacml:3.0:precision-error when the expected precision cannot be guaranteed. For each involved geometry, the StatusDetail SHALL contain the MissingAttributeDetail with the corresponding AttributeValue, including the maximum precision supported by the PDP. The AttributeValue SHALL not include a value. |
Requirement 17: XML Attribute encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-xml-attribute-encoding |
Statement | GeoXACML 3.0 Core defines the XML attribute encoding of type String in namespace http://www.opengis.net/geoxacml/3.0 to be used in the <AttributeValue> element for expressing the geometry encoding. As Core supports WKT and WKB geometry encoding, the value of the encoding attribute can either be WKT or WKB. If the encoding attribute is omitted, the WKT geometry encoding is the default. |
Requirement 18: CRS Error | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-crs-error |
Statement | GeoXACML 3.0 Core defines the StatusCode value urn:ogc:def:geoxacml:3.0:status:crs-error to indicate a processing error caused by CRS. |
Requirement 19: Geometry Error | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-geometry-error |
Statement | GeoXACML 3.0 Core defines the StatusCode value urn:ogc:def:geoxacml:3.0:status:geometry-error to indicate that processing of a geometry caused an error. |
Requirement 20: Geometry Collection Error | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-geometry-collection-error |
Statement | GeoXACML 3.0 Core defines the StatusCode value urn:ogc:def:geoxacml:3.0:status:geometry-collection-error to indicate that processing of a GeometryCollection caused an error. |
Requirement 21: Precision Error | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-precision-error |
Statement | GeoXACML 3.0 Core defines the StatusCode value urn:ogc:def:geoxacml:3.0:status:precision-error to indicate that processing of a geometry was aborted because the requested precision could not be met. |
Requirement 22: Identifier subject-location | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-subject-location |
Statement | GeoXACML 3.0 Core defines the AttributeId identifier urn:ogc:def:geoxacml:3.0:identifier:subject-location in the XACML subject-category to indicate the location of a user in the Authorization Decision Request. |
Requirement 23: Identifier resource-location | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-resource-location |
Statement | GeoXACML 3.0 Core defines the AttributeId identifier urn:ogc:def:geoxacml:3.0:identifier:resource-location in the XACML resource-category to indicate the location of a resource in the Authorization Decision Request. |
Requirement 24: Identifier resource-extend | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-resource-extend |
Statement | GeoXACML 3.0 Core defines the AttributeId identifier urn:ogc:def:geoxacml:3.0:identifier:resource-extend in the XACML resource-category to indicate the boundary of a resource geometry in the Authorization Decision Request. |
Requirement 25: Identifier resource-bbox | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-resource-bbox |
Statement | GeoXACML 3.0 Core defines the AttributeId identifier urn:ogc:def:geoxacml:3.0:identifier:resource-bbox in the XACML resource-category to indicate the BBOX of a resource in the Authorization Decision Request. |
Requirement 26: Identifier device-location | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-device-location |
Statement | GeoXACML 3.0 Core defines the AttributeId identifier urn:ogc:def:geoxacml:3.0:identifier:device-location in the XACML environment-category to indicate the location of a device in the Authorization Decision Request. |
7.2. Requirements Class Geometry Data-Type
The standardization target for this requirements class is implementation.
The Geometry datatype is based on the definition from OGC Simple Features.
Any instance of a Geometry datatype requires a well-defined Coordinate Reference System (CRS). This Standard defines the default CRS and axis order in compliance with The GeoJSON Format as urn:ogc:def:crs:OGC::CRS84 with axis order longitude/latitude.
The coordinate tuples of a Geometry datatype must be encoded compliant with the XACML 3.0 Policy schema. GeoXACML 3.0 Core supports Well-Known-Text and Well-Known-Binary encodings.
Requirements class 2: Geometry Data-Type | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type |
Obligation | requirement |
Target type | Implementation |
Prerequisites | OGC Simple Features; XACML Version 3.0 |
Normative statements | Requirement 27: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-default-crs; Requirement 28: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-xacml-attribute-srid; Requirement 29: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-geometry-error; Requirement 30: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-srid-equal; Requirement 31: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-wkt; Requirement 32: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-wkb |
Requirement 27: Default CRS | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-default-crs |
Statement | An implementation SHALL use the default CRS when constructing a Geometry instance unless the AttributeValue element contains the attribute srid in the XML namespace http://www.opengis.net/geoxacml/3.0. |
Requirement 28: XACML Attribute srid | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-xacml-attribute-srid |
Statement | An implementation SHALL overwrite the default CRS with the definition from the XACML3 AttributeValue attribute srid defined in the XML namespace http://www.opengis.net/geoxacml/3.0. |
Requirement 29: Geometry Error | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-geometry-error |
Statement | An implementation SHALL abort policy evaluation for any function processing a Geometry when the geometry instantiation results in an error. The resulting Authorization Response SHALL have the Decision value Indeterminate and StatusCode value urn:ogc:def:geoxacml:3.0:status:geometry-error |
Requirement 30: SRID equal | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-srid-equal |
Statement | An implementation SHALL abort policy evaluation for any function with more than one input parameter of datatype Geometry when the SRID identifiers are not identical. The resulting Authorization Response SHALL have the Decision value Indeterminate and StatusCode value urn:ogc:def:geoxacml:3.0:status:crs-error. The StatusDetail SHALL contain a MissingAttributeDetail element that lists all AttributeValue elements that are affected. The use of the srid attribute in namespace http://www.opengis.net/geoxacml/3.0 is mandatory to express the CRS identifier to be used. The use of the allowTransformation attribute in namespace http://www.opengis.net/geoxacml/3.0 is optional but SHALL be used to indicate that a geometry in the expressed CRS SHALL not be transformed to another CRS. <StatusDetail xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"> Example GeoXACML StatusDetail and MissingAttributeDetail to express supported CRS identifiers |
Requirement 31: WKT Encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-wkt |
Statement | An implementation SHALL support the WKT geometry encoding as defined in OGC Simple Features. |
Requirement 32: WKB Encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-wkb |
Statement | An implementation SHALL support the WKB geometry encoding as defined in OGC Simple Features and be able to construct a Geometry instance from the hex representation of the WKB’s binary value. |
7.3. Requirements Class Geometry Functions
The standardization target for this requirements class is implementation.
GeoXACML 3 Core supports functions on the Geometry datatype as defined in OGC Simple Features section 6.1.2.2, 6.1.2.3 and the function “Distance” from section 6.1.2.4.
In addition, GeoXACML 3 Core supports functions on the Geometry datatype mandated by XACML Version 3.0.
7.3.1. Requirement Function Dimension
Requirement 33: Function Dimension | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-dimension |
Obligation | requirement |
Statement | This function SHALL have the signature Dimension(this:Geometry):Integer and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-dimension This function SHALL be compliant with Dimension():Integer as defined in OGC Simple Features, section 6.1.2.2. |
7.3.2. Requirement Function GeometryType
Requirement 34: Function GeometryType | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-type |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryType(this:Geometry):String and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-type This function SHALL be compliant with GeometryType():String as defined in OGC Simple Features, section 6.1.2.2. |
7.3.3. Requirement Function IsEmpty
Requirement 35: Function IsEmpty | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-is-empty |
Obligation | requirement |
Statement | This function SHALL have the signature IsEmpty(this:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-is-empty This function SHALL be compliant with IsEmpty():Integer as defined in OGC Simple Features, section 6.1.2.2. This function SHALL return the value False if IsEmpty() returns the value 0 and the value True otherwise. |
7.3.4. Requirement Function IsSimple
Requirement 36: Function IsSimple | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-is-simple |
Obligation | requirement |
Statement | This function SHALL have the signature IsSimple(this:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-is-simple This function SHALL be compliant with IsSimple():Integer as defined in OGC Simple Features, section 6.1.2.2. This function SHALL return the value False if IsSimple() returns the value 0 and the value True otherwise. |
7.3.5. Requirement Function SRID
Requirement 37: Function SRID | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-srid |
Obligation | requirement |
Statement | This function SHALL have the signature SRID(this:Geometry):Integer and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-srid This function SHALL be compliant with SRID():Integer as defined in OGC Simple Features, section 6.1.2.2. |
7.3.6. Requirement Function SRIDEquals
Requirement 38: Function SRIDEquals | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-srid-equals |
Obligation | requirement |
Statement | This function SHALL have the signature SRIDEquals(srid:Integer,this:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-srid-equals This function SHALL return True if the geometry’s SRID is identical to the given srid parameter and False otherwise. |
7.3.7. Requirement Function EnsureSRID
Requirement 39: Function EnsureSRID | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-ensure-srid |
Obligation | requirement |
Statement | This function SHALL have the signature EnsureSRID(srid:Integer,this:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-ensure-srid This function SHALL return a geometry where the srid parameter is used to calculate the coordinate values. This function SHALL raise an Indeterminate exception with StatusCode value urn:ogc:def:geoxacml:3.0:identifier:crs-error if the output geometry could not be created. The MissingAttributeDetail element SHALL be used to list the AttributeValue with acceptable SRID values. The AttributeValue value SHALL be empty. When this function is implemented as part of the Core conformance, this function basically asserts that the geometry’s srid value equals a given value. When this function is implemented as part of the CRS Transformation conformance, this function SHALL attempt to do a CRS transformation on the geometry with the target CRS identified by the srid parameter. |
7.3.8. Requirement Function Precision
Requirement 40: Function Precision | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-precision |
Obligation | requirement |
Statement | This function SHALL have the signature Precision(this:Geometry):Integer and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-precision This function SHALL return a http://www.w3.org/2001/XMLSchema#integer value that is the geometry’s precision. |
7.3.9. Requirement Function HasPrecision
Requirement 41: Function HasPrecision | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-has-precision |
Obligation | requirement |
Statement | This function SHALL have the signature HasPrecision(precision:Integer,this:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-has-precision This function SHALL return a http://www.w3.org/2001/XMLSchema#boolean. The function SHALL evaluate to True if and only if the value of the first argument is less than or equal to the precision of the geometry represented by the second argument. |
7.3.10. Requirement Function EnsurePrecision
Requirement 42: Function EnsurePrecision | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-ensure-precision |
Obligation | requirement |
Statement | This function SHALL have the signature EnsurePrecision(precision:Integer,this:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-ensure-precision This function SHALL return a geometry where the precision parameter is used to calculate the coordinate values. This function SHALL raise an Indeterminate exception with StatusCode value urn:ogc:def:geoxacml:3.0:status:precision-error if the precision parameter requests higher precision than given by the input geometry (in other words, the requested precision cannot be reached). The MissingAttributeDetail element SHALL be used to list the AttributeValue with maximum possible precision value. The AttributeValue value SHALL be empty. |
7.3.11. Requirement Function Length
Requirement 43: Function Length | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-length |
Obligation | requirement |
Statement | This function SHALL have the signature Length(this:Geometry):Double and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-length This function SHALL be compliant with Length():Double as defined in OGC Simple Features, section 6.1.3.2. |
7.3.12. Requirement Function Area
Requirement 44: Function Area | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-area |
Obligation | requirement |
Statement | This function SHALL have the signature Area(this:Geometry):Double and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-area This function SHALL be compliant with Area():Double as defined in OGC Simple Features, section 6.1.10.2. |
7.3.13. Requirement Function Distance
Requirement 45: Function Distance | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-distance |
Obligation | requirement |
Statement | This function SHALL have the signature Distance(this:Geometry,another:Geometry):Double and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-distance This function SHALL be compliant with Distance(another:Geometry):Double as defined in OGC Simple Features, section 6.1.2.4. |
7.3.14. Requirement Function HasDistance
Requirement 46: Function HasDistance | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-has-distance |
Obligation | requirement |
Statement | This function SHALL have the signature HasDistance(distance:Double,this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-distance-equals This function is a convenience function to evaluate the distance between geometries using the function Distance(another:Geometry):Double as defined in OGC Simple Features, section 6.1.2.4. This function SHALL return the value True if the given distance equals the distance between the two geometries. |
7.3.15. Requirement Function IsWithinDistance
Requirement 47: Function IsWithinDistance | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-is-within-distance |
Obligation | requirement |
Statement | This function SHALL have the signature IsWithinDistance(d:Double,this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-is-within-distance This function SHALL be compliant with IsWithinDistance():Boolean as defined in Java Topology Suite - isWithinDistance(). |
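The following added example (not part of the Standard and not taken from any GeoXACML implementation) shows how Requirements 17, 27, 28, 29 and 30 and the functions EnsurePrecision and IsWithinDistance combine into a fail-closed evaluation: every parsing, CRS or precision problem ends in Indeterminate with the matching StatusCode rather than in Permit or Deny. It decodes WKT POINT values only; the `decide` rule, the `attribute_value` helper, the "EPSG:n" label for explicit SRIDs, rounding as the effect of EnsurePrecision, and the status codes chosen for a malformed `srid` or `precision` attribute are assumptions of this example.

```python
import math
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, replace

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = "http://www.opengis.net/geoxacml/3.0"            # Requirement 11
GEOMETRY = "urn:ogc:def:geoxacml:3.0:data-type:geometry"
DEFAULT_CRS = "urn:ogc:def:crs:OGC::CRS84"            # Requirement 12, axis order lon/lat
GEOMETRY_ERROR = "urn:ogc:def:geoxacml:3.0:status:geometry-error"
CRS_ERROR = "urn:ogc:def:geoxacml:3.0:status:crs-error"
PRECISION_ERROR = "urn:ogc:def:geoxacml:3.0:status:precision-error"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"


class Indeterminate(Exception):
    """Evaluation aborted; carries the StatusCode for the Authorization Decision."""
    def __init__(self, status_code, message):
        super().__init__(message)
        self.status_code = status_code


@dataclass(frozen=True)
class Point:
    x: float
    y: float
    crs: str
    precision: float  # math.inf when no precision attribute is present


_NUM = r"([-+]?\d+(?:\.\d+)?)"
_POINT = re.compile(rf"\s*POINT\s*\(\s*{_NUM}\s+{_NUM}\s*\)\s*", re.IGNORECASE)


def _non_negative_int(raw, status_code, name):
    if not (raw.isascii() and raw.isdigit()):
        raise Indeterminate(status_code, f"{name} is not a non-negative integer: {raw!r}")
    return int(raw)


def geometry_from_attribute_value(xml_text):
    """Build a Point from one <AttributeValue>, applying Requirements 17, 27 and 28."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs in untrusted request XML
        raise Indeterminate(GEOMETRY_ERROR, "DOCTYPE not allowed")
    try:
        element = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise Indeterminate(GEOMETRY_ERROR, f"malformed XML: {exc}") from exc
    if element.get("DataType") != GEOMETRY:
        raise Indeterminate(GEOMETRY_ERROR, "AttributeValue is not a geometry")
    if element.get(f"{{{NS}}}encoding", "WKT") != "WKT":  # WKT is the default encoding
        raise Indeterminate(GEOMETRY_ERROR, "this example decodes WKT only")
    match = _POINT.fullmatch(element.text or "")
    if match is None:
        raise Indeterminate(GEOMETRY_ERROR, "not a WKT POINT")
    srid = element.get(f"{{{NS}}}srid")
    crs = DEFAULT_CRS if srid is None else f"EPSG:{_non_negative_int(srid, CRS_ERROR, 'srid')}"
    raw = element.get(f"{{{NS}}}precision")
    precision = math.inf if raw is None else _non_negative_int(raw, GEOMETRY_ERROR, "precision")
    return Point(float(match[1]), float(match[2]), crs, precision)


def ensure_precision(precision, geometry):
    """EnsurePrecision: precision-error when more decimals are requested than the input has."""
    if precision > geometry.precision:
        raise Indeterminate(PRECISION_ERROR, f"maximum precision is {geometry.precision}")
    return replace(geometry, x=round(geometry.x, precision),
                   y=round(geometry.y, precision), precision=precision)


def is_within_distance(d, this, another):
    """IsWithinDistance, guarded by the SRID equality rule of Requirement 30."""
    if this.crs != another.crs:
        raise Indeterminate(CRS_ERROR, f"{this.crs} differs from {another.crs}")
    return math.hypot(this.x - another.x, this.y - another.y) <= d


def decide(subject_xml, resource_xml, max_distance, min_precision):
    """Hypothetical rule: Permit when subject-location is near resource-location."""
    try:
        subject = ensure_precision(min_precision, geometry_from_attribute_value(subject_xml))
        resource = ensure_precision(min_precision, geometry_from_attribute_value(resource_xml))
        near = is_within_distance(max_distance, subject, resource)
        return ("Permit" if near else "Deny"), STATUS_OK
    except Indeterminate as exc:
        return "Indeterminate", exc.status_code


def attribute_value(wkt, **geo_attrs):
    """Constructed sample input: one geometry <AttributeValue> as a PEP would send it."""
    attrs = "".join(f' geoxacml:{k}="{v}"' for k, v in geo_attrs.items())
    return (f'<AttributeValue xmlns="{XACML}" xmlns:geoxacml="{NS}" '
            f'DataType="{GEOMETRY}"{attrs}>{wkt}</AttributeValue>')
```

A PEP consuming such a decision has to treat Indeterminate as its own outcome and apply its configured bias, not fold it into Permit.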
7.4. Requirements Class Spatial Relations Functions
Definitions of testing functions on the Geometry datatype as defined in OGC Simple Features section 6.1.2.3.
7.4.1. Requirement Function Equals
Requirement 48: Function Equals | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-equals |
Obligation | requirement |
Statement | This function SHALL have the signature Equals(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-equals This function SHALL be compliant with Equals(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Equals() returns the value 0 and the value True otherwise. |
7.4.2. Requirement Function Disjoint
Requirement 49: Function Disjoint | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-disjoint |
Obligation | requirement |
Statement | This function SHALL have the signature Disjoint(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-disjoint This function SHALL be compliant with Disjoint(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Disjoint() returns the value 0 and the value True otherwise. |
7.4.3. Requirement Function Intersects
Requirement 50: Function Intersects | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-intersects |
Obligation | requirement |
Statement | This function SHALL have the signature Intersects(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-intersects This function SHALL be compliant with Intersects(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Intersects() returns the value 0 and the value True otherwise. |
7.4.4. Requirement Function Touches
Requirement 51: Function Touches | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-touches |
Obligation | requirement |
Statement | This function SHALL have the signature Touches(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-touches This function SHALL be compliant with Touches(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Touches() returns the value 0 and the value True otherwise. |
7.4.5. Requirement Function Crosses
Requirement 52: Function Crosses | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-crosses |
Obligation | requirement |
Statement | This function SHALL have the signature Crosses(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-crosses This function SHALL be compliant with Crosses(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Crosses() returns the value 0 and the value True otherwise. |
7.4.6. Requirement Function Within
Requirement 53: Function Within | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-within |
Obligation | requirement |
Statement | This function SHALL have the signature Within(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-within This function SHALL be compliant with Within(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Within() returns the value 0 and the value True otherwise. |
7.4.7. Requirement Function Contains
Requirement 54: Function Contains | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-contains |
Obligation | requirement |
Statement | This function SHALL have the signature Contains(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-contains This function SHALL be compliant with Contains(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Contains() returns the value 0 and the value True otherwise. |
7.4.8. Requirement Function Overlaps
Requirement 55: Function Overlaps | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-overlaps |
Obligation | requirement |
Statement | This function SHALL have the signature Overlaps(this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-overlaps This function SHALL be compliant with Overlaps(Geometry):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Overlaps() returns the value 0 and the value True otherwise. |
7.4.9. Requirement Function Relate
Requirement 56: Function Relate | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-relate |
Obligation | requirement |
Statement | This function SHALL have the signature Relate(intersectionPatternMatrix:String, this:Geometry,another:Geometry):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-relate This function SHALL be compliant with Relate(Geometry,String):Integer as defined in OGC Simple Features, section 6.1.2.3. This function SHALL return the value False if Relate() returns the value 0 and the value True otherwise. |
7.5. Requirements Class Bag Functions
Definitions of XACML bag functions on the datatype Geometry as mandated by XACML Version 3.0.
7.5.1. Requirement Function GeometryOneAndOnly
Requirement 57: Function GeometryOneAndOnly | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-bag-one-and-only |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryOneAndOnly(bag:GeometryBag):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-one-and-only This function SHALL take a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values as an argument and SHALL return a value of urn:ogc:def:geoxacml:3.0:data-type:geometry. It SHALL return the only value in the bag. If the bag does not have one and only one value, then the expression SHALL evaluate to “Indeterminate”. |
Requirement 58: Function GeometryBagSize | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-bag-size |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryBagSize(bag:GeometryBag):Integer and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-size This function SHALL take a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values as an argument and SHALL return an http://www.w3.org/2001/XMLSchema#integer indicating the number of values in the bag. |
Requirement 59: Function GeometryIsIn | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-is-in-bag |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryIsIn(g:Geometry,bag:GeometryBag):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-is-in-bag The function SHALL return True if and only if the first argument matches by the urn:ogc:def:geoxacml:3.0:function:geometry-equals any value in the bag. This function SHALL return False otherwise or if the argument is an empty bag. |
Requirement 60: Function Bag | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-bag |
Obligation | requirement |
Statement | This function SHALL have the signature Bag(Geometry):GeometryBag and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag This function SHALL take any number of arguments of urn:ogc:def:geoxacml:3.0:data-type:geometry and return a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values containing the values of the arguments. An application of this function to zero arguments SHALL produce an empty bag of the datatype urn:ogc:def:geoxacml:3.0:data-type:geometry. |
Requirement 61: Function GeometryBagToCollection | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-geometry-bag-to-collection |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryBagToCollection(bag:GeometryBag):GeometryCollection and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-to-collection This function SHALL return a homogeneous GeometryCollection as defined in ISO 19125 by adding each member of the bag as a geometry to the collection. This function SHALL return an Indeterminate status with value urn:ogc:def:geoxacml:3.0:status:geometry-collection-error if the bag is heterogeneous (contains geometries of different types). |
Requirement 62: Function GeometryBagFromCollection | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-geometry-bag-from-collection |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryBagFromCollection(GeometryCollection):GeometryBag and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-from-collection This function SHALL return a bag of values of type Geometry by adding each geometry of the GeometryCollection as a member of type Geometry. |
Requirement 63: Function GeometryBagSRID | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-geometry-bag-srid |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryBagSRID(bag:GeometryBag):Integer and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-srid This function SHALL return an Integer whose value is the srid of the geometries of the bag. NOTE: Per GeoXACML definition, all geometries of a bag SHALL have the same srid value. |
Requirement 64: Function GeometryBagSRIDEquals | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-geometry-bag-srid-equals |
Obligation | requirement |
Statement | This function SHALL have the signature GeometryBagSRIDEquals(srid:Integer, bag:GeometryBag): Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-srid-equals This function SHALL return a True value if the srid of the bag equals the value of the srid parameter and a False value otherwise. |
7.6. Requirements Class Set Functions
Definitions of XACML set functions on the Geometry datatype as mandated by XACML Version 3.0.
Requirements class 6: XACML Bag Functions | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/xacml-set-functions |
Obligation | requirement |
Target type | Implementation |
Prerequisite | XACML Version 3.0 |
Normative statements | Requirement 66: http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-intersection; Requirement 65: http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-at-least-one-member-of; Requirement 67: http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-union; Requirement 68: http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-subset; Requirement 69: http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-set-equals |
7.6.1. Requirement Function AtLeastOneMemberOf
Requirement 65: Function BagAtLeastOneMemberOf | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-at-least-one-member-of |
Obligation | requirement |
Statement | This function SHALL have the signature BagAtLeastOneMemberOf(bag1:GeometryBag,bag2:GeometryBag):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-at-least-one-member-of This function SHALL take two arguments that are both a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values. It SHALL return a http://www.w3.org/2001/XMLSchema#boolean. The function SHALL evaluate to True if and only if at least one element of the first argument is contained in the second argument as determined by urn:ogc:def:geoxacml:3.0:function:geometry-is-in-bag. |
7.6.2. Requirement Function Intersection
Requirement 66: Function Intersection | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-intersection |
Obligation | requirement |
Statement | This function SHALL have the signature Intersection(bag1:GeometryBag,bag2:GeometryBag):GeometryBag and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-intersection. This function SHALL take two arguments that are both a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values. It SHALL return a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values such that it contains only elements that are common between the two bags, which is determined by urn:ogc:def:geoxacml:3.0:function:geometry-equals. No duplicates, as determined by urn:ogc:def:geoxacml:3.0:function:geometry-equals, SHALL exist in the result. |
7.6.3. Requirement Function Union
Requirement 67: Function Union | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-union |
Obligation | requirement |
Statement | This function SHALL have the signature Union(bag1:GeometryBag,bag2:GeometryBag):GeometryBag and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-union. This function SHALL take two arguments that are both a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values. It SHALL return a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry such that it contains all elements of all the argument bags. No duplicates, as determined by urn:ogc:def:geoxacml:3.0:function:geometry-equals, SHALL exist in the result. |
7.6.4. Requirement Function Subset
Requirement 68: Function Subset | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-subset |
Obligation | requirement |
Statement | This function SHALL have the signature Subset(bag1:GeometryBag,bag2:GeometryBag):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-bag-subset. This function SHALL take two arguments that are both a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values. It SHALL return “True” if and only if the first argument is a subset of the second argument. Each argument SHALL be considered to have had its duplicates removed, as determined by urn:ogc:def:geoxacml:3.0:function:geometry-equals, before the subset calculation. |
7.6.5. Requirement Function SetEquals
Requirement 69: Function SetEquals | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-xacml-geometry-set-equals |
Obligation | requirement |
Statement | This function SHALL have the signature SetEquals(bag1:GeometryBag,bag2:GeometryBag):Boolean and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-set-equals. This function SHALL take two arguments that are both a bag of urn:ogc:def:geoxacml:3.0:data-type:geometry values. It SHALL return the result of applying urn:oasis:names:tc:xacml:1.0:function:and to the application of urn:ogc:def:geoxacml:3.0:function:geometry-bag-subset to the first and second arguments and the application of urn:ogc:def:geoxacml:3.0:function:geometry-bag-subset to the second and first arguments. |
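The set functions of Requirements 65 to 69 compare members with geometry-equals rather than by their encoded text, so they cannot be built on hashing or string sets. The sketch below is an added example, not code from the standard or from any GeoPDP: `point_equals` is a stand-in for geometry-equals limited to 2D POINT WKT, geometry-is-in-bag is assumed to test membership with that same predicate, and the sample bags are constructed.

```python
import re
from typing import Callable, List

Geometry = str                                  # constructed stand-in: one WKT string
Equals = Callable[[Geometry, Geometry], bool]   # plays the role of geometry-equals

NUM = r"([-+]?\d+(?:\.\d+)?)"
POINT_WKT = re.compile(rf"^\s*POINT\s*\(\s*{NUM}\s+{NUM}\s*\)\s*$", re.IGNORECASE)


def point_equals(a: Geometry, b: Geometry) -> bool:
    """Stand-in for geometry-equals, limited to 2D POINT WKT (assumption)."""
    def coords(wkt: str):
        m = POINT_WKT.match(wkt)
        if m is None:
            raise ValueError(f"unsupported or malformed WKT: {wkt!r}")
        return float(m.group(1)), float(m.group(2))
    return coords(a) == coords(b)


def is_in(g: Geometry, bag: List[Geometry], equals: Equals) -> bool:
    """Membership test; assumed to be what geometry-is-in-bag does."""
    return any(equals(g, member) for member in bag)


def dedupe(bag: List[Geometry], equals: Equals) -> List[Geometry]:
    """Drop duplicates as determined by `equals`, keeping the first seen."""
    out: List[Geometry] = []
    for g in bag:
        if not is_in(g, out, equals):
            out.append(g)
    return out


def at_least_one_member_of(bag1, bag2, equals: Equals) -> bool:
    return any(is_in(g, bag2, equals) for g in bag1)


def intersection(bag1, bag2, equals: Equals) -> List[Geometry]:
    return dedupe([g for g in bag1 if is_in(g, bag2, equals)], equals)


def union(bag1, bag2, equals: Equals) -> List[Geometry]:
    return dedupe(list(bag1) + list(bag2), equals)


def subset(bag1, bag2, equals: Equals) -> bool:
    # Duplicates are removed first, as Requirement 68 prescribes.
    return all(is_in(g, dedupe(bag2, equals), equals)
               for g in dedupe(bag1, equals))


def set_equals(bag1, bag2, equals: Equals) -> bool:
    # Requirement 69: subset in both directions, combined with "and".
    return subset(bag1, bag2, equals) and subset(bag2, bag1, equals)


# Constructed sample bags: the same point appears in three spellings.
BAG1 = ["POINT(1 2)", "POINT (1.0 2.00)", "POINT(3 4)"]
BAG2 = ["POINT(1.0 2)", "POINT(5 6)"]

if __name__ == "__main__":
    print("lexical intersection :", set(BAG1) & set(BAG2))
    print("geometry intersection:", intersection(BAG1, BAG2, point_equals))
    print("geometry union       :", union(BAG1, BAG2, point_equals))
```

A lexical intersection of the two sample bags is empty, while the geometry-based one contains the shared point once; a policy condition built on these functions reaches a different decision depending on which comparison the implementation uses.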
8. GeoXACML 3.0 Spatial Analysis Requirements
8.1. Requirements Class Spatial Analysis
8.1.1. Requirement Function Envelope
Requirement 70: Function Envelope | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-envelope |
Obligation | requirement |
Statement | This function SHALL have the signature Envelope(this:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-envelope. This function SHALL be compliant with Envelope():Geometry as defined in OGC Simple Features, section 6.1.2.2. |
8.1.2. Requirement Function Boundary
Requirement 71: Function Boundary | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-boundary |
Obligation | requirement |
Statement | This function SHALL have the signature Boundary(this:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-boundary. This function SHALL be compliant with Boundary():Geometry as defined in OGC Simple Features, section 6.1.2.2. |
8.1.3. Requirement Function Buffer
Requirement 72: Function Buffer | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-buffer |
Obligation | requirement |
Statement | This function SHALL have the signature Buffer(this:Geometry,distance:Double):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-buffer. This function SHALL be compliant with Buffer(Double):Geometry as defined in OGC Simple Features, section 6.1.2.4. |
8.1.4. Requirement Function ConvexHull
Requirement 73: Function ConvexHull | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-convex-hull |
Obligation | requirement |
Statement | This function SHALL have the signature ConvexHull(this:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-convex-hull. This function SHALL be compliant with ConvexHull():Geometry as defined in OGC Simple Features, section 6.1.2.4. |
8.1.5. Requirement Function GeometryIntersection
Requirement 74: Function Intersection | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-intersection |
Obligation | requirement |
Statement | This function SHALL have the signature Intersection(this:Geometry,another:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-intersection. This function SHALL be compliant with Intersection(Geometry):Geometry as defined in OGC Simple Features, section 6.1.2.4. |
8.1.6. Requirement Function GeometryUnion
Requirement 75: Function Union | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-union |
Obligation | requirement |
Statement | This function SHALL have the signature Union(this:Geometry,another:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-union. This function SHALL be compliant with Union(Geometry):Geometry as defined in OGC Simple Features, section 6.1.2.4. |
8.1.7. Requirement Function Difference
Requirement 76: Function Difference | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-difference |
Obligation | requirement |
Statement | This function SHALL have the signature Difference(this:Geometry,another:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-difference. This function SHALL be compliant with Difference(Geometry):Geometry as defined in OGC Simple Features, section 6.1.2.4. |
8.1.8. Requirement Function SymDifference
Requirement 77: Function SymDifference | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-sym-difference |
Obligation | requirement |
Statement | This function SHALL have the signature SymDifference(this:Geometry,another:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-sym-difference. This function SHALL be compliant with SymDifference(Geometry):Geometry as defined in OGC Simple Features, section 6.1.2.4. |
8.1.9. Requirement Function Centroid
Requirement 78: Function Centroid | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/functions/req-iso-geometry-centroid |
Obligation | requirement |
Statement | This function SHALL have the signature Centroid(this:Geometry):Geometry and the identifier as urn:ogc:def:geoxacml:3.0:function:geometry-centroid. This function SHALL be compliant with Centroid():Point as defined in OGC Simple Features, section 6.1.10.2. |
9. GeoXACML 3.0 CRS Transformation Requirements
9.1. Requirements Class CRS Transformation
Requirements class 8: OGC API | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/crs-transformation |
Obligation | requirement |
Target type | Implementation |
Conformance class | Conformance class 3: http://www.opengis.net/spec/geoxacml/3.0/conf/crs-transformation |
Prerequisite | http://www.opengis.net/spec/geoxacml/3.0/req-class/core |
Normative statements | Requirement 79: http://www.opengis.net/spec/geoxacml/3.0/req-class/crs-transformation/req-allow-transformation Requirement 80: http://www.opengis.net/spec/geoxacml/3.0/req-class/crs-transformation/req-crs-transformation |
9.1.1. Requirement Allow CRS Transformation
Requirement 79: Allow CRS Transformation | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/crs-transformation/req-allow-transformation |
Obligation | requirement |
Statement | The GeoXACML 3.0 CRS Transformation requirements class defines the XML attribute allowTransformation of type Boolean in namespace http://www.opengis.net/geoxacml/3.0 to be used in the AttributeValue for expressing an explicit allowance that a coordinate transformation can be applied to the comprised geometry. The default value is False. When used in an ADR, the PEP SHALL use the allowTransformation for indicating to the GeoPDP (the GeoXACML implementation) the acceptance that the geometry may get transformed to another CRS while deriving an authorization decision. When used in an AD (as part of the MissingAttributeDetail), the GeoPDP SHALL indicate to the PEP the assurance that a geometry with the indicated CRS would not be transformed to another CRS during processing. |
9.1.2. Requirement Support CRS Transformation
Requirement 80: Support CRS Transformation | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/crs-transformation/req-crs-transformation |
Obligation | requirement |
Statement | An implementation SHALL apply CRS transformation to avoid having to abort processing. An implementation SHALL abort processing with Decision of Indeterminate and StatusCode urn:ogc:def:geoxacml:3.0:status:crs-error if:
The StatusDetail SHALL include a MissingAttributeDetail listing the AttributeValue(s) including the srid and the allowTransformation attributes to indicate which geometry CRSs are accepted by the policy. |
10. GeoXACML 3.0 OGC API Requirements
10.1. Requirements Class OGC API
Requirements class 9: OGC API | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api |
Obligation | requirement |
Target type | Implementation |
Conformance class | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api |
Prerequisites | https://opengeospatial.github.io/ogcna-auto-review/19-072.html http://www.opengis.net/spec/geoxacml/3.0/req-class/core |
Normative statements | Requirement 81: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-landing-page Requirement 82: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-conformance-page Requirement 83: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-openapi-page Requirement 84: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-decision |
10.1.1. Requirement Landing Page
Requirement 81: Landing Page | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-landing-page |
Obligation | requirement |
Statement | An implementation SHALL support the path / to display general information about the implementation. An implementation SHALL support the response in JSON and HTML. An implementation SHALL return the JSON representation of the landing page when the HTTP request contains the query string parameter f=json or the HTTP header Accept: application/json. An implementation SHALL return the HTML representation of the landing page when the HTTP request contains the query string parameter f=html or the HTTP header Accept: text/html. An implementation SHALL return the HTML representation of the landing page in all other cases. |
10.1.2. Requirement Conformance Page
Requirement 82: Conformance Page | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-conformance-page |
Obligation | requirement |
Statement | An implementation SHALL support the path /conformance to display the supported conformance classes in format HTML or JSON. An implementation SHALL return the JSON representation of the conformance page when the HTTP request contains the query string parameter f=json or the HTTP header Accept: application/json. An implementation SHALL return the HTML representation of the conformance page when the HTTP request contains the query string parameter f=html or the HTTP header Accept: text/html. An implementation SHALL return the HTML representation of the conformance page in all other cases. |
10.2. Requirement OpenAPI Page
Requirement 83: API Page | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-openapi-page |
Obligation | requirement |
Statement | An implementation SHALL support the path /api to display the OpenAPI document describing the API. An implementation SHALL return the JSON representation of the OpenAPI definition when the HTTP request contains the query string parameter f=json or the HTTP header Accept: application/json. An implementation SHALL return the HTML representation of the OpenAPI page when the HTTP request contains the query string parameter f=html or the HTTP header Accept: text/html. An implementation SHALL return the HTML representation of the OpenAPI definition in all other cases. |
10.2.1. Requirement GeoXACML Decision
Requirement 84: API GeoPDP | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-decision |
Obligation | requirement |
Statement | An implementation SHALL support the path /decision to support HTTP POST of a GeoXACML ADR compliant with the XACML 3 <Request> as defined in XACML Version 3.0 XML Schema. The response SHALL be a GeoXACML AD compliant with the XACML 3 <Response> as defined in XACML Version 3.0 XML Schema. The implementation SHALL accept the media type xacml+xml and geoxacml+xml indicating a XACML 3.0 schema compliant ADR that may contain AttributeValue elements of type Geometry. The implementation SHALL support the response media type xacml+xml and geoxacml+xml for a XACML 3.0 schema compliant AD. |
11. Media Types for any data encoding(s)
OGC has registered the MIME-Type application/geoxacml+xml with IANA: https://www.iana.org/assignments/media-types/application/geoxacml+xml
A GeoXACML policy shall be exchanged using MIME-Type application/geoxacml+xml.
Any request to the OGC GeoXACML 3.0 PDP SHALL be XACML 3.0 schema compliant but use Content-Type: application/geoxacml+xml to indicate the use of GeoXACML 3.0 defined datatype Geometry. The optional parameter version can be used to indicate the GeoXACML version. Supported value is 3.0.
A client (PEP) requesting a decision SHALL use Accept: application/geoxacml+xml to indicate that it is capable of handling GeoXACML 3.0 specific status codes.
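An added sketch (not the standard's or any implementation's code) of the format selection in Requirements 81 to 83 and the media-type check for /decision in Requirement 84 and this section. Assumptions not stated on the page: the f parameter wins over Accept when both are present, rejected requests map to HTTP 405 and 415, and the reply defaults to application/xacml+xml unless the PEP's Accept header names application/geoxacml+xml.

```python
from urllib.parse import parse_qs, urlsplit

JSON = "application/json"
HTML = "text/html"
XACML = "application/xacml+xml"
GEOXACML = "application/geoxacml+xml"


def parse_media(value):
    """Split 'type/subtype; k=v' into (lower-cased type, {param: value})."""
    parts = [p.strip() for p in (value or "").split(";")]
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def accepted_types(accept):
    """Media types of an Accept header, highest q first, q=0 dropped."""
    ranges = []
    for item in (accept or "").split(","):
        if not item.strip():
            continue
        mtype, params = parse_media(item)
        try:
            q = float(params.get("q", "1"))
        except ValueError:
            q = 0.0
        if q > 0:
            ranges.append((q, mtype))
    ranges.sort(key=lambda r: -r[0])      # stable: header order breaks ties
    return [mtype for _, mtype in ranges]


def negotiate_page(url, accept=None):
    """Representation for /, /conformance and /api (Requirements 81 to 83)."""
    f = parse_qs(urlsplit(url).query).get("f", [""])[0].lower()
    if f == "json":
        return JSON
    if f == "html":
        return HTML
    for mtype in accepted_types(accept):
        if mtype == JSON:
            return JSON
        if mtype == HTML:
            return HTML
    return HTML                            # "in all other cases"


def check_decision_request(method, content_type, accept=None):
    """Return (http_status, response_media_type) for a request to /decision."""
    if method.upper() != "POST":
        return 405, None                   # assumption: only POST is defined
    mtype, params = parse_media(content_type)
    if mtype not in (XACML, GEOXACML):
        return 415, None                   # assumption: HTTP 415 for other types
    if mtype == GEOXACML and params.get("version", "3.0") != "3.0":
        return 415, None                   # only version 3.0 is supported
    # A PEP that can handle GeoXACML status codes says so via Accept.
    reply = GEOXACML if GEOXACML in accepted_types(accept) else XACML
    return 200, reply


if __name__ == "__main__":
    print(negotiate_page("/conformance?f=json", "text/html"))
    print(check_decision_request("POST", "application/geoxacml+xml; version=3.0",
                                 "application/geoxacml+xml"))
```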
Annex A
(normative)
Conformance Class Abstract Test Suite
This normative section defines the GeoXACML 3.0 conformance classes tests.
A.1. Conformance Class Specification (mandatory)
A.1.1. Requirements Class Specification
A.2. Conformance Class Core (mandatory)
A.2.1. Requirements Class Geometry Data-Type
Conformance test A.2 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/wkt |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 31: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-wkt |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation supports the instantiation of an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry based on Well-Known-Text. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry with a value describing the geometry using Well-Known-Text. |
Description | <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry" Geometry encoding example based on WKT |
Conformance test A.3 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/wkb |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 32: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-wkb |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation supports the instantiation of an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry based on Well-Known-Binary. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry with a value describing the geometry using WKB. |
Description | <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry" Geometry encoding example based on WKB |
Conformance test A.4 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/geometry-error |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 29: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-geometry-error |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation aborts processing for an AttributeValue with a value not compliant to WKT and WKB. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that processes an erroneous geometry value. Verify that the processing is aborted using the Status Code urn:ogc:def:geoxacml:3.0:status:geometry-error. |
Description | <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry" Geometry encoding example that results in a geometry error |
Conformance test A.5 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/geometry-error-encoding-wkt |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 29: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-geometry-error http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-xml-attribute-encoding |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation aborts processing for an AttributeValue with a value not compliant with the encoding indicated via the encoding attribute. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that processes an erroneous geometry value. Verify that the processing is aborted using the Status Code urn:ogc:def:geoxacml:3.0:status:geometry-error. |
Description | <xacml3:AttributeValue xmlns:geoxacml="urn:ogc:def:geoxacml:3.0:data-type:geometry" Geometry encoding example that results in a geometry error |
Conformance test A.6 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/geometry-error-encoding-wkb |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 29: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-geometry-error http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-xml-attribute-encoding |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation aborts processing for an AttributeValue with a value not compliant with the encoding indicated via the encoding attribute. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that processes an erroneous geometry value. Verify that the processing is aborted using the Status Code urn:ogc:def:geoxacml:3.0:status:geometry-error. |
Description | <xacml3:AttributeValue xmlns:geoxacml="urn:ogc:def:geoxacml:3.0:data-type:geometry" Geometry encoding example that results in a geometry error |
Conformance test A.7 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/default-crs |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 27: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-default-crs |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation supports the instantiation of an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry using the default CRS urn:ogc:def:crs:OGC::CRS84. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry with a value describing the geometry using WKT or WKB and verify that the geometry SRID is equal to the default CRS. |
Conformance test A.8 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/xacml-attribute-srid |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 28: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-xacml-attribute-srid |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation uses the AttributeValue XML attribute srid in namespace http://www.opengis.net/geoxacml/3.0 when constructing the geometry. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains the following AttributeValue where the value of the srid attribute is of value 3857. Verify that the instantiated geometry has CRS EPSG:3857. |
Description | <xacml3:AttributeValue xmlns:geoxacml="urn:ogc:def:geoxacml:3.0:data-type:geometry" Geometry encoding example based on WKT and explicit SRID definition |
Conformance test A.9 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/axis-order-crs84 |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 13: http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-axis-order |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation uses the correct axis order for CRS urn:ogc:def:crs:OGC::CRS84 which is longitude/latitude. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry with a value describing the geometry using WKT or WKB in CRS {CRS} and verify that the axis order is longitude/latitude. |
Description | <xacml3:AttributeValue xmlns:geoxacml="urn:ogc:def:geoxacml:3.0:data-type:geometry" Location of Washington Monument in CRS84 |
Conformance test A.10 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/axis-order-epsg4326 |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 13: http://www.opengis.net/spec/geoxacml/3.0/req-class/specification/req-axis-order |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation uses the correct axis order for CRS EPSG:4326 which is latitude/longitude. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains an AttributeValue of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry with a value describing the geometry using WKT or WKB in CRS EPSG:4326 and verify that the axis order is latitude/longitude. |
Description | <xacml3:AttributeValue xmlns:geoxacml="urn:ogc:def:geoxacml:3.0:data-type:geometry" Location of Washington Monument in EPSG:4326 |
Conformance test A.11 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/crs-equal |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 30: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-srid-equal |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation processes two geometries or bags of geometries encoded in the identical CRS. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains all of the Core functions where all geometry CRS, represented by their SRID value are identical. Verify that the processing was not aborted. |
Conformance test A.12 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/crs84-epsg4326 |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 30: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-srid-equal |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation supports processing of functions where parameters of type Geometry are encoded using CRS84 and EPSG:4326. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains all of the Core functions where both parameters are of type urn:ogc:def:geoxacml:3.0:data-type:geometry and the first geometry is encoded in the default CRS urn:ogc:def:crs:OGC::CRS84 and the other geometry is encoded in the CRS EPSG:4326. Repeat the test with swapping parameters. Verify that the implementation applies axis swapping and produces correct results. A paramount test function is {EQUAL} or urn:ogc:def:geoxacml:3.0:function:geometry-equals. |
Description | <xacml3:Rule RuleId="swap-axis" Effect="Permit"> GeoXACML 3.0 Rule for testing axis-order swapping |
Conformance test A.13 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/core/crs-not-equal |
Requirements | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core Requirement 30: http://www.opengis.net/spec/geoxacml/3.0/req-class/data-type/req-srid-equal |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml/3.0/conf/core |
Test purpose | Verify that the implementation aborts processing by returning the StatusCode with value urn:ogc:def:geoxacml:3.0:status:crs-error when processing a function that operates on at least two geometries and their CRS definitions are not identical and where CRS transformation would be required to complete the processing. |
Test-method-type | Unit Tests |
Test method | Execute the implementation on a GeoXACML policy that contains all of the Core functions where both parameters are of datatype urn:ogc:def:geoxacml:3.0:data-type:geometry and processing would require a CRS transformation. Example CRS combination is EPSG:4326 and EPSG:3857. Verify that the implementation aborts processing with the status code urn:ogc:def:geoxacml:3.0:status:crs-error. |
Description | <xacml3:Rule RuleId="swap-axis" Effect="Permit"> GeoXACML 3.0 Rule for testing CRS error |
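How the CRS checks exercised by conformance tests A.11 to A.13 can fit together with allowTransformation from Requirement 79, as an added example that is not part of the standard. Assumptions: CRS names are plain strings, geometries are points, the coordinates are approximate constructed values, and the only transformation implemented is the spherical Mercator projection to EPSG:3857.

```python
import math
from dataclasses import dataclass, replace

CRS84 = "urn:ogc:def:crs:OGC::CRS84"    # default CRS, axis order longitude/latitude
EPSG4326 = "EPSG:4326"                   # axis order latitude/longitude
EPSG3857 = "EPSG:3857"
CRS_ERROR = "urn:ogc:def:geoxacml:3.0:status:crs-error"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"


@dataclass(frozen=True)
class Point:
    crs: str
    a: float                             # first ordinate exactly as encoded
    b: float                             # second ordinate exactly as encoded
    allow_transformation: bool = False   # allowTransformation, default False


class CrsError(Exception):
    """Maps to Decision Indeterminate with StatusCode crs-error."""

    def __init__(self, accepted_crs):
        super().__init__(f"{CRS_ERROR}: policy accepts {accepted_crs}")
        self.status_code = CRS_ERROR
        self.accepted_crs = accepted_crs


def to_web_mercator(p):
    """Spherical Mercator forward projection from CRS84 or EPSG:4326."""
    lon, lat = (p.a, p.b) if p.crs == CRS84 else (p.b, p.a)
    radius = 6378137.0
    x = radius * math.radians(lon)
    y = radius * math.log(math.tan(math.pi / 4 + math.radians(lat) / 2))
    return replace(p, crs=EPSG3857, a=x, b=y)


def align(policy, request, transformation_supported=False):
    """Express the request geometry in the policy geometry's CRS, or abort."""
    if request.crs == policy.crs:                       # A.11: identical CRS
        return request
    if {request.crs, policy.crs} == {CRS84, EPSG4326}:  # A.12: axis swap only
        return replace(request, crs=policy.crs, a=request.b, b=request.a)
    if (transformation_supported and request.allow_transformation
            and policy.crs == EPSG3857 and request.crs in (CRS84, EPSG4326)):
        return to_web_mercator(request)                 # CRS Transformation class
    raise CrsError(policy.crs)                          # A.13: crs-error


def decide_equals(policy, request, transformation_supported=False):
    """Toy Permit rule whose condition is equality of two points."""
    try:
        aligned = align(policy, request, transformation_supported)
    except CrsError as err:
        return {"Decision": "Indeterminate", "StatusCode": err.status_code,
                "AcceptedCRS": err.accepted_crs}
    same = (aligned.a, aligned.b) == (policy.a, policy.b)
    return {"Decision": "Permit" if same else "NotApplicable",
            "StatusCode": STATUS_OK}


# Constructed sample: approximate location of the Washington Monument.
MONUMENT_CRS84 = Point(CRS84, -77.0353, 38.8895)
MONUMENT_4326 = Point(EPSG4326, 38.8895, -77.0353)
POLICY_3857 = Point(EPSG3857, -8575530.0, 4705821.0)

if __name__ == "__main__":
    print(decide_equals(MONUMENT_CRS84, MONUMENT_4326))
    print(decide_equals(POLICY_3857, MONUMENT_CRS84))
```

Comparing the two monument points ordinate by ordinate without the axis swap reports them as different, which is the failure mode conformance test A.12 is designed to catch.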
A.2.2. Requirements Class Geometry Functions
A.2.3. Requirements Class Test Functions
A.2.4. Requirements Class Spatial Relations Functions
A.2.5. Requirements Class Spatial Analysis Functions
A.2.6. Requirements Class XACML Bag Functions
A.2.7. Requirements Class XACML Set Functions
A.3. Conformance Class Spatial Analysis (optional)
A.4. Conformance Class CRS Transformation (optional)
A.5. Conformance Class OGC API (optional)
Conformance test A.25: Landing Page Conformance Tests | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/landing-page |
Requirements | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api Requirement 81: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-landing-page |
Included in | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api |
Test purpose | Verify that the implementation renders the landing page in the formats html and json. |
Test-method-type | Postman or Web Browser |
Test method | Execute the root URL of the implementation and verify that the response contains the landing page in the requested format: |
A | Use the URL query string f=html to request the HTML format of the landing page |
B | Use the URL query string f=json to request the JSON format of the landing page |
Conformance test A.26: OpenAPI Page Conformance Tests | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/openapi-page |
Requirements | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api Requirement 83: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-openapi-page |
Included in | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api |
Test purpose | Verify that the implementation renders the OpenAPI page in the formats html and json. |
Test-method-type | Postman or Web Browser |
Test method | Execute the /api URL of the implementation and verify that the response contains the landing page in the requested format: |
A | Use the URL query string f=html to request the HTML format of the OpenAPI page |
B | Use the URL query string f=json to request the JSON format of the OpenAPI page |
Conformance test A.27: Conformance Page Conformance Tests | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/conformance-page |
Requirements | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api Requirement 82: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-conformance-page |
Included in | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api |
Test purpose | Verify that the implementation renders the Conformance page in the formats html and json. |
Test-method-type | Postman or Web Browser |
Test method | Execute the /conformance URL of the implementation and verify that the response contains the conformance page in the requested format: |
A | Use the URL query string f=html to request the HTML format of the conformance page |
B | Use the URL query string f=json to request the JSON format of the conformance page |
Conformance test A.28: Decision Endpoint Conformance Tests | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api/decision-endpoint |
Requirements | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api Requirement 84: http://www.opengis.net/spec/geoxacml/3.0/req-class/ogc-api/req-api-decision |
Included in | Conformance class 4: http://www.opengis.net/spec/geoxacml/3.0/conf/ogc-api |
Test purpose | Verify that the implementation accepts ADR via HTTP POST and Content-Type application/geoxacml+xml and application/geoxacml+json if supported on the /decision path. |
Test-method-type | Postman or Web Browser |
Test method | Execute an HTTP POST request with a compliant ADR to the path /decision using the following HTTP Headers: |
A | Content-Type: application/geoxacml+xml (mandatory) |
B | Content-Type: application/geoxacml+json (optional) but mandatory if the implementation is compliant to GeoXACML 3.0 JSON Profile v1.0 |
Annex B
(informative)
Conformance Summary
This appendix lists all identifiers and their conformance classes.
B.1. Conformance Class Core
B.1.1. GeoXACML Data-type Geometry
urn:ogc:def:geoxacml:3.0:data-type:geometry
B.1.2. GeoXACML Functions Prefix
urn:ogc:def:geoxacml:3.0:function
B.1.3. GeoXACML Identifier Prefix
urn:ogc:def:geoxacml:3.0:identifier
B.1.4. GeoXACML Status Code Prefix
urn:ogc:def:geoxacml:3.0:status
B.1.5. GeoXACML Error Codes
urn:ogc:def:geoxacml:3.0:status:crs-error
urn:ogc:def:geoxacml:3.0:status:geometry-error
urn:ogc:def:geoxacml:3.0:status:geometry-collection-error
urn:ogc:def:geoxacml:3.0:status:precision-error
B.1.6. GeoXACML Attribute Identifiers
urn:ogc:def:geoxacml:3.0:identifier:subject-location
urn:ogc:def:geoxacml:3.0:identifier:device-location
urn:ogc:def:geoxacml:3.0:identifier:resource-location
urn:ogc:def:geoxacml:3.0:identifier:resource-extend
urn:ogc:def:geoxacml:3.0:identifier:resource-bbox
B.1.7. GeoXACML Default CRS
urn:ogc:def:crs:OGC::CRS84
B.1.8. GeoXACML XML element AttributeValue attributes
XML namespace: http://www.opengis.net/geoxacml/3.0
XML attribute: srid
XML attribute: precision
XML attribute: encoding
B.1.9. Geometry Functions
urn:ogc:def:geoxacml:3.0:function:geometry-dimension
urn:ogc:def:geoxacml:3.0:function:geometry-type
urn:ogc:def:geoxacml:3.0:function:geometry-is-empty
urn:ogc:def:geoxacml:3.0:function:geometry-is-simple
urn:ogc:def:geoxacml:3.0:function:geometry-srid
urn:ogc:def:geoxacml:3.0:function:geometry-srid-equals
urn:ogc:def:geoxacml:3.0:function:geometry-ensure-srid
urn:ogc:def:geoxacml:3.0:function:geometry-precision
urn:ogc:def:geoxacml:3.0:function:geometry-has-precision
urn:ogc:def:geoxacml:3.0:function:geometry-ensure-precision
B.1.10. Topology Predicates
urn:ogc:def:geoxacml:3.0:function:geometry-equals
urn:ogc:def:geoxacml:3.0:function:geometry-disjoint
urn:ogc:def:geoxacml:3.0:function:geometry-intersects
urn:ogc:def:geoxacml:3.0:function:geometry-touches
urn:ogc:def:geoxacml:3.0:function:geometry-crosses
urn:ogc:def:geoxacml:3.0:function:geometry-within
urn:ogc:def:geoxacml:3.0:function:geometry-contains
urn:ogc:def:geoxacml:3.0:function:geometry-overlaps
urn:ogc:def:geoxacml:3.0:function:geometry-relate
B.1.11. Analysis Functions
urn:ogc:def:geoxacml:3.0:function:geometry-length
urn:ogc:def:geoxacml:3.0:function:geometry-area
urn:ogc:def:geoxacml:3.0:function:geometry-distance
urn:ogc:def:geoxacml:3.0:function:geometry-distance-equals
urn:ogc:def:geoxacml:3.0:function:geometry-is-within-distance
B.1.12. XACML Bag / Set Functions
urn:ogc:def:geoxacml:3.0:function:geometry-bag-one-and-only
urn:ogc:def:geoxacml:3.0:function:geometry-bag-size
urn:ogc:def:geoxacml:3.0:function:geometry-is-in-bag
urn:ogc:def:geoxacml:3.0:function:geometry-bag
urn:ogc:def:geoxacml:3.0:function:geometry-bag-to-collection
urn:ogc:def:geoxacml:3.0:function:geometry-bag-from-collection
urn:ogc:def:geoxacml:3.0:function:geometry-bag-at-least-one-member-of
urn:ogc:def:geoxacml:3.0:function:geometry-bag-intersection
urn:ogc:def:geoxacml:3.0:function:geometry-bag-union
urn:ogc:def:geoxacml:3.0:function:geometry-bag-subset
urn:ogc:def:geoxacml:3.0:function:geometry-set-equals
B.2. Conformance Class Spatial Analysis
B.2.1. Analysis Functions
urn:ogc:def:geoxacml:3.0:function:geometry-envelope
urn:ogc:def:geoxacml:3.0:function:geometry-boundary
urn:ogc:def:geoxacml:3.0:function:geometry-buffer
urn:ogc:def:geoxacml:3.0:function:geometry-convex-hull
urn:ogc:def:geoxacml:3.0:function:geometry-intersection
urn:ogc:def:geoxacml:3.0:function:geometry-union
urn:ogc:def:geoxacml:3.0:function:geometry-difference
urn:ogc:def:geoxacml:3.0:function:geometry-sym-difference
urn:ogc:def:geoxacml:3.0:function:geometry-centroid
B.3. Conformance Class CRS Transformation
B.3.1. GeoXACML XML element AttributeValue attribute
XML namespace: http://www.opengis.net/geoxacml/3.0
XML attribute: allowTransformation
Annex C
(informative)
Issues and how they are resolved
Different conceptual issues were identified while creating the GeoXACML 3.0 Standard. This appendix explains the issues and how they were resolved.
C.1. Issue: Default CRS
The GeoXACML 3.0 Standard defines the Well-Known-Text (WKT) “string” and Well-Known-Binary (WKB) “hex-string” representation of a geometry. The WKT and WKB encodings do not include the value of the CRS that was used to calculate the values of the coordinates.
To support the WKT and WKB encoding of geometries, as specified in OGC Simple Features, the GeoXACML Core defines a default CRS. This default CRS is the same as the CRS defined in The GeoJSON Format.
Even though the definition of a default CRS ensures straightforward interoperability, a default CRS reduces flexibility where alternative CRS definitions are more appropriate. XACML defines two XML elements in XACML Version 3.0 XML Schema that allow specifying default key values:
<PolicySetDefaults> allows setting a default for the given key that is valid within the realm of a <PolicySet>; and
<PolicyDefaults> allows setting a default for the given key that is valid within the realm of a <Policy>.
It would be good if the GeoXACML core could specify a <CRS> element that contains the default CRS identifier for the scope of the <PolicySet> or <Policy>. Unfortunately, XACML does not define these elements to be extendable:
<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
<xs:complexType name="DefaultsType">
<xs:sequence>
<xs:choice>
<xs:element ref="xacml:XPathVersion"/>
</xs:choice>
</xs:sequence>
</xs:complexType>
<xs:element name="XPathVersion" type="xs:anyURI"/>
Figure C.1 — XACML Schema definition for the <PolicySetDefaults> and <PolicyDefaults>
To overcome the limitation of using the default CRS, any GeoXACML Policy or Authorization Decision Request (in XML) can override the default CRS by leveraging the AttributeValue attribute geoxacml:srid.
<xacml3:AttributeValue xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
geoxacml:srid="4326"
>POINT(38.889444 -77.035278)</xacml3:AttributeValue>
Figure C.2 — Geometry encoding example based on WKT and explicit SRID definition
C.2. Issue: CRS Processing Error
A GeoXACML 3.0 implementation can process multiple geometries in one function. In the case where the AttributeValue carries an explicit SRID definition, an implementation may have to abort processing when the SRID definition is not known, is misunderstood, or a coordinate transformation based upon the CRS results in an error. Furthermore, any function that has two or more parameters of type Geometry may fail when applying a coordinate transformation.
To signal that the cause is based on one or multiple SRID definitions, GeoXACML Core 3.0 defines the StatusCode value urn:ogc:def:geoxacml:3.0:status:crs-error.
To indicate the cause of the processing error, an application may list the involved SRIDs in the StatusDetail using the MissingAttributeDetail. The following example illustrates such a case.
<xacml3:Response xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd">
<xacml3:Result>
<xacml3:Decision>Indeterminate</xacml3:Decision>
<xacml3:Status>
<xacml3:StatusCode Value="urn:ogc:def:geoxacml:3.0:status:crs-error"/>
<xacml3:StatusMessage>Geometry must be encoded using specified SRID</xacml3:StatusMessage>
<xacml3:StatusDetail>
<xacml3:MissingAttributeDetail
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="subject-location"
DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry">
<xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
geoxacml:srid="3857"/>
</xacml3:MissingAttributeDetail>
</xacml3:StatusDetail>
</xacml3:Status>
</xacml3:Result>
</xacml3:Response>
Figure C.3 — GeoXACML Response indicating processing error caused by SRID
NOTE: The allowTransformation={True|False} can occur on an AttributeValue element contained in a XACML Policy or Authorization Decision Request. When the allowTransformation=True is present in the policy, the policy writer indicates explicit agreement that a coordinate transformation can take place. When the allowTransformation=True is present in an Authorization Decision Request, the PEP indicates explicit consent that the provided geometry may undergo a coordinate transformation while deriving an authorization decision.
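The CRS handling described in C.1 and C.2, as an added example that is not part of the standard: a Python sketch that resolves the effective CRS of two geometry operands and fails closed with the crs-error status when they differ and a transformation is not permitted. Treating a missing allowTransformation as permission, reading srid values as EPSG codes, and transforming the request operand into the policy operand's CRS are assumptions of this sketch; all function and variable names are hypothetical.

```python
import xml.etree.ElementTree as ET

GEOXACML_NS = "http://www.opengis.net/geoxacml/3.0"
DEFAULT_CRS = "urn:ogc:def:crs:OGC::CRS84"               # B.1.7
CRS_ERROR = "urn:ogc:def:geoxacml:3.0:status:crs-error"  # B.1.5


def effective_crs(value):
    """CRS of a geometry AttributeValue: explicit geoxacml:srid, else the default."""
    srid = value.get(f"{{{GEOXACML_NS}}}srid")
    if srid is None:
        return DEFAULT_CRS
    if not srid.isdigit():
        raise ValueError(f"unusable srid {srid!r}")
    return f"EPSG:{srid}"  # assumption: srid values are EPSG codes


def transformation_permitted(value):
    """Assumption: only an explicit allowTransformation="False" prohibits."""
    flag = value.get(f"{{{GEOXACML_NS}}}allowTransformation")
    return flag is None or flag.strip().lower() == "true"


def plan_evaluation(policy_xml, request_xml):
    """Decide how a two-geometry function may proceed for these operands."""
    operands = [ET.fromstring(policy_xml), ET.fromstring(request_xml)]
    try:
        crs = [effective_crs(v) for v in operands]
    except ValueError as exc:
        return {"action": "indeterminate", "status": CRS_ERROR, "detail": str(exc)}
    if crs[0] == crs[1]:
        return {"action": "evaluate", "crs": crs[0]}
    if all(transformation_permitted(v) for v in operands):
        return {"action": "transform", "from": crs[1], "to": crs[0]}
    # Fail closed: never compare coordinates across CRSs without consent.
    return {"action": "indeterminate", "status": CRS_ERROR, "detail": crs}


NS = ('xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" '
      f'xmlns:geoxacml="{GEOXACML_NS}" '
      'DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"')
# Constructed operands reusing the page's literals: one location, two CRSs.
POLICY_4326 = (f'<AttributeValue {NS} geoxacml:srid="4326">'
               'POINT(38.889444 -77.035278)</AttributeValue>')
REQUEST_CRS84 = f'<AttributeValue {NS}>POINT(-77.035278 38.889444)</AttributeValue>'
REQUEST_LOCKED = (f'<AttributeValue {NS} geoxacml:allowTransformation="False">'
                  'POINT(-77.035278 38.889444)</AttributeValue>')
REQUEST_BAD = f'<AttributeValue {NS} geoxacml:srid="WGS84">POINT(0 0)</AttributeValue>'

if __name__ == "__main__":
    for request in (REQUEST_CRS84, REQUEST_LOCKED, REQUEST_BAD):
        print(plan_evaluation(POLICY_4326, request))
```

The first two request operands carry identical coordinates; only the consent flag decides whether the PDP may reconcile the axis order and CRS or must return Indeterminate.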
C.3. Issue: XACML bag/set of geometries vs. GeometryCollection
OGC Simple Features, §6.1.3 defines a GeometryCollection as follows: “A GeometryCollection is a geometric object that is a collection of some number of geometric objects.” with the following constraint: “All the elements in a GeometryCollection shall be in the same Spatial Reference System. This is also the Spatial Reference System for the GeometryCollection.”
OGC Simple Features, §7.2.2 defines the Well-Known-Text encoding of a GeometryCollection.
Operations on an OGC Simple Features geometry instance may involve a GeometryCollection. For example, the ConvexHull method may return an empty GeometryCollection if the input geometry has zero points (is empty). Also, operations like Intersection or Union allow the processing of or result in a GeometryCollection.
XACML Version 3.0, §7.3.2 defines a bag of attributes as follows: “XACML defines implicit collections of its data types. XACML refers to a collection of values that are of a single data-type as a bag. Bags of data-types are needed because selections of nodes from an XML resource or XACML request context may return more than one value.” The XACML <AttributeDesignator> and <AttributeSelector> produce a bag of attributes from an Authorization Decision Request. Also, XACML3 defines operations on a bag of attributes and on bags.
XACML Version 3.0, §A.3.10 defines bag functions and §A.3.11 defines set functions. The difference between a bag and set is that a set shall not contain any duplicates.
GeoXACML 3 Core inherits the GeometryCollection by adopting the geometry model from OGC Simple Features, and inherits the bag / set and their processing semantics from XACML Version 3.0.
In order to switch between the processing semantics from XACML 3.0 bag / set to Simple Features and vice versa, GeoXACML 3.0 Core defines the functions urn:ogc:def:geoxacml:3.0:function:geometry-bag-to-collection and urn:ogc:def:geoxacml:3.0:function:geometry-bag-from-collection.
To avoid processing errors caused by a GeometryCollection containing different geometry types, the GeoXACML 3.0 Core restricts their use to a homogeneous GeometryCollection. All geometries of a homogeneous GeometryCollection have the same type.
C.3.1. Example converting from XACML Bag to GeometryCollection
A Policy may specify a condition that requires an assertion of equality of all geometries in an Authorization Decision Request with a given GeometryCollection. The input to the Equals function can be a GeometryCollection but not a XACML bag of geometries as returned by the <AttributeDesignator> or <AttributeSelector>.
To calculate the GeometryCollection, the Policy writer may leverage the function urn:ogc:def:geoxacml:3.0:function:geometry-bag-from-collection as follows:
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:ogc:def:geoxacml:3.0:function:geometry-equals">
<!-- Result is Simple Features GeometryCollection -->
<xacml3:Apply FunctionId="urn:ogc:def:geoxacml:3.0:function:geometry-bag-to-collection">
<!-- Result is XACML3 bag -->
<xacml3:AttributeDesignator AttributeId="subject-location"
DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject"
MustBePresent="true"/>
</xacml3:Apply>
<xacml3:AttributeValue xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
>GEOMETRYCOLLECTION(Point (-122.4538755 37.8106729), POINT(-77.035278 38.889444))</xacml3:AttributeValue>
</xacml3:Apply>
</xacml3:Condition>
Figure C.4 — GeoXACML Condition that converts the XACML bag of geometries to a GeometryCollection
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ReturnPolicyIdList="false"
CombinedDecision="false"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject">
<Attribute AttributeId="subject-location" IncludeInResult="false">
<AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry">Point (-122.4538755 37.8106729)</AttributeValue>
</Attribute>
<Attribute AttributeId="subject-location" IncludeInResult="false">
<AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry">Point (-77.035278 38.889444)</AttributeValue>
</Attribute>
</Attributes>
</Request>
Figure C.5 — GeoXACML Authorization Decision Request producing a bag of geometries
The request above produces a bag of Geometries with AttributeId value subject-location.
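The bag-to-GeometryCollection step from C.3, as an added example that is not part of the standard: a Python sketch that collects the geometry bag an AttributeDesignator would return for the request in Figure C.5 and converts it into GeometryCollection WKT, refusing mixed geometry types. The mapping of failures to the geometry-error and geometry-collection-error status codes, the handling of an empty bag, and all function names are assumptions of this sketch; members are assumed to share one CRS.

```python
import re
import xml.etree.ElementTree as ET

XACML = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
GEOMETRY = "urn:ogc:def:geoxacml:3.0:data-type:geometry"
STATUS = "urn:ogc:def:geoxacml:3.0:status:"
SUBJECT = "urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject"

# Constructed copy of the request in Figure C.5 (schemaLocation omitted).
REQUEST = f"""<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="{SUBJECT}">
    <Attribute AttributeId="subject-location" IncludeInResult="false">
      <AttributeValue DataType="{GEOMETRY}">Point (-122.4538755 37.8106729)</AttributeValue>
    </Attribute>
    <Attribute AttributeId="subject-location" IncludeInResult="false">
      <AttributeValue DataType="{GEOMETRY}">Point (-77.035278 38.889444)</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


class Indeterminate(Exception):
    """Raised with the StatusCode a PDP would attach to Decision Indeterminate."""


def geometry_bag(request_xml, category, attribute_id):
    """Emulate an AttributeDesignator: all matching geometry values, as WKT."""
    root = ET.fromstring(request_xml)
    return [value.text
            for attrs in root.iter(XACML + "Attributes")
            if attrs.get("Category") == category
            for attr in attrs.iter(XACML + "Attribute")
            if attr.get("AttributeId") == attribute_id
            for value in attr.iter(XACML + "AttributeValue")
            if value.get("DataType") == GEOMETRY]


def bag_to_collection(bag):
    """Build GEOMETRYCOLLECTION WKT from a bag, refusing mixed geometry types."""
    members, types = [], set()
    for wkt in bag:
        match = re.fullmatch(r"\s*([A-Za-z]+)\s*(\(.*\))\s*", wkt, re.S)
        if match is None:
            raise Indeterminate(STATUS + "geometry-error")
        types.add(match.group(1).upper())
        members.append(match.group(1).upper() + match.group(2))
    if len(types) > 1:  # GeoXACML Core only allows homogeneous collections
        raise Indeterminate(STATUS + "geometry-collection-error")
    if not members:
        return "GEOMETRYCOLLECTION EMPTY"
    return "GEOMETRYCOLLECTION(" + ", ".join(members) + ")"


def status_of(bag):
    """Return the collection WKT, or the status URN when conversion fails."""
    try:
        return bag_to_collection(bag)
    except Indeterminate as error:
        return error.args[0]
```

An AttributeId that differs from the request by a single character selects nothing, so the designator yields an empty bag rather than an error unless MustBePresent is true.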
C.4. Issue: NULL Geometry
The GML encoding of geometry allows defining a ‘NULL’ geometry.
GeoXACML 3 Core does support the encoding of geometries using WKT and WKB but not GML. Therefore, this issue of how to operate on a ‘NULL’ geometry must be addressed when writing a GeoXACML 3.0 GML Encoding Extension.
C.5. Issue: Circle Geometry
GeoXACML 3.0 Core does not support the geometry type Circle because it is not supported by the OGC Simple Features Standard. However, use cases exist that would naturally be best solved using a Circle geometry: Permit decision if the user’s location (a Point) is within the coverage of a GSM Cell described by a Circle. Such a condition can be expressed by leveraging the urn:ogc:def:geoxacml:3.0:function:geometry-is-within-distance function:
<xacml3:Rule Effect="Permit" RuleId="rule:isWithinDistance">
<xacml3:Description>This rule constrains access based on a Point and distance</xacml3:Description>
<xacml3:Target/>
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:ogc:def:geoxacml:3.0:function:geometry-is-within-distance">
<!-- distance is equal to radius in Meter because EPSG:3857 measures in 'm'-->
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">1500</xacml3:AttributeValue>
<!-- Point is center of circle -->
<xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
geoxacml:srid="3857"
>POINT(-21180911.712903 12601672.604027)</xacml3:AttributeValue>
<!-- bag-one-and-only takes the bag returned by the designator as its only argument -->
<xacml3:Apply FunctionId="urn:ogc:def:geoxacml:3.0:function:geometry-bag-one-and-only">
<xacml3:AttributeDesignator AttributeId="subject-location"
DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
Category="urn:oasis:names:tc:xacml:3.0:subject-category:access-subject"
MustBePresent="false"/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
Figure C.6 — GeoXACML Condition 'within a circle'
The above Rule fires Permit if the subject-location is within 1500m from the Washington Monument (the fictitious location of the GSM cell tower).
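How the Rule of Figure C.6 evaluates, as an added example that is not part of the standard: a Python sketch covering the inside, outside, missing-location and mismatched-SRID cases, plus the ground distance a 3857 radius really covers. It assumes a Core-only PDP that does not transform between CRSs and that the one-and-only reduction yields Indeterminate unless the bag holds exactly one value; the subject locations are constructed and all names are hypothetical.

```python
import math
import re

NUM = r"([-+]?\d+(?:\.\d+)?)"
POINT_WKT = re.compile(rf"\s*POINT\s*\(\s*{NUM}\s+{NUM}\s*\)\s*", re.I)

# Circle centre and radius taken from the policy literal in Figure C.6.
CENTRE = (3857, "POINT(-21180911.712903 12601672.604027)")
RADIUS = 1500.0
# Constructed subject locations: 1000 and 2000 projected units from the centre.
INSIDE = (3857, "POINT(-21180311.712903 12602472.604027)")
OUTSIDE = (3857, "POINT(-21179711.712903 12603272.604027)")


def parse_point(wkt):
    """Return (x, y) of a WKT POINT or raise ValueError."""
    match = POINT_WKT.fullmatch(wkt)
    if match is None:
        raise ValueError(f"not a POINT: {wkt!r}")
    return float(match.group(1)), float(match.group(2))


def rule_within_circle(centre, radius, subject_bag):
    """Evaluate the Rule for a bag of (srid, wkt) subject locations.

    Returns "Permit", "NotApplicable" (condition false) or "Indeterminate".
    """
    # MustBePresent="false" lets a missing attribute through as an empty bag;
    # the one-and-only reduction then stops it from ever reaching Permit.
    if len(subject_bag) != 1:
        return "Indeterminate"
    (srid, wkt), (centre_srid, centre_wkt) = subject_bag[0], centre
    if srid != centre_srid:  # no silent cross-CRS comparison
        return "Indeterminate"
    try:
        (x, y), (cx, cy) = parse_point(wkt), parse_point(centre_wkt)
    except ValueError:
        return "Indeterminate"
    within = math.hypot(x - cx, y - cy) <= radius
    return "Permit" if within else "NotApplicable"


def ground_radius(projected_radius, latitude_deg):
    """Approximate ground metres spanned by a radius given in EPSG:3857 units.

    Web Mercator stretches distances by about 1/cos(latitude), so the area
    actually permitted on the ground is smaller than the nominal radius.
    """
    return projected_radius * math.cos(math.radians(latitude_deg))


if __name__ == "__main__":
    for bag in ([INSIDE], [OUTSIDE], [], [INSIDE, OUTSIDE]):
        print(len(bag), rule_within_circle(CENTRE, RADIUS, bag))
    # Latitude of the POINT literal in Figure C.2.
    print(round(ground_radius(RADIUS, 38.889444), 1))
```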
C.6. RFC Response: Backwards Compatibility
GeoXACML 3.0 extends the OASIS XACML 3.0 Standard. GeoXACML 1.0 extends the OASIS XACML 2.0 Standard. Because XACML 3.0 is not backwards compatible to XACML 2.0, GeoXACML 3.0 is not backwards compatible to GeoXACML 1.0. In particular, the following aspects illustrate the most important issues with backwards compatibility.
The policy structure is not backwards compatible: A XACML 2.0 policy cannot be used with a XACML 3.0 implementation. Therefore, a GeoXACML 1.0 policy cannot be used with a GeoXACML 3.0 policy.
The AD/ADR structure is not backwards compatible: A XACML 2.0 authorization decision / request cannot be used with a XACML 3.0 implementation.
However, GeoXACML 3.0 is using the same geometry model as GeoXACML 1.0. Therefore, any GeoXACML 1.0 policy can be transformed from the XACML 2.0 into the XACML 3.0 structure (e.g., using XSLT). When transferring a 1.0 policy to a 3.0 policy, all URNs must be updated. This procedure should include a verification regarding the used CRS and a validation of the function signature.
C.7. RFC Response: Encoding
The recommendation to use the <AttributeValue> attribute encoding to separate between WKT and WKB encoded geometry values was adopted.
C.8. RFC Response: XACML 3.0 — 2017
The recommendation to update the normative reference for XACML 3.0 was adopted.
Annex D
(informative)
Revision History
Table D.1
Date | Release | Editor | Primary clauses modified | Description |
---|---|---|---|---|
2022-11-07 | 0.1 | Andreas Matheus | all | initial version |
2022-12-13 | 0.2 | Andreas Matheus | all | soundness of definitions |
2022-12-23 | 0.3 | Andreas Matheus | all | added Annex C containing a list of all identifiers per conformance class, use of AsciiDoc attributes to avoid redundancy with identifiers |
2023-01-10 | 0.4 | Andreas Matheus | all | applied changes from pull request |
2023-01-13 | 0.5 | Andreas Matheus | all | applied OGC NA-Policy to Metanorma annotations |
2023-02-06 | 0.6 | Andreas Matheus | all | Carl Reed comments incorporated |
2023-05-02 | 0.7 | Andreas Matheus | all | Comments from RFC incorporated and OGC-NA URN resolution applied |