Subject: Suggested core changes for Attribute by-value queries
Working off of the last call PDF: http://www.oasis-open.org/apps/org/workgroup/security/download.php/7737

1002-1066: We merge the AttributeDesignator and Attribute elements/types into a single Attribute element and AttributeType type that is structurally identical to the derived version we have now (permits 0 to many AttributeValue elements). This would be used anywhere we currently refer to AttributeDesignator.

A value-less element is interpreted based on context. In a request or metadata situation, no values implies no requirements with respect to specific values. In an AttributeStatement, no values means the attribute has no values, as the text says now. We should be explicit about this, since Attribute could get used somewhere else and that new use should be clear on what the meaning is.

1633: AttributeQuery would contain 0 or more Attribute elements. As now, zero indicates that all attributes and values should be returned subject to policy. No Attribute with the same NameFormat and Name can appear twice in a single query (enforced in prose, allows sequential processing of attributes with undefined behavior if you violate the rule).

An Attribute with no values is a query for all applicable values of that Attribute, subject to policy. An Attribute with one or more values in the query means that only the named values can be in the assertion(s) returned. Not all the values named nor all the Attributes named need be returned, just as is true now.

Regarding value comparisons, I would suggest text that says in the absence of an attribute profile stating otherwise, value comparison should be based on XML "equality" in the strictest sense. What goes in must come out.

We don't need to state it, but the obvious implementation would be to just copy the Attribute elements into a template statement and then go through pruning any attributes or values not held or not permitted to release. That way we get more power, and easier code. ;-)

I think that's it.

-- Scott
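An added illustration of the copy-then-prune implementation sketched in the message (my code, not Scott's and not from any SAML draft): the query's Attribute elements become the template statement, a repeated (NameFormat, Name) is rejected, an empty query asks for everything held, a value-less Attribute asks for all its values, and named values are matched by strict XML equality before the release policy prunes them. The namespace and NameFormat URIs are SAML 2.0's; the attribute names, held values and policy callback are constructed sample data.

```python
import xml.etree.ElementTree as ET
from copy import deepcopy

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"            # SAML 2.0 assertion namespace
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"   # NameFormat used by the sample
ATTR, VALUE, STMT = (f"{{{SAML}}}{n}" for n in ("Attribute", "AttributeValue", "AttributeStatement"))

def attr_key(attr):
    return (attr.get("NameFormat"), attr.get("Name"))   # an Attribute's identity in a query

def xml_equal(a, b):
    """Strict XML equality: same tag, attributes, text and children, recursively."""
    return (a.tag == b.tag and a.attrib == b.attrib and (a.text or "") == (b.text or "")
            and len(a) == len(b) and all(xml_equal(x, y) for x, y in zip(a, b)))

def answer_query(query, held, release_ok):
    """Copy the query's Attribute elements into a template statement, then prune.
    held: {(NameFormat, Name): [AttributeValue elements]}; release_ok(key, value) -> bool."""
    templates = query.findall(ATTR)
    keys = [attr_key(a) for a in templates]
    if len(keys) != len(set(keys)):   # prose rule: no (NameFormat, Name) may appear twice
        raise ValueError("Attribute repeated in AttributeQuery")
    if not templates:                 # zero Attributes: everything held, subject to policy
        templates = [ET.Element(ATTR, {"NameFormat": f, "Name": n}) for f, n in held]
    stmt = ET.Element(STMT)
    for tmpl in templates:
        key = attr_key(tmpl)
        wanted = tmpl.findall(VALUE)
        out = ET.SubElement(stmt, ATTR, dict(tmpl.attrib))
        for v in held.get(key, []):   # not held: no candidates, so the Attribute is pruned below
            # no values named: every held value is a candidate; else only strictly equal ones
            if (not wanted or any(xml_equal(v, w) for w in wanted)) and release_ok(key, v):
                out.append(deepcopy(v))
        if len(out) == 0:             # nothing releasable: drop it rather than assert "no values"
            stmt.remove(out)
    return stmt

QUERY_XML = f"""<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML}">
  <saml:Attribute NameFormat="{URI}" Name="affiliation">
    <saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="{URI}" Name="mail"/>
</samlp:AttributeQuery>"""

def val(text): return ET.fromstring(f'<AttributeValue xmlns="{SAML}">{text}</AttributeValue>')

def demo():   # constructed held values plus a policy that withholds mail; returns [(Name, [values])]
    held = {(URI, "affiliation"): [val("member"), val("faculty")],
            (URI, "mail"): [val("scott@example.org")], (URI, "title"): [val("Architect")]}
    stmt = answer_query(ET.fromstring(QUERY_XML), held, lambda key, v: key[1] != "mail")
    return [(a.get("Name"), [v.text for v in a.findall(VALUE)]) for a in stmt.findall(ATTR)]
```

In the sample, only "member" survives for affiliation (it is held and named; "faculty" is held but not named, "staff" is named but not held), the mail Attribute is pruned by policy, and title is never in the template because it was not asked for.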