OASIS Mailing List Archives
xacml-comment message



Subject: [xacml-comment] RE: XACML questions ...


Gene - I'll pass your questions on to the XACML comment list, in order to ensure that they get recorded and addressed, and that any lack of clarity is corrected.

Basically, attributes of subjects, resources and actions (but not environment) may appear in a policy's target.  A policy is applicable to a request if at least one of its subject matches is true AND at least one of its resource matches is true AND at least one of its action matches is true.  AttributeSelector may be used in any of these match types.  In the case of a subject match, for instance, the "context" node for the XPath expression is xacml-context/Subject.  And similarly for the other types.

On the other hand, AttributeSelector may also be used in an Apply element to define an argument to an expression.  In this case, the "context" node for the XPath expression is the whole xacml:context.  So, it can select any attribute of any entity (subject, resource, action or environment), but it has to explicitly indicate which type of entity is intended.

Hope this helps.  All the best.  Tim.
-----Original Message-----
From: Gene Thurston [mailto:gthurston@amberpoint.com]
Sent: Wednesday, November 20, 2002 8:21 PM
To: 'Tim Moses'
Subject: XACML questions ...

Hi Tim,

I was working with the latest XACML draft, and I had a few questions, mostly around the optional XPath capability outlined in it:

  1. Why is there no <EnvironmentMatch>, similar to <SubjectMatch>, <ResourceMatch>, and <ActionMatch>?
  2. When used inside a <SubjectMatch> element, is the XPath expression found in the <AttributeSelector> evaluated over the entire context document, or just over the <Subjects> sub-tree?
  3. Same question for <ResourceMatch> and <ActionMatch>?
  4. If the answer to the above is that the XPath expressions are always evaluated over the entire context document, then what are the semantics if such an expression inside, say, a <SubjectMatch> element evaluates to something outside the <Subjects> sub-tree?  Is this just, “OK” (as I suspect), or is there supposed to be something special about the fact that it was inside a <SubjectMatch> so we shouldn’t match anything outside the subject’s attributes?
  5. If it is “OK”, then there is no difference between <SubjectMatch>, <ResourceMatch>, or <ActionMatch>, and perhaps there should be a generic <AttributeSelectorMatch> or something similar?

I would much appreciate any clarifications here.

Thanks,

- Gene Thurston -

AmberPoint, Inc.
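The target-matching and AttributeSelector context-node rules Tim describes above, as an added example that is not part of the original thread and not code from any XACML implementation. It evaluates a policy target (subject, resource and action matches, each an XPath relative to its own category element, combined as "at least one true in each category" AND-ed together) against a constructed request context, and separately evaluates a selector inside an Apply against the whole context. Simplifications that are this example's own: XML namespaces are dropped so Python's ElementTree XPath subset can be used, the only match function is string equality, and an empty match list stands in for AnySubject/AnyResource/AnyAction. The `Match`, `Target` and `evaluate_examples` names are invented for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample request context (not from the thread). Namespaces are
# omitted; a real XACML 1.0 context is in the xacml-context namespace.
REQUEST_XML = """
<Request>
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="role"><AttributeValue>physician</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue>/records/patient/123</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <Attribute AttributeId="time-of-day"><AttributeValue>14:00</AttributeValue></Attribute>
  </Environment>
</Request>
"""

ROLE = "Attribute[@AttributeId='role']/AttributeValue"
RESOURCE_ID = ("Attribute[@AttributeId='urn:oasis:names:tc:xacml:1.0:"
               "resource:resource-id']/AttributeValue")
ACTION_ID = ("Attribute[@AttributeId='urn:oasis:names:tc:xacml:1.0:"
             "action:action-id']/AttributeValue")


@dataclass
class Match:
    """One SubjectMatch/ResourceMatch/ActionMatch (hypothetical model): an
    AttributeSelector XPath, evaluated relative to the category's context
    node, compared for string equality with a literal AttributeValue."""
    selector: str
    value: str


@dataclass
class Target:
    """Policy target. An empty list means AnySubject/AnyResource/AnyAction
    (this example's convention); otherwise at least one Match must be true."""
    subjects: list = field(default_factory=list)
    resources: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def select(context_node, xpath):
    """Evaluate an AttributeSelector XPath relative to context_node; return
    the text of every selected node (a bag of strings, possibly empty)."""
    return [n.text or "" for n in context_node.findall(xpath)]


def match_is_true(context_node, match):
    # string-equal over the bag: true if any selected value equals the literal
    return match.value in select(context_node, match.selector)


def category_applies(category_nodes, matches):
    if not matches:  # AnySubject / AnyResource / AnyAction
        return True
    return any(match_is_true(node, m) for node in category_nodes for m in matches)


def target_applies(target, request):
    """Applicable iff at least one subject match AND at least one resource
    match AND at least one action match is true. Each match's XPath is
    evaluated with its own category element (Subject, Resource, Action) as
    the context node, so a SubjectMatch cannot see resource attributes."""
    return (category_applies(request.findall("Subject"), target.subjects)
            and category_applies(request.findall("Resource"), target.resources)
            and category_applies(request.findall("Action"), target.actions))


def apply_select(request, xpath):
    """AttributeSelector inside <Apply>: the context node is the whole
    request, so the XPath must name the entity it reads from explicitly."""
    return select(request, xpath)


def evaluate_examples():
    request = ET.fromstring(REQUEST_XML)
    physician_or_nurse_read_write = Target(
        subjects=[Match(ROLE, "physician"), Match(ROLE, "nurse")],
        resources=[Match(RESOURCE_ID, "/records/patient/123")],
        actions=[Match(ACTION_ID, "read"), Match(ACTION_ID, "write")])
    write_only = Target(actions=[Match(ACTION_ID, "write")])
    # A SubjectMatch whose selector tries to reach the Resource element:
    # relative to <Subject> the path selects nothing, so the match is false
    # even though the value exists elsewhere in the context document.
    subject_match_reaching_resource = Target(
        subjects=[Match("Resource/" + RESOURCE_ID, "/records/patient/123")])
    return {
        "physician_read": target_applies(physician_or_nurse_read_write, request),
        "write_only": target_applies(write_only, request),
        "subject_match_reaching_resource":
            target_applies(subject_match_reaching_resource, request),
        # Inside Apply the whole context is visible, environment included.
        "apply_environment": apply_select(
            request, "Environment/Attribute[@AttributeId='time-of-day']/AttributeValue"),
    }


if __name__ == "__main__":
    for name, result in evaluate_examples().items():
        print(f"{name}: {result}")
```

The third target shows the answer to Gene's question 4 under the semantics Tim gives: because the context node for a SubjectMatch is the Subject element, a selector that names another entity simply selects nothing and the match fails, which is why the three match types are not interchangeable. Only a selector inside an Apply, evaluated against the whole context, can read the Environment attribute.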


