[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml-comment] Comment on condition element
A rule may hold both a target and a condition, but 631 The <Target> element may be absent from a <Rule>. In this case, the <Rule> inherits its target 632 from the parent <Policy> element. A policy may hold a target but is not permitted to hold a condition. Why is a condition not permitted at the policy (or policy set) level? If a policy target is intended to server the function of a rule target in the absence of a target in the rule then why can a policy level condition not also be allowed? An example where this would be useful is if policy objects are identified with roles. In this context there is an over-arching policy-wide reqirement that the subject be a member of the associated role. This would probably need to be described as a condition - and most conveniently as a policy level condition. However this is not possible in the current specification. Thanks ---------------------------------------------------------------------------- David Sutton Software Architect Critical Path 42-47 Lower Mount St. Dublin 2 Ireland +353 1 241 5063 (Direct) +353 86 814 4011 (Mobile) +353 1 241 5170 (Fax) David.Sutton@criticalpath.net http://www.criticalpath.net Critical Path A global leader in Digital Communications ----------------------------------------------------------------------------
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC