Subject: Re: [xacml-comment] Comment on condition element
David,

I'm sorry we did not respond to you earlier. I hope this answers your questions.

Anne

On 10 December, David Sutton writes: [xacml-comment] Comment on condition element

> A rule may hold both a target and a condition, but
>
> 631 The <Target> element may be absent from a <Rule>. In this case, the <Rule> inherits its target
> 632 from the parent <Policy> element.
>
> A policy may hold a target but is not permitted to hold a condition.
>
> Why is a condition not permitted at the policy (or policy set) level?

A "policy" or "policy set" is simply a structure for aggregating rules, along with information about how to resolve conflicts between the results of the rules. If you want a condition at the policy or policy set level, include a rule.

> If a policy target is intended to serve the function of a rule target in
> the absence of a target in the rule then why can a policy level condition
> not also be allowed?

There may be many rules that apply to the same target, so we allowed a rule to inherit the policy target rather than having to repeat the target in each rule.

> An example where this would be useful is if policy objects are identified
> with roles. In this context there is an over-arching policy-wide requirement
> that the subject be a member of the associated role. This would probably
> need to be described as a condition - and most conveniently as a policy
> level condition. However this is not possible in the current specification.

You could make the role requirement part of the target of the policy.

Anne Anderson

-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
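As an added illustration of the arrangement Anne describes (constructed for this page, not taken from the thread or from the XACML specification text): the policy-wide role requirement sits in the Policy Target, a Rule that omits its own Target inherits it, and a rule-level Condition carries the comparison that a Target cannot express. The role and owner attribute identifiers are assumed local names, not standard XACML attributes.

```xml
<!-- Constructed example. The role and owner AttributeIds are assumed
     local names; the function and subject-id identifiers are XACML 1.0. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="urn:example:policy:clerk-access"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">

  <!-- Policy-wide requirement: the subject must hold the "clerk" role.
       Every rule below that has no <Target> of its own inherits this. -->
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">clerk</AttributeValue>
          <SubjectAttributeDesignator
              AttributeId="urn:example:attribute:role"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <!-- No <Target> here, so the rule is only reached for clerks. The
       Condition compares two request attributes (requester vs. record
       owner), which a Target's literal-value matches cannot do. -->
  <Rule RuleId="urn:example:rule:own-records-only" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <ResourceAttributeDesignator
            AttributeId="urn:example:attribute:owner"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>

  <!-- Also inherits the policy target; deny-overrides makes it the
       fallback for clerks whose request fails the rule above. -->
  <Rule RuleId="urn:example:rule:deny-otherwise" Effect="Deny"/>
</Policy>
```

Because the role check lives in the Policy Target, a request from a non-clerk makes the whole policy NotApplicable rather than reaching either rule.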