
Subject: Re: [xacml-comment] About the Syntax and Semantics of <AttributeAssignment>



Hi,

For example, assume the attribute selector selects two text nodes
representing "Alice" and "Bob".

Then

<Policy>
...
<Obligations FulfillOn="Permit">
  <Obligation ObligationId="mail">
    <AttributeAssignment AttributeId="mailto">
      <AttributeSelector RequestContextPath="//md:email/text()"/>
    </AttributeAssignment>
  </Obligation>
</Obligations>
...
</Policy>

would result in the following:

<Response>
  <Result>
    <Decision>Permit</Decision>
    <Obligations>
      <Obligation ObligationId="mail">
        <AttributeAssignment AttributeId="mailto">
          <AttributeValue>Alice</AttributeValue>
          <AttributeValue>Bob</AttributeValue>
        </AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>

(The "DataType" attributes are omitted)

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com


                                                                                                                                   
From:     Satoshi Hada/Japan/IBM@IBMJP
Date:     2003/02/21 12:48
To:       XACML COMMENT <xacml-comment@lists.oasis-open.org>
cc:
Subject:  Re: [xacml-comment] About the Syntax and Semantics of <AttributeAssignment>




Hi,

>> In this case, <AttributeSelector> is used to specify
>> the content of the attribute assignment.
>> It seems to me that the semantics is not defined anywhere.
>> Section 5.36 should define it.

I think that, given a request context,
the <AttributeSelector> element in an <AttributeAssignment>
is evaluated using the request context,
the evaluation results in a BAG of attribute values, and
the BAG should be put in the response context.

However, I don't think that the syntax for representing
a BAG of attribute values is defined by the XACML schema.

One solution is to allow the <AttributeAssignment> element to
have multiple <AttributeValue> elements as child elements to represent
the BAG of attribute values.

The same is true for <AttributeDesignator>.

Related comments:
The XACML spec should clarify whether the <AttributeAssignment> element
is allowed to have multiple <AttributeValue>, <AttributeSelector> and
<AttributeDesignator> elements as child elements.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



From:     Satoshi Hada/Japan/IBM@IBMJP
Date:     2003/02/21 10:54
To:       XACML COMMENT <xacml-comment@lists.oasis-open.org>
cc:
Subject:  [xacml-comment] About the Syntax and Semantics of <AttributeAssignment>






Hi,

I've just found an <AttributeAssignment> element has
three kinds of child elements in Section 4.2.4.3 (Rule 3)

<AttributeAssignment AttributeId=
    "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
    DataType="http://www.w3.org/2001/XMLSchema#string">
  <AttributeSelector RequestContextPath=
      "//md:/record/md:patient/md:patientContact/md:email"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
</AttributeAssignment>

In this case, <AttributeSelector> is used to specify
the content of the attribute assignment.

It seems to me that the semantics is not defined anywhere.
Section 5.36 should define it.

<AttributeAssignment AttributeId=
    "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
    DataType="http://www.w3.org/2001/XMLSchema#string">
  <AttributeValue>
    Your medical record has been accessed by:
  </AttributeValue>
</AttributeAssignment>

In this case, <AttributeValue> is used to specify
the content of the attribute assignment.
Again, Section 5.36 should define the semantics.

Also, is the syntax of this <AttributeValue> element
the same as defined in the XACML schema, i.e.,
<xs:element name="AttributeValue" type="xacml:AttributeValueType"/> ???
If yes, the DataType attribute must be added (because it is REQUIRED).

<AttributeAssignment AttributeId=
    "urn:oasis:names:tc:xacml:example:attribute:text"
    DataType="http://www.w3.org/2001/XMLSchema#string">
  <SubjectAttributeDesignator AttributeId=
      "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
</AttributeAssignment>

In this case, <AttributeDesignator> is used to specify
the content of the attribute assignment.
Again, Section 5.36 should define the semantics.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
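
The bag semantics proposed in this thread, as an added example that is not part of the original messages or of any XACML implementation: a selector is evaluated against a request context, the resulting bag is written as one <AttributeValue> per member, and the enforcement side reads all of them back. The `md` namespace URI, the request document and the function names are constructed for illustration, and ElementTree's limited XPath stands in for full XPath evaluation.

```python
import xml.etree.ElementTree as ET

# Constructed namespace and request context; the thread does not give them.
MD_NS = {"md": "urn:example:md"}
REQUEST_CONTEXT = """
<Request xmlns:md="urn:example:md">
  <Resource>
    <ResourceContent>
      <md:record>
        <md:patient>
          <md:patientContact><md:email>Alice</md:email></md:patientContact>
          <md:patientContact><md:email>Bob</md:email></md:patientContact>
        </md:patient>
      </md:record>
    </ResourceContent>
  </Resource>
</Request>
"""

def evaluate_selector(request_xml, element_path=".//md:email"):
    """Return the bag (a list, duplicates kept) of selected text values.

    ElementTree has no text() node test, so the thread's
    //md:email/text() is approximated by selecting md:email elements
    and reading their text content.
    """
    root = ET.fromstring(request_xml)
    return [e.text for e in root.findall(element_path, MD_NS) if e.text]

def build_obligation(obligation_id, attribute_id, bag):
    """Serialize the bag as one <AttributeValue> child per member."""
    obligation = ET.Element("Obligation", ObligationId=obligation_id)
    assignment = ET.SubElement(obligation, "AttributeAssignment",
                               AttributeId=attribute_id)
    for value in bag:
        ET.SubElement(assignment, "AttributeValue").text = value
    return obligation

def read_assignment(obligation, attribute_id):
    """Enforcement side: collect every value, not only the first child."""
    return [v.text
            for a in obligation.findall("AttributeAssignment")
            if a.get("AttributeId") == attribute_id
            for v in a.findall("AttributeValue")]

if __name__ == "__main__":
    ob = build_obligation("mail", "mailto", evaluate_selector(REQUEST_CONTEXT))
    print(ET.tostring(ob, encoding="unicode"))
    print(read_assignment(ob, "mailto"))
```

A consumer that reads only the first <AttributeValue> would act on "Alice" and silently drop "Bob", which is why the multi-valued form needs to be defined in the schema rather than left to each implementation.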





