an idea about XACML Admin Draft

[xiaofeng <xiaofeng03@iscas.cn>]

Dear XACML Committee,

During reading and using XACML Administrative policy draft (thanks Mr. Erik Rissanen patiently 
help me precisely understanding the draft) , I feel the policy/policyset type definition 
and the deletage in rule matching processing is not clear. I think changing some definitions maybe
make it clearer. My ideas are following.

Adding an attribute in policyset and policy. The attribute likes :
<xs:attribute name=¡±PolicyType¡± type=¡±xacml:policyType¡± use=¡±required¡±>

The value of policytype maybe Access, Administrative and both.
Access and both mean the policy/set is applied to access request.
Administrative and both mean the policy/set is applied to adminstrative request.

The AllowAccessRequest attribute of Delegates could be deleted.

If policytype is access , it is never match administrative request.
If policytype is administraitve, it is never match access request.
If policytype is both, request is access request the delegate is missing.

Then,the delegates processing idea is same as Subjects, Resources etc. If the policy/set is administrative policy ,for an 
administrative request, it means there is no constraint or any delegate. The rule evaluation processsing almost
same as xacml core,except adding delegate matching,but which is same as Subjects etc.


Another virtue is we could hierarchically describing constraints on delegate through policyset, policy and rule.


Best Regards

-----------------------------------------------------------------------
Li XiaoFeng
Email:xiaofeng03 (at) iscas (dot) cn
      lxf (at) is (dot) iscas (dot) ac (dot) cn
Department:LOIS,Institute of Software Chinese Academy of Sciences
Address:4# South Fourth Street, Zhong Guan Cun, Beijing,P.R. CHINA
-----------------------------------------------------------------------
2006.08.4