Subject: Work continues ...
Hi,

the simple type EffectType is only specified in the XML Schema, not in the normative text.

Is there any defined behaviour for circular <VariableDefinition>s? See the appended file circvar.pol for an example. sunxacml currently produces a stack overflow. Maybe it would be sane to require an "Indeterminate" result. See section 7.7, which is currently silent about this issue.

Please check the whole standard for instances where the XML Schema deviates from the normative text, but is more correct than the normative text. Especially the [Optional] text where [Any Number] is meant.

5.28 has a bug. If a <Function> element has an <Apply> with a bag function as parent, this doesn't necessarily mean that the function is applied to all elements of the bags. (hint: any-of-any) Please remove this redundant and harmful statement.

In section 5.29, you mention some explicit cases where an <AttributeDesignator> MAY appear. This doesn't imply anything, but it sounds like you wanted to say that an <AttributeDesignator> SHALL NOT appear directly in a <VariableDefinition>, for example.

By the way, the normative text often misses to state the data type of the element's attributes, for example in 5.29.

5.31 misses to state that an <AttributeValue> is an <Expression>. The normative text should be aligned to the XML Schema fragment.

What is the difference between "... element has the following ..." and "... element contains the following ..."? Why are two different forms used here?

Since you decided to drop the two distinct namespaces (xacml and xacml-context), why are all XACML elements still prefixed with "xacml:"? Isn't that redundant?

5.37: The XML Schema fragment allows arbitrary XML content, while the normative text ("notational placeholder for additional /attributes/") sounds a bit more restrictive. Is that restriction really intended?

Does 5.40 imply that a Deny-biased PEP (7.1.2) may silently discard any obligations that have Effect="Deny"?

In 5.45, you should double-check whether the word "rule" really means the one defined in the glossary or not.

5.46: <AttributeValue> is an element, not an attribute.

To be continued ...

Roland
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:uuid:id0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Target/>
  <VariableDefinition VariableId="var1">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
      <VariableReference VariableId="var2"/>
    </Apply>
  </VariableDefinition>
  <VariableDefinition VariableId="var2">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
      <VariableReference VariableId="var1"/>
    </Apply>
  </VariableDefinition>
  <Rule RuleId="urn:uuid:id1" Effect="Permit">
    <Target/>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
        <VariableReference VariableId="var2"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
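
A load-time check for the circular <VariableDefinition> case raised in the message, as an added example that is not part of the original message or of sunxacml: it builds the variable reference graph and reports a cycle, so an evaluator can answer "Indeterminate" instead of recursing until the stack overflows. The function names are hypothetical, and the embedded policy is a trimmed copy of circvar.pol.

```python
import xml.etree.ElementTree as ET  # for untrusted policy files, prefer a hardened parser

NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"

# Constructed sample: the two mutually referencing definitions from circvar.pol.
CIRCULAR = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:uuid:id0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <VariableDefinition VariableId="var1"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
  <VariableReference VariableId="var2"/></Apply></VariableDefinition>
 <VariableDefinition VariableId="var2"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-add">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</AttributeValue>
  <VariableReference VariableId="var1"/></Apply></VariableDefinition>
</Policy>"""

def variable_graph(policy_xml):
    """Map each VariableId to the set of VariableIds its definition references."""
    root = ET.fromstring(policy_xml)
    return {d.get("VariableId"): {r.get("VariableId") for r in d.iter(NS + "VariableReference")}
            for d in root.iter(NS + "VariableDefinition")}

def find_cycle(graph):
    """Return one reference cycle as a list of ids, or None if there is none.
    Iterative DFS, so a long reference chain cannot exhaust the checker's own stack."""
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on current path / finished
    colour = dict.fromkeys(graph, WHITE)
    for start in graph:
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        path, stack = [start], [iter(sorted(graph[start]))]
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:               # all references of path[-1] explored
                colour[path.pop()] = BLACK
                stack.pop()
            elif colour.get(nxt) == GREY:  # reference back into the current path
                return path[path.index(nxt):] + [nxt]
            elif colour.get(nxt) == WHITE:  # undefined ids (None) are skipped here
                colour[nxt] = GREY
                path.append(nxt)
                stack.append(iter(sorted(graph[nxt])))
    return None

def precheck(policy_xml):
    """'Indeterminate' (the result the message proposes) if any definition is circular."""
    cycle = find_cycle(variable_graph(policy_xml))
    return ("Indeterminate", cycle) if cycle else ("OK", None)
```

Running precheck once when the policy is loaded lets the evaluator reject or short-circuit a circular policy before any request reaches it.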