xacml-comment message



Subject: AW: [xacml-comment] just on little questions


Thanks for the quick reply.
Good to hear that it is only a design recommendation to separate Matches for
different attribute categories under different AnyOf elements.
Maybe a little note when explaining the examples might help in understanding
the reasoning behind this design recommendation.

If I may remark, I am not sure at all whether it is a good idea to define targets
that way. You said that this helps in managing/editing policies. How exactly? I
assume you mean that the rules become more readable. First, this assumes that
you edit your policies in a text editor. Second, I am wondering why you are
not using comments. Adding unnecessary and/or statements around the real
formula just for readability reasons seems to be a very unclean solution.

Regards
Jan



> -----Original Message-----
> From: Ludwig Seitz [mailto:ludwig@axiomatics.com]
> Sent: Friday, 14 August 2009 10:12
> To: Jan Herrmann
> Cc: xacml-comment@lists.oasis-open.org
> Subject: Re: [xacml-comment] just on little questions
> 
> On Fri, 2009-08-14 at 09:55 +0200, Jan Herrmann wrote:
> > Hi all,
> >
> > Just one little question:
> >
> > In XACML v.3.0 examples (e.g. in the XACML 3.0 core and hierarchical
> > RBAC profile line 241) you always open and close AnyOf elements after
> > each individual Match element. I don't understand why this is done
> > this way, and as I saw it in various examples I wonder if it is done
> > with some special purpose. From my point of view the same could be
> > done with only one <AnyOf> element under Target that has under its
> > only AllOf child all the Match elements.
> >
> 
> It's a sort of leftover from XACML 2.0 (although I think it makes sense,
> as I'll explain shortly).
> 
> The AnyOf elements in 2.0 were named Subjects, Resources, Actions and
> Environments and would contain only Subject, Resource etc. Matches.
> 
> Although it's possible in 3.0 to throw all Match elements under one
> AnyOf/AllOf or make a DNF, I believe it's better to keep on doing as in
> XACML 2.0 and separate Matches for different attribute categories under
> different AnyOf elements. The performance hit is minimal (if any), and
> managing/editing policies is greatly simplified if the Matches are
> cleanly separated.
> 
> /Ludwig
> 
> 
> --
> Ludwig Seitz, PhD             |   Axiomatics AB
> Training & Development        |   Electrum 223
> Phone: +46 (0)703 83 08 00    |   S-164 40 Kista, Sweden
> Mail: ludwig@axiomatics.com   |
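The two Target layouts discussed in this thread, as an added example that is not part of the original messages or of any OASIS document: a toy evaluator for XACML 3.0 Target semantics (Target is an AND over AnyOf, AnyOf an OR over AllOf, AllOf an AND over Match, and a Match holds if the literal AttributeValue matches at least one value in the request's bag). It shows that the "one AnyOf per category" form from the examples and the flat "everything under one AnyOf/AllOf" form are equivalent for a pure conjunction, and that adding an alternative role only touches the subject AnyOf in the separated form. The namespace, category, function and resource-id/action-id URNs are the real XACML ones; the attribute id `urn:example:attribute:role`, the request values and the `make_request` helper are constructed for this example, and only `string-equal` is implemented (Indeterminate results are not modelled).

```python
"""Toy evaluator for the Target element of an XACML 3.0 policy (example code).

Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match;
Match = true if the literal AttributeValue equals at least one value in the
request's bag for the designated Category/AttributeId.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"   # XACML 3.0 core namespace
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE = "urn:example:attribute:role"                          # constructed attribute id
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def tag(name):
    """Clark-notation tag name in the XACML namespace."""
    return "{%s}%s" % (XACML, name)


def match_xml(category, attribute_id, value):
    """Build one <Match> comparing a string literal to a request attribute."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attribute_id}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')


# Layout used in the XACML 3.0 examples: one AnyOf/AllOf per attribute category.
SEPARATED = f'''<Target xmlns="{XACML}">
  <AnyOf><AllOf>{match_xml(SUBJECT, ROLE, "physician")}</AllOf></AnyOf>
  <AnyOf><AllOf>{match_xml(RESOURCE, RESOURCE_ID, "patient-record")}</AllOf></AnyOf>
  <AnyOf><AllOf>{match_xml(ACTION, ACTION_ID, "read")}</AllOf></AnyOf>
</Target>'''

# Flat layout from the question: every Match under a single AnyOf/AllOf.
FLAT = f'''<Target xmlns="{XACML}">
  <AnyOf><AllOf>
    {match_xml(SUBJECT, ROLE, "physician")}
    {match_xml(RESOURCE, RESOURCE_ID, "patient-record")}
    {match_xml(ACTION, ACTION_ID, "read")}
  </AllOf></AnyOf>
</Target>'''

# Allowing "physician OR nurse" changes only the subject AnyOf here; the flat
# layout would need a second AllOf repeating the resource and action Matches.
SEPARATED_TWO_ROLES = f'''<Target xmlns="{XACML}">
  <AnyOf>
    <AllOf>{match_xml(SUBJECT, ROLE, "physician")}</AllOf>
    <AllOf>{match_xml(SUBJECT, ROLE, "nurse")}</AllOf>
  </AnyOf>
  <AnyOf><AllOf>{match_xml(RESOURCE, RESOURCE_ID, "patient-record")}</AllOf></AnyOf>
  <AnyOf><AllOf>{match_xml(ACTION, ACTION_ID, "read")}</AllOf></AnyOf>
</Target>'''


def match_holds(match, request):
    """A Match holds if the literal equals any value in the designated bag."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find(tag("AttributeValue")).text
    designator = match.find(tag("AttributeDesignator"))
    bag = request.get(designator.get("Category"), {}).get(designator.get("AttributeId"), [])
    return any(literal == value for value in bag)


def target_holds(target_xml, request):
    """AND over AnyOf, OR over AllOf, AND over Match; an empty Target matches."""
    target = ET.fromstring(target_xml)
    return all(
        any(all(match_holds(m, request) for m in allof.findall(tag("Match")))
            for allof in anyof.findall(tag("AllOf")))
        for anyof in target.findall(tag("AnyOf"))
    )


def make_request(roles, resource_id, action_id):
    """Constructed request context: category -> attribute id -> bag of values."""
    return {SUBJECT: {ROLE: list(roles)},
            RESOURCE: {RESOURCE_ID: [resource_id]},
            ACTION: {ACTION_ID: [action_id]}}


if __name__ == "__main__":
    physician = make_request(["physician"], "patient-record", "read")
    nurse = make_request(["nurse"], "patient-record", "read")
    for name, target in [("separated", SEPARATED), ("flat", FLAT), ("two roles", SEPARATED_TWO_ROLES)]:
        print(f"{name:10s} physician={target_holds(target, physician)} nurse={target_holds(target, nurse)}")
```

Running the script shows the separated and flat Targets agreeing on every request, while the two-role Target admits the nurse request as well; the request bag may carry several role values, and a Match holds if any one of them equals the literal.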



