Subject: RE: [xacml-dev] Improvements and Additions in XACML 3.0
One of the useful features of the multi-decision capability is the ability to hold some attribute values constant while varying other attribute values. For example, suppose you want to display a menu which contains only the things the current user is allowed to do. You could make a multi-decision request containing constant Subject and Environment Attributes while specifying a number of distinct Resource and Action values which correspond to each menu item.

The same pattern can be used for any kind of collection, for example whether a bunch of different users can access the same file, whether a user can do the same thing at different times of day or from different locations, etc.

As Erik Rissanen pointed out, not only does the multi-decision cut down on the number and size of requests, but a clever PDP can optimize a single multi-decision more effectively than a series of single decisions by reusing partial results, caching attribute values, etc.

Hal

> -----Original Message-----
> From: Ludwig Seitz [mailto:ludwig@sics.se]
> Sent: Wednesday, August 21, 2013 4:32 AM
> To: Junaid Sarfraz
> Cc: xacml-dev@lists.oasis-open.org
> Subject: Re: [xacml-dev] Improvements and Additions in XACML 3.0
>
> On Wed, 2013-08-21 at 01:10 -0700, Junaid Sarfraz wrote:
> > Dear xacml-dev,
> >
> > 1- Can you please tell me about what improvements are made in
> > following functions...
> >
> > urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal
> > urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal
> > urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration
>
> The datatypes changed from
> "http://www.w3.org/TR/2002/WD4110xquery-operators-20020816#dayTimeDuration"
> to
> "http://www.w3.org/2001/XMLSchema#dayTimeDuration"
> as W3C renamed the identifiers. That's why the function definitions had
> to change.
>
> > 2- And also give me good example of multiple decision profile in
> > (Request Context).
>
> Simple example: A subject Alice asks for read and write permissions on
> a file R. The multiple decision request according to section 2.3 of the
> profile would be (simplified identifiers):
>
> <Request>
>   <Attributes Category="access-subject">
>     <Attribute AttributeId="subject-id">
>       <AttributeValue DataType="string">Alice</AttributeValue>
>     </Attribute>
>   </Attributes>
>   <Attributes Category="resource">
>     <Attribute AttributeId="resource-id">
>       <AttributeValue DataType="string">R</AttributeValue>
>     </Attribute>
>   </Attributes>
>   <Attributes Category="action">
>     <Attribute AttributeId="action-id">
>       <AttributeValue DataType="string">read</AttributeValue>
>     </Attribute>
>   </Attributes>
>   <Attributes Category="action">
>     <Attribute AttributeId="action-id">
>       <AttributeValue DataType="string">write</AttributeValue>
>     </Attribute>
>   </Attributes>
> </Request>
>
> Hope it helps,
>
> Ludwig Seitz
>
> --
> Ludwig Seitz, PhD
> SICS Swedish ICT AB
> Ideon Science Park
> Building Beta 2
> Scheelevägen 17
> SE-223 70 Lund
>
> Phone +46(0)70-349 92 51
> http://www.sics.se
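The repeated-category pattern discussed in this thread, as an added example that is not part of the original messages: it builds a request with a constant subject and several resource and action values, then splits it into the individual decision requests a context handler would evaluate. The function names are hypothetical, the identifiers are the simplified ones from the quoted request, and the sample values are constructed.

```python
import itertools
import xml.etree.ElementTree as ET


def attributes(category, attr_id, value):
    """One <Attributes> element holding a single string attribute."""
    attrs = ET.Element("Attributes", Category=category)
    attr = ET.SubElement(attrs, "Attribute", AttributeId=attr_id)
    val = ET.SubElement(attr, "AttributeValue", DataType="string")
    val.text = value
    return attrs


def build_menu_request(subject, resources, actions):
    """Constant subject; one repeated <Attributes> per resource and per action."""
    request = ET.Element("Request")
    request.append(attributes("access-subject", "subject-id", subject))
    for r in resources:
        request.append(attributes("resource", "resource-id", r))
    for a in actions:
        request.append(attributes("action", "action-id", a))
    return request


def expand(request):
    """Individual requests: exactly one <Attributes> per category (cross product)."""
    by_category = {}
    for attrs in request.findall("Attributes"):
        by_category.setdefault(attrs.get("Category"), []).append(attrs)
    individual = []
    for combo in itertools.product(*by_category.values()):
        single = ET.Element("Request")
        single.extend(combo)
        individual.append(single)
    return individual


def summarize(request):
    """Map category -> attribute value, for readable output."""
    return {a.get("Category"): a.findtext("Attribute/AttributeValue")
            for a in request.findall("Attributes")}


if __name__ == "__main__":
    # Constructed sample values, matching the quoted request (Alice, R, read/write).
    multi = build_menu_request("Alice", ["R"], ["read", "write"])
    for single in expand(multi):
        print(summarize(single))
```

Because the split is a cross product, two resources and three actions in one request produce six individual decisions, one for every resource and action combination.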