Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml
Hi,

I will try to simplify our scenario in order to identify if the issues we encountered depend on our misunderstanding of XACML or on its expressiveness.

Let me suppose we check a request that has the (integer-bag) attribute for the resource context defined as follows:

    <Resource>
      <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
        <AttributeValue>2</AttributeValue>
      </Attribute>
      <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
        <AttributeValue>4</AttributeValue>
      </Attribute>
      <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
        <AttributeValue>2</AttributeValue>
      </Attribute>
      <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
        <AttributeValue>5</AttributeValue>
      </Attribute>
    </Resource>

Can I express a policy requiring that all elements of the bag must be 2 or greater than 4? Namely, I want to express a condition that is true if and only if, for each x in the attribute, x == 2 or x > 4 holds.

Exploiting higher order functions, this property can be expressed in several ways, for example:

    all-of(
        boolean-equal True,
        map(
            def f(x) { return (x == 2) or (x > 4) },
            ResourceAttributeDesignator("attribute01")
        )
    )

Our problem is that even if XACML supports higher order functions, we cannot express a function definition inside the policy XML. Clearly, we do not want to define an external function (e.g. using Java) that implements the function "f", since this approach breaks the capability of configuring the policy without changing the Java code.

Are my considerations correct? Since the XACML language is inspired by functional languages, I think that a mechanism to define functions inside the policy should be a desideratum.

Roberto Guanciale
Netfarm s.r.l.
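The following is an added example, not part of the original message: a small Python model of XACML's any-of applied to named comparison functions, showing that this particular condition can be written without an inline function by negating it and distributing the existential check over the disjunction. The rewrite depends on attribute01 being an integer bag; the Python function names are stand-ins assumed here for the XACML functions integer-equal, integer-greater-than-or-equal and any-of.

```python
from itertools import product

# Stand-ins for XACML first-order functions. Argument order follows any-of:
# the primitive value is the first argument, the bag element the second.
def integer_equal(a, b):
    return a == b

def integer_greater_than_or_equal(a, b):
    return a >= b

def any_of(fn, value, bag):
    """Model of XACML any-of: true iff fn(value, x) holds for some x in bag."""
    return any(fn(value, x) for x in bag)

def wanted(bag):
    """The condition from the post, written with the inline predicate."""
    return all(x == 2 or x > 4 for x in bag)

def lambda_free(bag):
    """Same condition using only named functions.

    forall x: (x == 2 or x > 4)
      <=> not exists x: (x != 2 and x <= 4)
      <=> not exists x: (x <= 1 or x == 3 or x == 4)   (integers only)
      <=> not (any-of(>=, 1) or any-of(=, 3) or any-of(=, 4))
    """
    return not (
        any_of(integer_greater_than_or_equal, 1, bag)  # some x with 1 >= x
        or any_of(integer_equal, 3, bag)
        or any_of(integer_equal, 4, bag)
    )

def equivalent_on_all_bags(lo=-2, hi=8, max_len=3):
    """Exhaustively compare both forms on every bag of up to max_len values."""
    values = range(lo, hi + 1)
    return all(
        wanted(bag) == lambda_free(bag)
        for n in range(max_len + 1)
        for bag in product(values, repeat=n)
    )

# attribute01 values taken from the request in the post
REQUEST_BAG = [2, 4, 2, 5]

if __name__ == "__main__":
    print("request satisfies condition:", lambda_free(REQUEST_BAG))
    print("forms agree on all small bags:", equivalent_on_all_bags())
```

The same trick stops working once the per-element predicate cannot be split into comparisons against constants, which is the general case the post is asking about.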