Subject: [xacml] Proposed resolution to MI-1-03: Definition and purpose of Target
Based on the March 2002 Face-to-Face, I believe this issue, which
has no champion, is ready to be closed.
Resolution: a <target> element consists of three predicates over
elements in a SAML access decision request: one over Subject, one
over Resource, and one over Action. Any of these predicates may
be universal in that they may result in "true" for "anySubject",
"anyResource", or "anyAction".
The <target> element in a <rule>, <policyStatement>, or
<policyCombinationStatement> has two purposes. First, it allows
<rule>s, <policyStatement>s, and <policyCombinationStatement>s to
be indexed based on their applicable subject, resource, and/or
action. Second, it allows a PDP to quickly and efficiently
reduce the set of <rule>s, <policyStatement>s, and
<policyCombinationStatement>s that must be evaluated in response
to a given access decision request.
These intended purposes place three restrictions on what can be
included in a <target>. First, the predicates in a <target> must
be very efficient to evaluate. Second, each predicate in a
<target> must refer to only one of <subject>, <resource>, and
<action> (for indexing purposes). Third, each predicate in a
<target> must refer only to attributes that will always be
present in a SAML access decision request, since a <target> must
not return a result of "indeterminate".
In a <rule>, the <target> element is logically part of the
<condition> element. Were indexing and efficiency not a concern,
the tests in the <target> could be incorporated into the
<condition>. The <target> element serves as the "first pass"
test for whether the rule applies:
    if (<target> == true) {
        if (<condition> == true) {
            return <effect>;
        }
    }
    return <not applicable>;
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
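
The two-pass evaluation and target-based indexing described in the message above, as an added example that is not part of the original post or of the XACML specification. The names Rule, PDP and RULES, the exact-match target predicates, the resource-only index and returning the first applicable effect are all assumptions made for this sketch.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ANY = None  # universal predicate: anySubject / anyResource / anyAction

@dataclass
class Rule:
    subject: Optional[str]             # target predicate over Subject
    resource: Optional[str]            # target predicate over Resource
    action: Optional[str]              # target predicate over Action
    condition: Callable[[dict], bool]  # may use any request attribute
    effect: str                        # "Permit" or "Deny"

    def target_matches(self, req: dict) -> bool:
        # Reads only the three keys assumed present in every request, so the
        # result is always True or False, never indeterminate.
        pairs = (("subject", self.subject), ("resource", self.resource),
                 ("action", self.action))
        return all(want is ANY or want == req[key] for key, want in pairs)

class PDP:
    def __init__(self, rules):
        self.index = {}                # resource value (or ANY) -> rules
        for rule in rules:
            self.index.setdefault(rule.resource, []).append(rule)
        self.conditions_evaluated = 0  # shows how much work the target saves

    def decide(self, req: dict) -> str:
        # Index lookup first, so rules for other resources are never touched.
        candidates = self.index.get(req["resource"], []) + self.index.get(ANY, [])
        for rule in candidates:
            if rule.target_matches(req):        # first pass
                self.conditions_evaluated += 1
                if rule.condition(req):         # second pass
                    return rule.effect
        return "NotApplicable"

# Constructed sample policy and request attributes.
RULES = [
    Rule("alice", "payroll", "read", lambda r: r["hour"] < 18, "Permit"),
    Rule(ANY, "payroll", "write", lambda r: True, "Deny"),
    Rule(ANY, "wiki", ANY, lambda r: True, "Permit"),
]

if __name__ == "__main__":
    pdp = PDP(RULES)
    print(pdp.decide({"subject": "alice", "resource": "payroll", "action": "read", "hour": 9}))
    print(pdp.decide({"subject": "bob", "resource": "payroll", "action": "read"}))
    print(pdp.conditions_evaluated)
```

The second request carries no "hour" attribute, yet no error occurs: the target rejects the rule before its condition, which depends on that optional attribute, is ever evaluated.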