Subject: Re: [xacml] Hi, questions about XACML, please help
Hi, Shun

Section 9 describes a set of profiles relevant to XACML. Section 9.4 LDAP describes a potential usage of DIT when LDAP is used as a XACML policy retrieval point.

XACML Context schema can carry any application-specific data such as arbitrary attribute type-value pairs and a target XML instance, as Section 3.2 shows.

XACML request context is an assertion-neutral input format. XACML response context is a generic access decision format. SAML authorization request is one of the input formats that can be transformed into XACML request context. SAML authorization decision assertion is one of the output formats that can be transformed from the XACML response context. Both transformations can be specified using XSLT transformation. Anyway, the input to the XACML policy is XACML request context.

Draft 14 has several inconsistencies with respect to the XACML Context and related examples. Draft 15 will be a more consistent draft.

XACML request context can include a target XML instance as immediate data or a reference to the target resource using a URI.

Best regards,

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642
Fax +81 (46) 273-7428


Shun Xiang Yang <yangsx@cn.ibm.com>
2002/06/21 10:57
Please respond to Shun Xiang Yang

To: xacml-comment@lists.oasis-open.org
cc: xacml@lists.oasis-open.org
Subject: [xacml] Hi, questions about XACML, please help

Hi,

I'm new to XACML. I have some questions, would you please throw me some light on them?

1. What does 'Profile' mean in the XACML document? (Section 9 in XACML Working Draft 14) Does the 9.4 LDAP Directory information tree (DIT) have some relationship to the XACML Context?

2. About XACML Context

2.1 Supposedly XACML Context should be an abstraction of the different application environments. But the Context schema only contains definitions for request and response. Where should the application data model be specified? In the request? I think something like <record...> in 3.2 of XACML Working Draft 14 is necessary for request and policy.

2.2 What's the relationship between request/response defined in XACML Context and request/response defined in SAML?
- 3.3 of XACML Working Draft 14 uses a SAML request, not a XACML request, why?
- SAML request uses <NameIdentifier> for subject, URI for resource, while XACML request uses <SubjectAttribute> for subject, <ResourceAttribute> for resource. What's the difference?

2.3 It seems that the XACML policies use some XPath expressions on the XACML Context (requests?) to reference the attributes (of subject/resource/action/etc.), while XACML Context (requests?) uses XPath expressions on a specific application environment (for example, the XML instance in 3.2 of XACML Working Draft 14) to specify the subject/resource/action/... Is this right?

Thanks a lot!!

Best Regards,
Yang Shunxiang, 杨顺祥
IBM China Research Lab
4F, HaoHai, #7, 5th Street, Shangdi, BEIJING, 100085, CHINA
TEL: 86-10-62986677 ext. 545
FAX: 86-10-82899634
E-mail: yangsx@cn.ibm.com
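The two transformations Michiharu describes (SAML authorization request into XACML request context, XACML response context into SAML authorization decision assertion), written out in Python with ElementTree rather than XSLT, as an added example that is not code from the thread or from any XACML implementation. The SAML 1.0 namespaces and element names are real; the XACML context element shapes (Request, Subject/SubjectAttribute, Resource/ResourceAttribute, Action, Response/Decision), their AttributeName values and the context namespace are assumed simplifications, since the Working Draft 14 schema is not on the page.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
# Placeholder namespace: the draft-14 context namespace is not given on the page.
CTX = "urn:example:xacml-context"

def saml_query_to_xacml_request(query_xml):
    """SAML AuthorizationDecisionQuery -> simplified XACML request context:
    NameIdentifier -> SubjectAttribute, Resource URI -> ResourceAttribute,
    each saml:Action -> an Action element (context element shapes are assumed)."""
    q = ET.fromstring(query_xml)
    if q.tag != f"{{{SAMLP}}}AuthorizationDecisionQuery":
        raise ValueError("not a SAML AuthorizationDecisionQuery")
    name_id = q.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    subject = (name_id.text or "").strip() if name_id is not None else ""
    resource = (q.get("Resource") or "").strip()
    actions = [(a.text or "").strip() for a in q.findall(f"{{{SAML}}}Action")]
    # Fail closed: the PDP must never evaluate an under-specified request.
    if not (subject and resource and actions and all(actions)):
        raise ValueError("query lacks a subject, resource or action")
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    ET.SubElement(subj, f"{{{CTX}}}SubjectAttribute", AttributeName="subject-id").text = subject
    res = ET.SubElement(req, f"{{{CTX}}}Resource")
    ET.SubElement(res, f"{{{CTX}}}ResourceAttribute", AttributeName="resource-uri").text = resource
    for act in actions:
        ET.SubElement(req, f"{{{CTX}}}Action").text = act
    return req

def xacml_response_to_saml_statement(response_xml, resource, subject, actions):
    """XACML response context -> SAML AuthorizationDecisionStatement. SAML 1.0 only
    knows Permit/Deny/Indeterminate, so any other decision is rejected, not guessed."""
    decision = (ET.fromstring(response_xml).findtext(f"{{{CTX}}}Decision") or "").strip()
    if decision not in ("Permit", "Deny", "Indeterminate"):
        raise ValueError(f"decision {decision!r} has no SAML 1.0 equivalent")
    stmt = ET.Element(f"{{{SAML}}}AuthorizationDecisionStatement",
                      Resource=resource, Decision=decision)
    ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameIdentifier").text = subject
    for act in actions:
        ET.SubElement(stmt, f"{{{SAML}}}Action").text = act
    return stmt

# Constructed sample messages (not taken from the thread).
SAMPLE_QUERY = f"""<samlp:AuthorizationDecisionQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Resource="http://example.org/records/42">
  <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  <saml:Action Namespace="urn:example:actions">read</saml:Action>
</samlp:AuthorizationDecisionQuery>"""
SAMPLE_RESPONSE = f'<Response xmlns="{CTX}"><Decision>Permit</Decision></Response>'
```

A real deployment would validate both messages against their schemas before mapping; the checks here only show the fail-closed points a mapper needs.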