
xacml message



Subject: Re: [xacml] Hi, questions about XACML, please help



Hi, Shun

Section 9 describes a set of profiles relevant to XACML.
Section 9.4 LDAP describes a potential usage of the
DIT when LDAP is used as an XACML policy retrieval point.

The XACML Context schema can carry any application-specific
data such as arbitrary attribute type-value pairs and a target
XML instance, as Section 3.2 shows. The XACML request context
is an assertion-neutral input format. The XACML response context
is a generic access decision format. A SAML authorization
request is one of the input formats that can be transformed into
the XACML request context. A SAML authorization decision
assertion is one of the output formats that can be transformed
from the XACML response context. Both transformations can
be specified using XSLT transformation. Anyway, the input to
the XACML policy is the XACML request context.

Draft 14 has several inconsistencies with respect to the
XACML Context and related examples. Draft 15 will become
a more consistent draft.

The XACML request context can include a target XML instance as
immediate data or a reference to the target resource using a URI.

Best regards,
Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428




                                                                                                                                     
Shun Xiang Yang <yangsx@cn.ibm.com>
2002/06/21 10:57
Please respond to Shun Xiang Yang

To:       xacml-comment@lists.oasis-open.org
cc:       xacml@lists.oasis-open.org
Subject:  [xacml] Hi, questions about XACML, please help
                                                                                                                                     
                                                                                                                                     



Hi,

I'm new to XACML. I have some questions, would you please throw me some
light on them?

1. What does 'Profile' mean in the XACML document? (Section 9 in XACML Working
Draft 14) Does the 9.4 LDAP Directory information tree (DIT) have some
relationship to the XACML Context?

2. About XACML Context
      2.1   Supposedly XACML Context should be an abstraction of the
different application environments. But the Context schema only contains
definitions for request and response. Where should the application data
model be specified? In the request? I think something like <record...> in
3.2 of XACML Working Draft 14 is necessary for request and policy.

      2.2   What's the relationship between request/response defined in
XACML Context and request/response defined in SAML?

            - 3.3 of XACML Working Draft 14 uses a SAML request, not an
XACML request, why?

            - SAML request uses <NameIdentifier> for subject, URI for
resource, while XACML request uses <SubjectAttribute> for subject,
<ResourceAttribute> for resource. What's the difference?

      2.3   It seems that the XACML policies use some XPath expressions on
the XACML Context (requests?) to reference the attributes (of
subject/resource/action/etc), while XACML Context (requests?) uses XPath
expressions on a specific application environment (for example, the xml
instance in 3.2 of XACML Working Draft 14) to specify the
subject/resource/action/...   Is this right?

Thanks a lot!!

Best Regards,

Yang Shunxiang, 杨顺祥
IBM China Research Lab
4F, HaoHai, #7, 5th Street, Shangdi, BEIJING, 100085, CHINA
TEL:    86-10-62986677 ext. 545
FAX:    86-10-82899634
E-mail: yangsx@cn.ibm.com
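
The SAML-to-XACML mapping described in the reply above, as an added example that is not part of the original thread or of the XACML drafts. It uses Python in place of the XSLT the reply mentions and assumes the element names and attribute identifiers of the published SAML 1.0 and XACML 1.0 schemas rather than Working Draft 14; the sample query, the function names and the one-action restriction are choices made for this illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CTX = "urn:oasis:names:tc:xacml:1.0:context"
XACML_ID = "urn:oasis:names:tc:xacml:1.0:"
XSD = "http://www.w3.org/2001/XMLSchema#"

# Constructed sample input (host, subject and resource are invented).
SAMPLE_QUERY = f"""<samlp:AuthorizationDecisionQuery xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" Resource="http://medico.example/record/patient/1234">
  <saml:Subject>
    <saml:NameIdentifier>julius@medico.example</saml:NameIdentifier>
  </saml:Subject>
  <saml:Action>read</saml:Action>
</samlp:AuthorizationDecisionQuery>"""


def _add(request, section, attr_id, datatype, value):
    """Append <section><Attribute><AttributeValue>value</...> to the request."""
    parent = ET.SubElement(request, f"{{{CTX}}}{section}")
    attr = ET.SubElement(parent, f"{{{CTX}}}Attribute",
                         AttributeId=XACML_ID + attr_id, DataType=XSD + datatype)
    ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value


def saml_query_to_xacml_request(query_xml):
    """Map a SAML authorization decision query onto an XACML request context."""
    query = ET.fromstring(query_xml)
    if query.tag != f"{{{SAMLP}}}AuthorizationDecisionQuery":
        raise ValueError("not a SAML AuthorizationDecisionQuery")
    name = query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier", "").strip()
    resource = (query.get("Resource") or "").strip()
    actions = [(a.text or "").strip() for a in query.findall(f"{{{SAML}}}Action")]
    # Fail closed: an incomplete or ambiguous query never becomes a request.
    if not name or not resource or len(actions) != 1 or not actions[0]:
        raise ValueError("query needs one subject, one resource and one action")
    request = ET.Element(f"{{{CTX}}}Request")
    _add(request, "Subject", "subject:subject-id", "string", name)
    _add(request, "Resource", "resource:resource-id", "anyURI", resource)
    _add(request, "Action", "action:action-id", "string", actions[0])
    return request


if __name__ == "__main__":
    ET.register_namespace("", CTX)
    print(ET.tostring(saml_query_to_xacml_request(SAMPLE_QUERY), encoding="unicode"))
```

The SAML `<NameIdentifier>` and `Resource` URI each become one typed attribute in the request context, which is the form the policy evaluates.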





