Subject: [xacml] Issue: SubjectsType and ResourcesType definitions


In draft-xacml-schema-core-14b.xsd, the Target elements Subjects
and Resources are defined as follows:

	<xs:complexType name="SubjectsType">
		<xs:sequence maxOccurs="unbounded">
			<xs:element ref="xacml:Attribute"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:complexType name="ResourcesType">
		<xs:sequence maxOccurs="unbounded">
			<xs:element ref="xacml:Attribute"/>
		</xs:sequence>
	</xs:complexType>

Presumably, the idea was that the Target "applied" if an
attribute that matched the specified Attribute
elements existed in the request.

Problems:
1. This does not provide a way to match on SubjectId or KeyInfo.

2. Are the semantics a requirement that the match occur on ALL
   attributes or on ANY attribute?

3. What does "match" mean?  Is it implicitly our "xacml:equals",
   where the AttributeValue must be one of the types
   "xacml:equals" is defined as applying to?

I don't feel particularly strongly about exactly how we resolve
these, but I think they must be resolved.

Recommendations:

1. Change the element definition from "xacml:Attribute" to
   a combination of a pointer into the Request and a value that
   the element at that pointer must match.  Something like the
   following:

   <xs:complexType name="SubjectsType">
       <xs:sequence maxOccurs="unbounded">
           <xs:element name="RequiredAttributeMatch"
                       type="xacml:RequiredAttributeMatchType"/>
       </xs:sequence>
   </xs:complexType>
   <xs:complexType name="RequiredAttributeMatchType">
       <xs:sequence>
           <xs:element name="RequiredMatchingValue"
                       type="xs:anyURI"/>
       </xs:sequence>
       <xs:attribute name="RequestValue" type="xs:string" use="required"/>
       <!-- where the string is an XPATH location path into the
            Request -->
   </xs:complexType>

   Example: to say a rule applies to an AccessSubject that has an
   RFC822Name SubjectID of "*.Simpson@Simpsons.com" AND at
   least one subject has an Attribute with name "role" and value
   "SystemAdministrator":

   <Target>
     <Subjects>
       <RequiredAttributeMatch  RequestValue="/Request/Subject
               [@SubjectCategory='urn:...AccessSubject']
               /SubjectId[@Format='urn:...:RFC822Name']">
           <RequiredMatchingValue>
               "*.Simpson@Simpsons.COM"
           </RequiredMatchingValue>
       </RequiredAttributeMatch>
       <RequiredAttributeMatch  RequestValue="/Request/Subject
               /Attribute/AttributeMetaData[@AttributeName='role']
               /AttributeValue">
           <RequiredMatchingValue>
               "SystemAdministrator"
           </RequiredMatchingValue>
       </RequiredAttributeMatch>
     </Subjects>
     ....
   </Target>

2. Specify that ALL attributes within Subjects must match and ALL
   attributes within Resources must match.  I suggest this by the
   name "RequiredAttributeMatch".

3. Specify that the matching operation is "xacml:equals", and
   that the types of the value pointed to by the
   AttributeSelector and the specified AttributeValue itself must
   match and must be among the types supported by the definition
   of "xacml:equals".

   We could omit the RequiredMatchingValue and simply use XPATH
   to specify the required element and its value.  But then we
   would be limited to exact string matches on request element
   values, and we also could not use regular expression matching
   on strings (which I assume xacml:equals will support).

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
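The following is an added example, not part of Anne's message or of any XACML draft: a small Python evaluator for the proposed RequiredAttributeMatch semantics (recommendation 2: ALL matches within Subjects must hold; each match holds if ANY node selected by its RequestValue XPath equals the RequiredMatchingValue). The Request document, the `urn:example:...` URNs filling the message's `urn:...` placeholders, and the wildcard comparison standing in for the undefined `xacml:equals` are all constructed assumptions. The message's absolute paths (`/Request/Subject/...`) are written relative to the Request root because `xml.etree.ElementTree` supports only relative XPath.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample Request (not from the message).  The Subject/Attribute
# layout follows the XPath expressions in the message literally, so that the
# two RequiredAttributeMatch paths below select the intended nodes.
REQUEST_XML = """\
<Request>
  <Subject SubjectCategory="urn:example:AccessSubject">
    <SubjectId Format="urn:example:RFC822Name">Lisa.Simpson@Simpsons.COM</SubjectId>
    <Attribute>
      <AttributeMetaData AttributeName="role">
        <AttributeValue>Student</AttributeValue>
      </AttributeMetaData>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="urn:example:RecipientSubject">
    <Attribute>
      <AttributeMetaData AttributeName="role">
        <AttributeValue>SystemAdministrator</AttributeValue>
      </AttributeMetaData>
    </Attribute>
  </Subject>
</Request>
"""

# The two RequiredAttributeMatch elements of the message's example, as
# (RequestValue XPath, RequiredMatchingValue) pairs.  Paths are relative to
# the Request root; "urn:example:..." are constructed placeholders.
TARGET_SUBJECTS = [
    ("./Subject[@SubjectCategory='urn:example:AccessSubject']"
     "/SubjectId[@Format='urn:example:RFC822Name']",
     "*.Simpson@Simpsons.COM"),
    ("./Subject/Attribute/AttributeMetaData[@AttributeName='role']/AttributeValue",
     "SystemAdministrator"),
]


def xacml_equals(required: str, actual: str) -> bool:
    """Stand-in for xacml:equals, which the page does not define (assumption).

    Exact string equality, plus shell-style wildcards (fnmatch) so that the
    message's "*.Simpson@Simpsons.COM" value can match an RFC822 name; the
    wildcard part stands in for the pattern matching the author expects.
    """
    return required == actual or fnmatch.fnmatchcase(actual, required)


def required_match_holds(request: ET.Element, xpath: str, required: str) -> bool:
    """One RequiredAttributeMatch: ANY node selected by the XPath must equal
    the required value.  An XPath that selects nothing cannot match."""
    return any(xacml_equals(required, (node.text or "").strip())
               for node in request.findall(xpath))


def target_applies(request_xml: str, matches) -> bool:
    """Recommendation 2: ALL RequiredAttributeMatch elements within Subjects
    must hold for the Target to apply."""
    request = ET.fromstring(request_xml)
    return all(required_match_holds(request, xpath, value)
               for xpath, value in matches)


if __name__ == "__main__":
    # Both matches hold: the AccessSubject's RFC822 name fits the pattern and
    # some subject (here the RecipientSubject) carries role=SystemAdministrator.
    print(target_applies(REQUEST_XML, TARGET_SUBJECTS))
    # Requiring a role nobody has shows that every match must hold.
    print(target_applies(REQUEST_XML,
                         [TARGET_SUBJECTS[0], (TARGET_SUBJECTS[1][0], "Teacher")]))
```

Note that the second match has no SubjectCategory predicate, so it is satisfied by a role attribute on any Subject in the Request, exactly as the message's wording ("at least one subject has an Attribute ...") states; tightening it to the AccessSubject would require adding the predicate to that XPath.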


