[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] [CR] Target Match Semantics Section 4 & 5
Greetings,
The semantics for the Target need to be updated. It doesn't seem to
describe how "Match" or "No-Match" are derived at. The document mentions
logical-AND and logical-OR, and they are not defined for Match and
No-Match. Also, we need to resolve the discovery and issue of the
inconsistency between the evaluation of Target and Condition with respect
to Indeterminate and NotApplicable, now that we are making progress on the
"functions" document.
I feel that if we refer to the Target evaluations with the same semantics
as Condition, we can leverage the use of True, False, and Indeterminate
that we have already defined, and then we can use the notions of
conjunctive sequence and disjunctive sequence as combinators of our
boolean values (true, false, indeterminate) with the normative
specifications of our functions "function:and" and "function:or" for the
combining rules. This will take care of the normative handling of error
conditions in the evaluation logic.
When the XACML Data Types, Functions, and Semantics gets put in the
document, I suggest making the following changes. Some changes are
editorial.
Note: There is some issue about <Target> and <Condition> of where they say
that they possible to be "empty", but I'm not sure if that means "omitted"
(i.e. minOccurs="0"), or <Target/>, or <Condition/>.
Cheers,
-Polar
4.3.1 Rule
I suggest changing the list to the order of
o a Target,
o a Condition, and
o an Effect
to keep consistent with the description of the model and the rule
evaluation semantics. (effect was before condition).
4.3.1.1 Rule Target
[Change the following:]
If the rule is intended to apply to all entities of a particular type,
then an empty element named <AnySubject/>, <AnyResource/> or <AnyAction/>
is used.
[should be:]
If the rule is intended to apply to all entities of a particular type,
then an empty element named <AnySubject/>, <AnyResource/> and <AnyAction/>
is used, or the <Target> element is completely omitted.
Add the following:
---
The evaluation of the <Target> evaluates each of the <Subjects>,
<Resources>, and <Actions> elements as specified. These results are
combined as if the "function:and" were applied to them. Therefore, the
result of the <target> evaluation is "true", "false", or "indeterminate".
The <AnySubject/>, <AnyResource/>, and <AnyAction/> are each
considered vacuously "true".
---
4.3.1.3 Condition
I think we need a different description:
Change
---
Condition is a general expression of predicates of attributes. It should
not duplicate the exact predicates implied by the target. Therefore, it
may be empty.
---
to
--
<Condition> is a boolean expression that refines the applicability of the
rule beyond the predicates implied by the target. In the case where
<Condition> is not present in the rule, it is considered vacuously "true".
A <Condition> should not duplicate the predicates implied by the <Target>,
with the exception that both the <Target> specifies any subject, resource,
and action, and the <Condition> is not present.
--
4.3.1.4 Rule evaluation
A rule has a value that can be calculated by evaluating its contents.
Rule evaluation involves separate evaluation of the rule's target and
condition. The result of rule's target and condition are evaluated as if
the "function:and" were applied to both results.
The rule truth table is shown in Table 1.
Target Condition Rule
True True Effect
True False Not Applicable
True Indeterminate Indeterminate
False True Not Applicable
False False Not Applicable
False Indeterminate Indeterminate
Indeterminate True Indeterminate
Indeterminate False Indeterminate
Indeterminate Indeterminate Indeterminate
Table 1 - Rule truth table
[The subsequent 2 paragraphs after the table are no longer true, and
should be removed.]
Section 5 (NORMATIVE)
[Since this section is normative, I suggest that we define "disjunctive"
sequence" and "conjunctive sequence" for use throughout the section. Add
the following:]
In this section the policy syntax and its evaluation semantics are
described. This section uses the following terminology:
A "disjunctive sequence" is a sequence of boolean elements that are
combined using the semantics of the "function:or" XACML standard function.
A "conjunctive sequence" is a sequence of boolean elements that are
combined using the semantics of the "function:and" XACML standard
function.
5.4 Target
[Change the paragraph to:]
For the purposes of matching, the <Subjects>, <Resources>, and <Actions>
children of the <Target> element are evaluated as specified below, and
the results are combined as a conjunctive sequence.
The <Subjects>, <Resources>, <Actions> elements are considered each a
disjunctive sequence of <Subject>, <Resource>, and <Action> elements
respectively.
Because the <Target> is effectively a conjunctive sequence of disjunctive
sequences, for the parent of the <Target> element to be applicable to the
decision request, at least one <Subject>, one <Resource>, and one <Action>
MUST match the corresponding elements in the <xacml-context:Request>
element.
The <Target> element is of TargetType complex type.
[and the rest is fine]
5.5 Subject
[ Change the first paragraph to: ]
The <Subjects> element is a child of the <Target> element and is a wrapper
for the disjunctive sequence of <Subject> elements. The <Subjects>
element is combined as a conjunctive sequence with the other children of
the <Target> element.
5.6 Element Subject
[Remove the Note about conjunctive sequence]
5.8 Element Resources
[Change the first paragraph to: ]
The <Resources> element is a child of the <Target> element and is a
wrapper for the disjunctive sequence of <Resource> elements. The
<Resources> element is combined as a conjunctive sequence with the other
children of the <Target> element.
5.11 Element Actions
[ Change first paragraph to: ]
The <Actions> element is a child of the <Target> element and is a wrapper
for the disjunctive sequence of the <Action> elements. The <Actions>
element is combined as a conjunctive sequence with the other children of
the <Target> element.
5.17 Element Rule
[Make the following change ^^^^^^^ function->expression]
<Condition> [optional]
A predicate that MUST be satisfied for the rule to be assigned its Effect
value. A condition is a boolean function over a combination of subject,
^^^^^^^^
expression
resource and environment attributes or other functions.
[[QUESTION: Shouldn't the rule evaluation table go here
in the normative part?]]
5.19.Element <Condition>
The <Condition> element is a boolean function over subject, resource,
^^^^^^^^
expression
action and environment attributes or functions of attributes. If the
<Condition> element evaluates to "True", then the enclosing <Rule> element
is assigned its Effect value.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC