Subject: [xacml] [CR] Target Match Semantics Section 4 & 5
Greetings,

The semantics for the Target need to be updated. It doesn't seem to describe how "Match" or "No-Match" are derived. The document mentions logical-AND and logical-OR, and they are not defined for Match and No-Match.

Also, we need to resolve the discovered issue of the inconsistency between the evaluation of Target and Condition with respect to Indeterminate and NotApplicable, now that we are making progress on the "functions" document.

I feel that if we refer to the Target evaluations with the same semantics as Condition, we can leverage the use of True, False, and Indeterminate that we have already defined, and then we can use the notions of conjunctive sequence and disjunctive sequence as combinators of our boolean values (true, false, indeterminate) with the normative specifications of our functions "function:and" and "function:or" for the combining rules. This will take care of the normative handling of error conditions in the evaluation logic.

When the XACML Data Types, Functions, and Semantics gets put in the document, I suggest making the following changes. Some changes are editorial.

Note: There is some issue about <Target> and <Condition> where they say that they may possibly be "empty", but I'm not sure if that means "omitted" (i.e. minOccurs="0"), or <Target/>, or <Condition/>.

Cheers,
-Polar

4.3.1 Rule

I suggest changing the list to the order of
  o a Target,
  o a Condition, and
  o an Effect
to keep consistent with the description of the model and the rule evaluation semantics. (Effect was before Condition.)

4.3.1.1 Rule Target

[Change the following:]

If the rule is intended to apply to all entities of a particular type, then an empty element named <AnySubject/>, <AnyResource/> or <AnyAction/> is used.

[should be:]

If the rule is intended to apply to all entities of a particular type, then an empty element named <AnySubject/>, <AnyResource/> and <AnyAction/> is used, or the <Target> element is completely omitted.
Add the following:

---
The evaluation of the <Target> evaluates each of the <Subjects>, <Resources>, and <Actions> elements as specified. These results are combined as if the "function:and" were applied to them. Therefore, the result of the <Target> evaluation is "true", "false", or "indeterminate". The <AnySubject/>, <AnyResource/>, and <AnyAction/> are each considered vacuously "true".
---

4.3.1.3 Condition

I think we need a different description:

Change
---
Condition is a general expression of predicates of attributes. It should not duplicate the exact predicates implied by the target. Therefore, it may be empty.
---
to
--
<Condition> is a boolean expression that refines the applicability of the rule beyond the predicates implied by the target. In the case where <Condition> is not present in the rule, it is considered vacuously "true". A <Condition> should not duplicate the predicates implied by the <Target>, with the exception that both the <Target> specifies any subject, resource, and action, and the <Condition> is not present.
--

4.3.1.4 Rule evaluation

A rule has a value that can be calculated by evaluating its contents. Rule evaluation involves separate evaluation of the rule's target and condition. The results of the rule's target and condition are evaluated as if the "function:and" were applied to both results. The rule truth table is shown in Table 1.

  Target         Condition      Rule
  -------------  -------------  --------------
  True           True           Effect
  True           False          Not Applicable
  True           Indeterminate  Indeterminate
  False          True           Not Applicable
  False          False          Not Applicable
  False          Indeterminate  Indeterminate
  Indeterminate  True           Indeterminate
  Indeterminate  False          Indeterminate
  Indeterminate  Indeterminate  Indeterminate

  Table 1 - Rule truth table

[The subsequent 2 paragraphs after the table are no longer true, and should be removed.]

Section 5 (NORMATIVE)

[Since this section is normative, I suggest that we define "disjunctive sequence" and "conjunctive sequence" for use throughout the section.
Add the following:]

In this section the policy syntax and its evaluation semantics are described. This section uses the following terminology:

A "disjunctive sequence" is a sequence of boolean elements that are combined using the semantics of the "function:or" XACML standard function.

A "conjunctive sequence" is a sequence of boolean elements that are combined using the semantics of the "function:and" XACML standard function.

5.4 Target

[Change the paragraph to:]

For the purposes of matching, the <Subjects>, <Resources>, and <Actions> children of the <Target> element are evaluated as specified below, and the results are combined as a conjunctive sequence. The <Subjects>, <Resources>, and <Actions> elements are each considered a disjunctive sequence of <Subject>, <Resource>, and <Action> elements respectively. Because the <Target> is effectively a conjunctive sequence of disjunctive sequences, for the parent of the <Target> element to be applicable to the decision request, at least one <Subject>, one <Resource>, and one <Action> MUST match the corresponding elements in the <xacml-context:Request> element.

The <Target> element is of TargetType complex type.

[and the rest is fine]

5.5 Subject

[Change the first paragraph to:]

The <Subjects> element is a child of the <Target> element and is a wrapper for the disjunctive sequence of <Subject> elements. The <Subjects> element is combined as a conjunctive sequence with the other children of the <Target> element.

5.6 Element Subject

[Remove the Note about conjunctive sequence]

5.8 Element Resources

[Change the first paragraph to:]

The <Resources> element is a child of the <Target> element and is a wrapper for the disjunctive sequence of <Resource> elements. The <Resources> element is combined as a conjunctive sequence with the other children of the <Target> element.
5.11 Element Actions

[Change first paragraph to:]

The <Actions> element is a child of the <Target> element and is a wrapper for the disjunctive sequence of the <Action> elements. The <Actions> element is combined as a conjunctive sequence with the other children of the <Target> element.

5.17 Element Rule

[Make the following change: function -> expression]

  <Condition> [optional]
  A predicate that MUST be satisfied for the rule to be assigned its Effect
  value. A condition is a boolean function over a combination of subject,
                                  ^^^^^^^^ expression
  resource and environment attributes or other functions.

[[QUESTION: Shouldn't the rule evaluation table go here in the normative part?]]

5.19 Element <Condition>

  The <Condition> element is a boolean function over subject,
                                       ^^^^^^^^ expression
  action and environment attributes or functions of attributes. If the <Condition> element evaluates to "True", then the enclosing <Rule> element is assigned its Effect value.
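The evaluation scheme proposed in this post (each of <Subjects>, <Resources>, <Actions> a disjunctive sequence, the three combined as a conjunctive sequence, <Any.../> and omitted elements vacuously true, and the <Rule> decided by Table 1), written out as an added Python example. This is not code from the post or from any XACML implementation. It assumes strong Kleene three-valued semantics for "function:and" and "function:or" (the post names the functions but does not define them here), models an evaluation error in a matcher as Indeterminate, and uses a constructed request and constructed matchers in place of real <Subject>/<Resource>/<Action> matching. The last helper lists the rows of Table 1 whose outcome is not what "function:and" yields under that assumption, which makes visible what the choice of and-semantics decides for the rows pairing False with Indeterminate.

```python
"""Three-valued <Target>/<Rule> evaluation as proposed in the post (illustrative code).

Assumptions not stated in the post:
  - function:and / function:or follow strong Kleene three-valued logic;
  - a matcher that raises an exception evaluates to Indeterminate;
  - a <Target> key that is absent is treated like <Any.../>.
"""
from typing import Callable, Dict, Iterable, Optional, Tuple, Union

INDETERMINATE = "Indeterminate"
NOT_APPLICABLE = "NotApplicable"
TruthValue = Union[bool, str]                # True, False or INDETERMINATE
Matcher = Optional[Callable[[dict], bool]]   # None stands for <AnySubject/> etc.
ANY: Matcher = None


def function_and(values: Iterable[TruthValue]) -> TruthValue:
    """Conjunctive sequence: any False wins, else any Indeterminate, else True (empty -> True)."""
    result: TruthValue = True
    for v in values:
        if v is False:
            return False
        if v == INDETERMINATE:
            result = INDETERMINATE
    return result


def function_or(values: Iterable[TruthValue]) -> TruthValue:
    """Disjunctive sequence: any True wins, else any Indeterminate, else False (empty -> False)."""
    result: TruthValue = False
    for v in values:
        if v is True:
            return True
        if v == INDETERMINATE:
            result = INDETERMINATE
    return result


def evaluate_match(matcher: Matcher, request: dict) -> TruthValue:
    """<Any.../> is vacuously true; an evaluation error (e.g. missing attribute) is Indeterminate."""
    if matcher is ANY:
        return True
    try:
        return bool(matcher(request))
    except Exception:
        return INDETERMINATE


def evaluate_target(target: Optional[dict], request: dict) -> TruthValue:
    """target is None (element omitted) or {"subjects": [...], "resources": [...], "actions": [...]}:
    a conjunctive sequence of three disjunctive sequences."""
    if target is None:
        return True
    groups = []
    for key in ("subjects", "resources", "actions"):
        alternatives = target.get(key, [ANY])
        groups.append(function_or(evaluate_match(m, request) for m in alternatives))
    return function_and(groups)


# Table 1 of the post, transcribed as written ("Effect" means the rule's own Effect value).
RULE_TABLE: Dict[Tuple[TruthValue, TruthValue], str] = {
    (True, True): "Effect",                  (True, False): NOT_APPLICABLE,
    (True, INDETERMINATE): INDETERMINATE,    (False, True): NOT_APPLICABLE,
    (False, False): NOT_APPLICABLE,          (False, INDETERMINATE): INDETERMINATE,
    (INDETERMINATE, True): INDETERMINATE,    (INDETERMINATE, False): INDETERMINATE,
    (INDETERMINATE, INDETERMINATE): INDETERMINATE,
}


def evaluate_rule(rule: dict, request: dict) -> str:
    """rule = {"effect": str, "target": dict|None, "condition": matcher|None}; absent condition is true."""
    target_value = evaluate_target(rule.get("target"), request)
    condition = rule.get("condition")
    condition_value: TruthValue = True if condition is None else evaluate_match(condition, request)
    outcome = RULE_TABLE[(target_value, condition_value)]
    return rule["effect"] if outcome == "Effect" else outcome


def rows_where_table_differs_from_and():
    """Rows of Table 1 whose outcome differs from function:and (as assumed above) over (target, condition)."""
    rows = []
    for (t, c), outcome in RULE_TABLE.items():
        combined = function_and([t, c])
        expected = "Effect" if combined is True else (NOT_APPLICABLE if combined is False else INDETERMINATE)
        if expected != outcome:
            rows.append((t, c))
    return rows


# Constructed sample request and rules (not taken from the post).
REQUEST = {"subject": "alice", "resource": "/reports/q3.pdf", "action": "read"}

def is_alice(req): return req["subject"] == "alice"
def is_report(req): return req["resource"].startswith("/reports/")
def is_read(req): return req["action"] == "read"
def needs_missing_attribute(req): return req["environment:current-time"] < "17:00"  # raises KeyError

RULE_PERMIT_READ = {"effect": "Permit", "condition": None,
                    "target": {"subjects": [is_alice], "resources": [is_report], "actions": [is_read]}}
RULE_DENY_WRITE = {"effect": "Deny", "target": None,   # <Target> omitted: vacuously true
                   "condition": lambda req: req["action"] == "write"}
RULE_ERROR_IN_TARGET = {"effect": "Permit", "condition": None,
                        "target": {"subjects": [needs_missing_attribute], "resources": [ANY], "actions": [ANY]}}

if __name__ == "__main__":
    for name, rule in [("permit-read", RULE_PERMIT_READ), ("deny-write", RULE_DENY_WRITE),
                       ("error-in-target", RULE_ERROR_IN_TARGET)]:
        print(name, "->", evaluate_rule(rule, REQUEST))
    print("Table 1 rows not equal to function:and:", rows_where_table_differs_from_and())
```

Under these assumptions the sample gives Permit, NotApplicable and Indeterminate for the three rules, and a <Subjects> sequence that contains a failing matcher next to one that matches still evaluates to true, because the disjunctive sequence lets a True alternative absorb the Indeterminate one.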