

Subject: Re: [xacml] extending xacml semantics



First of all, what subject classes are you going to have?

What do they really mean? And do they "mean" the same thing in all
enterprises?

How do you find it limiting not to have some "semantics" tied to the
attribute?

-Polar


On Sun, 8 Sep 2002, Simon Godik wrote:

> Currently there is no semantics associated with the 'subject' and 'resource' definition in the 'target' of a rule.
> The only thing we do is match attribute designator with attribute value.
>
> Although there was a decision made not to have such semantics, I find it limiting.
>
> I propose to allow new elements in the rule target that convey semantics of an attribute.
>
> It is accomplished by wrapping subject-match with <subject-class> element, like this:
>
> <rule>
>     <target>
>         <subjects>
>             <subject>
>                 <subject-class class-id="urn:oasis:names:tc:xacml:1.0:subject:class:group"> <!-- this line is new -->
>                     <subject-match match-id="function:string-equal">
>                         <subject-attribute-designator attribute-id="security-role"
>                             category="urn:oasis:names:tc:xacml:subject:access-subject"/>
>                         <attribute-value>admin</attribute-value>
>                     </subject-match>
>                 </subject-class>
>             </subject>
>         </subjects>
>     .... etc ...
>     </target>
> </rule>
>
> This syntax allows us to reason about a subject of a rule. (Same applies to resource).
> It states not only how to match subject attribute, but also what this attribute is, namely a group.
>
> I hope this proposal did not come too late, but if it did, we can consider it for xacml 1.x.
>
> Simon
>
>
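As an added example, not part of this thread or of any XACML implementation, a small Python evaluator for the proposed syntax: attribute matching works exactly as it does today, while the class-id lets a policy audit tool index rules by the kind of subject they target instead of guessing from attribute names. The policy below is constructed for the example; its second rule's class-id urn:example:subject:class:user and the subject-id attribute are hypothetical, not from the proposal.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. rule-1 is the target from the proposal; rule-2 uses a
# hypothetical class-id (not from the proposal) so that two classes are present.
POLICY_XML = """<policy>
 <rule rule-id="rule-1"><target><subjects><subject>
  <subject-class class-id="urn:oasis:names:tc:xacml:1.0:subject:class:group">
   <subject-match match-id="function:string-equal">
    <subject-attribute-designator attribute-id="security-role"
        category="urn:oasis:names:tc:xacml:subject:access-subject"/>
    <attribute-value>admin</attribute-value>
   </subject-match></subject-class></subject></subjects></target></rule>
 <rule rule-id="rule-2"><target><subjects><subject>
  <subject-class class-id="urn:example:subject:class:user">
   <subject-match match-id="function:string-equal">
    <subject-attribute-designator attribute-id="subject-id"
        category="urn:oasis:names:tc:xacml:subject:access-subject"/>
    <attribute-value>alice</attribute-value>
   </subject-match></subject-class></subject></subjects></target></rule>
</policy>"""

MATCH_FUNCTIONS = {"function:string-equal": lambda a, b: a == b}

def subject_matches(subject_el, request):
    """All <subject-match> elements under one <subject> must succeed; one match
    succeeds if any request value satisfies its function.
    request maps (category, attribute-id) -> list of string values."""
    for sm in subject_el.iter("subject-match"):
        func = MATCH_FUNCTIONS[sm.get("match-id")]
        d = sm.find("subject-attribute-designator")
        values = request.get((d.get("category"), d.get("attribute-id")), [])
        if not any(func(v, sm.findtext("attribute-value")) for v in values):
            return False
    return True

def applicable_rules(policy_xml, request):
    """Ids of rules whose target matches the request (any <subject> may match).
    The <subject-class> wrapper does not change this part at all."""
    policy = ET.fromstring(policy_xml)
    return [r.get("rule-id") for r in policy.iter("rule")
            if any(subject_matches(s, request) for s in r.iter("subject"))]

def rules_by_subject_class(policy_xml):
    """The reasoning the class-id enables: index rules by the kind of subject
    they target, e.g. to review every rule that grants access to a group."""
    index = {}
    for r in ET.fromstring(policy_xml).iter("rule"):
        for sc in r.iter("subject-class"):
            index.setdefault(sc.get("class-id"), []).append(r.get("rule-id"))
    return index
```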
