[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] Issues list and tentative resolutions of function model
There is one correction about Issue 0042.
A function:any-of-each allows a sequence for the second argument but the
current
schema allows a value (not a sequence) for the second argument. It
corresponds
to function:all-of or function:any-of. From the nature of MatchId,
function:all-of is
more appropriate. Then the original description and its correction are:
==== original ====
0042. [Michiharu] XACML supports consistent specification between MatchId
function and Apply function
http://lists.oasis-open.org/archives/xacml/200209/msg00098.html
In ver 0.8 function draft, string comparison (set against a value) is
differently specified in MatchId from Apply. Suppose attribute selector
returns a sequence (e.g. "aaa" and "bbb"). In ResourceMatch,
function:string-equal is used while in Apply, function:string-member-of
is used:
<ResourceMatch MatchId="function:string-equal">
<AttributeSelector RequestContextPath="/a/b/c/text()">
<AttributeValue>bbb</AttributeValue>
</ResourceMatch>
|<Apply FunctionId="function:string-member-of">
<AttributeValue>bbb</AttributeValue>
<AttributeSelector RequestContextPath="/a/b/c/text()">
</Apply>
We fix the above problem by using the higher-order bag function specified
in 0.9 function draft:
<ResourceMatch MatchId="function:string-equal">
<AttributeDesignator AttributeId="role1"/>
<AttributeValue>bbb</AttributeValue>
</ResourceMatch>
<Apply FunctionId="function:any-of-each">
<Function FunctionId="function:string-equal"/>
<AttributeDesignator AttributeId="role1"/>
<AttributeValue>bbb</AttributeValue>
</Apply>
When we specify policy for MatchId, function:any-of-each is implicitly used
for specifying the semantics of the comparison on bags.
==== corrected ====
0042. [Michiharu] XACML supports consistent specification between MatchId
function and Apply function
http://lists.oasis-open.org/archives/xacml/200209/msg00098.html
In ver 0.8 function draft, string comparison (set against a value) is
differently specified in MatchId from Apply. Suppose attribute selector
returns a sequence (e.g. "aaa" and "bbb"). In ResourceMatch,
function:string-equal is used while in Apply, function:string-member-of
is used:
<ResourceMatch MatchId="function:string-equal">
<AttributeValue>bbb</AttributeValue>
<AttributeSelector RequestContextPath="/a/b/c/text()">
</ResourceMatch>
|<Apply FunctionId="function:string-member-of">
<AttributeValue>bbb</AttributeValue>
<AttributeSelector RequestContextPath="/a/b/c/text()">
</Apply>
We fix the above problem by using the higher-order bag function specified
in 0.9 function draft:
<ResourceMatch MatchId="function:string-equal">
<AttributeValue>bbb</AttributeValue>
<AttributeDesignator AttributeId="role1"/>
</ResourceMatch>
<Apply FunctionId="function:all-of">
<Function FunctionId="function:string-equal"/>
<AttributeValue>bbb</AttributeValue>
<AttributeDesignator AttributeId="role1"/>
</Apply>
When we specify policy for MatchId, function:all-of is implicitly used
for specifying the semantics of the comparison on bags.
==========
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
----- Forwarded by Michiharu Kudoh/Japan/IBM on 2002/09/18 20:12 -----
Michiharu Kudoh
To: XACML TC <xacml@lists.oasis-open.org>
2002/09/17 19:55 cc:
From: Michiharu Kudoh/Japan/IBM@IBMJP
Subject: [xacml] Issues list and tentative resolutions of function model
The following are the issues list and tentative resolutions of the call on
16. This is not a schema change request but I followed the format used by
Anne. For the moment I put my name as an initiator of each issue. Please
let me know any editorial, technical and general comments.
0042. [Michiharu] XACML supports consistent specification between MatchId
function and Apply function
STATUS: APPROVED 9/16 (NQ)
0043. [Michiharu] XACML supports unordered set that is called a "bag"
STATUS: APPROVED 9/16 (NQ)
0044. [Michiharu] XACML distinguishes singleton data from bag type
STATUS: APPROVED 9/16 (NQ)
0045. [Michiharu] XACML supports higher-order bag functions
STATUS: APPROVED 9/16 (NQ)
0046. [Michiharu] XACML supports operators for computing on bag types.
STATUS: APPROVED 9/16 (NQ)
======================
0042. [Michiharu] XACML supports consistent specification between MatchId
function and Apply function
http://lists.oasis-open.org/archives/xacml/200209/msg00098.html
In ver 0.8 function draft, string comparison (set against a value) is
differently specified in MatchId from Apply. Suppose attribute selector
returns a sequence (e.g. "aaa" and "bbb"). In ResourceMatch,
function:string-equal is used while in Apply, function:string-member-of
is used:
<ResourceMatch MatchId="function:string-equal">
<AttributeSelector RequestContextPath="/a/b/c/text()">
<AttributeValue>bbb</AttributeValue>
</ResourceMatch>
|<Apply FunctionId="function:string-member-of">
<AttributeValue>bbb</AttributeValue>
<AttributeSelector RequestContextPath="/a/b/c/text()">
</Apply>
We fix the above problem by using the higher-order bag function specified
in 0.9 function draft:
<ResourceMatch MatchId="function:string-equal">
<AttributeDesignator AttributeId="role1"/>
<AttributeValue>bbb</AttributeValue>
</ResourceMatch>
<Apply FunctionId="function:any-of-each">
<Function FunctionId="function:string-equal"/>
<AttributeDesignator AttributeId="role1"/>
<AttributeValue>bbb</AttributeValue>
</Apply>
When we specify policy for MatchId, function:any-of-each is implicitly used
for specifying the semantics of the comparison on bags.
0043. [Michiharu] XACML supports unordered set that is called a "bag"
http://lists.oasis-open.org/archives/xacml/200209/msg00098.html
XACML supports an unordered set type and does not support a sequence
type because there is few requirement that needs sequence dependent
policy specification (e.g. sequence-equal function (or point-wise
comparison)
in XPath 2.0 draft is one of such requirement but TC members decided
that is a lower priority).
We rename it from "sequence (unordered set)" to "bag".
0044. [Michiharu] XACML distinguishes singleton data from bag type.
http://lists.oasis-open.org/archives/xacml/200209/msg00098.html
XACML has two kinds of functions: a function that defines semantics on
singleton data (e.g. function:string-equal), and a function that defines
the
semantics on bags (e.g. function:any-of-each). This means that XACML
distinguishes singleton data from bag type. We don't distinguish them by
local name or its prefix. The specification lists function names as text.
0045. [Michiharu] XACML supports higher-order bag functions
http://lists.oasis-open.org/archives/xacml/200209/msg00098.html
XACML supports higher-order bag functions as 0.9 draft describes.
0046. [Michiharu] XACML supports operators for computing on bag types.
http://lists.oasis-open.org/archives/xacml/200209/msg00098.html
Comparison among bag types (e.g. any-of-each) is defined by higher-order
bag functions as 0.9 draft describes.
Best
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC