Subject: [xacml] Proposed text for new section in Appendix A on Structured datatypes


Please comment on the following before Monday's editing session
so that a final version may be presented at that time. -Anne

Proposed text for new section in Appendix A, to follow A.2
Primitive types.

A.3 Structured types

An XACML <AttributeValue> MAY contain an instance of a structured
xml data type, for example <ds:KeyInfo>.  XACML 1.0 supports
three ways of comparing such <AttributeValue>s.

1) In some cases, such an <AttributeValue> may be compared
   using one of the XACML string functions, such as
   regexp-string-match, described below.  This requires the
   structured data, including its tags and attributes, to be
   treated as an <xs:string>.  In general, this method will not
   be adequate unless the structured data type is quite simple.

2) An <AttributeSelector> element may be used to select the value
   of a leaf sub-element of the structured data type.  That value
   may then be compared using one of the supported XACML
   functions appropriate for its primitive data type.

3) An <AttributeSelector> element may be used to select the value
   of any node in the structured type.  This node may then be
   compared using one of the XPath-based functions described
   below.

Methods 2) and 3) require support for optional XACML features
(XPath expressions and XPath functions) by the PDP.

A fourth alternative is for a community of XACML users to define
separate attribute identifiers for each leaf sub-element of a
given structured data type.  Using these identifiers, the Context
Handlers used by that community of users can flatten instances of
the structured data type into a sequence of <Attribute>s.  Each
such <Attribute> will have an <AttributeValue> that is an
instance of one of the XACML-supported primitive Datatypes, and
thus can be compared using the XACML-supported functions.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
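
The following is an added example, not part of the original message or of the XACML specification. It uses Python's standard library rather than a PDP to contrast method 1 (string matching over the markup), method 2 (selecting a leaf value) and the fourth alternative (flattening into attributes) on two constructed serializations of the same <ds:KeyInfo>. The attribute identifiers under urn:example: and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed samples: the same KeyInfo content serialized two ways
# (different namespace prefix and whitespace). Untrusted XML would need
# a hardened parser; these inputs are fixed literals.
KEYINFO_A = ('<ds:KeyInfo xmlns:ds="%s"><ds:KeyName>alice-signing</ds:KeyName>'
             '<ds:X509Data><ds:X509SubjectName>CN=Alice,O=Example</ds:X509SubjectName>'
             '</ds:X509Data></ds:KeyInfo>' % DS)
KEYINFO_B = ('<k:KeyInfo xmlns:k="%s">\n  <k:KeyName>alice-signing</k:KeyName>\n'
             '  <k:X509Data><k:X509SubjectName>CN=Alice,O=Example</k:X509SubjectName>'
             '</k:X509Data>\n</k:KeyInfo>' % DS)

def string_match(xml_text, pattern):
    """Method 1: treat tags and content as one string and apply a regexp."""
    return re.search(pattern, xml_text) is not None

def select_leaf(xml_text, path):
    """Method 2: select one leaf sub-element and return its primitive value."""
    node = ET.fromstring(xml_text).find(path, NS)
    return None if node is None else (node.text or "").strip()

# Hypothetical community-defined attribute identifiers, one per leaf.
LEAF_IDS = {
    "ds:KeyName": "urn:example:keyinfo:key-name",
    "ds:X509Data/ds:X509SubjectName": "urn:example:keyinfo:x509-subject-name",
}

def flatten(xml_text):
    """Fourth alternative: flatten into (attribute id, string value) pairs."""
    root = ET.fromstring(xml_text)
    pairs = []
    for path, attr_id in LEAF_IDS.items():
        for node in root.findall(path, NS):
            pairs.append((attr_id, (node.text or "").strip()))
    return pairs

if __name__ == "__main__":
    pattern = r"<ds:KeyName>alice-signing</ds:KeyName>"
    for name, doc in (("A", KEYINFO_A), ("B", KEYINFO_B)):
        print(name, string_match(doc, pattern),
              select_leaf(doc, "ds:KeyName"), flatten(doc))
```

The string pattern matches only serialization A, while leaf selection and flattening give identical results for both, which is why a policy condition built on method 1 can silently stop matching when a producer changes prefix or whitespace.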