OASIS Mailing List Archives: xacml message


Subject: [xacml] [CR] New Section 7.x: Request context


This is a revised submission of my original CR (dated 08 Oct
2002) based on comments from Polar.  This replaces the original
as a candidate for inclusion in XACML 1.0.

-Anne

CR: Add new section early in Chapter 7 to describe how the
Request context is to be handled.

Rationale: This will make the handling of missing attributes more
clear and help PDPs return consistent results.  This is related
to the issue of the "notional" Request.xml that I discussed in
http://lists.oasis-open.org/archives/xacml/200210/msg00035.html
"[xacml] Request Context and presence of Attributes" dated 7 Oct
2002.

Text:

7.x Request context

The XACML Request Context is an abstraction that allows a policy
to refer to attributes "as if" the attributes were in an XML
document that follows the XACML 1.0 Request Context schema.  This
applies to both AttributeDesignators and to AttributeSelectors.

Any attributes supplied by the PEP are available in the XACML
Request Context, as are the subject:subject-category,
environment:current-time, environment:current-date, and
environment:current-dateTime attributes.

Additional attributes may be referenced by a policy "as if" they
were in the Request Context XML document, although their
existence may not be determined until the time that they are
referenced during evaluation of the policy.

A result of "Indeterminate" MUST NOT be returned unless the
immediately enclosing function that references the "missing
attribute" is actually executed.  For example, if two
AttributeDesignators are supplied as arguments to "function:or",
and the first AttributeDesignator returns a value of "true", then
the result of the "function:or" is "true" even if the second
AttributeDesignator, if evaluated, would have returned a result
of "Indeterminate" due to "Missing attribute".

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
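
The evaluation rule proposed in the message above, sketched as an added example that is not part of the original message or of any XACML implementation. The class and function names, the "example:" attribute ids and the left-to-right argument order are assumptions made for illustration.

```python
# Added illustration: lazy attribute resolution and short-circuit "or".
# All names and attribute ids are hypothetical, constructed for this example.
INDETERMINATE = "Indeterminate"

class MissingAttribute(Exception):
    """Raised only when a designator is actually evaluated and finds nothing."""

class RequestContext:
    """Attributes supplied by the PEP plus an optional late-binding finder."""
    def __init__(self, supplied, finder=None):
        self.supplied = dict(supplied)
        self.finder = finder or (lambda attr_id: None)
        self.lookups = []  # records which attributes were really referenced

    def resolve(self, attr_id):
        self.lookups.append(attr_id)
        if attr_id in self.supplied:
            return self.supplied[attr_id]
        # Existence is determined only now, at the time of reference.
        value = self.finder(attr_id)
        if value is None:
            raise MissingAttribute(attr_id)
        return value

def designator(attr_id):
    """Deferred lookup: nothing is resolved until the returned thunk is called."""
    return lambda ctx: ctx.resolve(attr_id)

def function_or(*args):
    """Assumption: arguments are evaluated left to right, stopping at first true."""
    def run(ctx):
        for arg in args:
            if arg(ctx) is True:
                return True  # later arguments are never executed
        return False
    return run

def evaluate(expr, ctx):
    """Map a missing attribute to Indeterminate only if its lookup was executed."""
    try:
        return expr(ctx)
    except MissingAttribute:
        return INDETERMINATE

if __name__ == "__main__":
    expr = function_or(designator("example:is-owner"), designator("example:is-admin"))
    ctx = RequestContext({"example:is-owner": True})  # is-admin not supplied
    print(evaluate(expr, ctx), ctx.lookups)
```

The lookups list makes the point auditable: when the first designator is "true", the second attribute is never referenced, so its absence cannot affect the result.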


