Subject: RE: [xacml] is-present-designators (fwd)
On Tue, 5 Nov 2002, Daniel Engovatov wrote:

> I agree. They are not critical and the functionality can be temporarily
> added as an extension function if some policy really needs it.

Not quite. The only extension function, by using the XACML way of defining
a new FunctionId, can only do what Simon said, take a bag of elements from
an *AttributeDesignator, of which they have already been retrieved, and
then just count the elements in the bag.

However, I would like to make statements like:

If attribute XXX is present and it does NOT match George then Deny.

A simple use of a subject-match, e.g.

(not (subject-match "string-equals" <subj-attr-desg "XXX"> "George"))

doesn't cut it. I definitely need

(subject-attr-is-present "XXX") and (not (subject-match ....)))

To get the right semantic.

-Polar

> -----Original Message-----
> From: simon godik [mailto:simon@godik.com]
> Sent: Tuesday, November 05, 2002 2:49 PM
> To: XACML
> Subject: Re: [xacml] is-present-designators (fwd)
>
> There is potential optimization with is-present elements,
> provided that attribute data storage supports is-present query.
> I propose to defer this optimization to xacml 1.1.
>
> Simon
>
> ----- Original Message -----
> From: "Polar Humenn" <polar@syr.edu>
> To: "XACML" <xacml@lists.oasis-open.org>
> Sent: Tuesday, November 05, 2002 2:46 PM
> Subject: Re: [xacml] is-present-designators (fwd)
>
> > On Tue, 5 Nov 2002, Polar Humenn wrote:
> >
> > > There is a way to test if attribute is present without using is-present-designator elements:
> > > It is to compare bag size selected by the designator to 0:
> > >
> > > <apply function-id="integer-greater-than">
> > >   <apply function-id="type-bag-size">
> > >     <attribute-designator ..../>
> > >   </apply>
> > >   <attr-val ...>0</attr-val>
> > > </apply>
> >
> > Well, I do agree that is a way, but still it may not be all that
> > efficient.
> >
> > Let's say you have an attribute named "face-print" that contains 2MB of
> > image data. You might have 10 of them. If you just want to know if it's
> > present, using the IsPresent element just may require the request context
> > builder to just see if it's there. Comparing the bag size would require
> > the AttributeDesignator, which would actually retrieve them for nothing.
> >
> > -Polar
> >
> > > My proposal is to drop is-present-attribute-designators
> > >
> > > Simon
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
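
The semantic difference between the two conditions in the reply above, and the retrieval cost of the bag-size test, shown in a simplified Python model; this is an added example, not part of the original thread and not code from any XACML implementation. The `AttributeStore` class, its methods, and the rule that a match over a bag is true when any element matches are assumptions made for illustration, and the sample requests are constructed.

```python
# Simplified model of the policy conditions discussed in the thread.
# Not an XACML engine: AttributeStore and its methods are hypothetical.

class AttributeStore:
    """Request-context attribute source that counts the values it fetches."""
    def __init__(self, attrs):
        self._attrs = attrs          # attribute name -> list of values (the "bag")
        self.values_fetched = 0      # how many values designators have retrieved

    def designator(self, name):
        """Model of an attribute designator: retrieves the whole bag."""
        bag = list(self._attrs.get(name, []))
        self.values_fetched += len(bag)
        return bag

    def is_present(self, name):
        """Model of an is-present test: existence check, no value retrieval."""
        return bool(self._attrs.get(name))


def subject_match(store, name, expected):
    # Assumption: a match over a bag is true if any element equals `expected`.
    return any(v == expected for v in store.designator(name))


def deny_without_presence(store):
    # (not (subject-match "string-equals" <subj-attr-desg "XXX"> "George"))
    return not subject_match(store, "XXX", "George")


def deny_with_presence(store):
    # (subject-attr-is-present "XXX") and (not (subject-match ....))
    return store.is_present("XXX") and not subject_match(store, "XXX", "George")


def present_via_bag_size(store, name):
    # integer-greater-than(type-bag-size(designator), 0)
    return len(store.designator(name)) > 0


def compare(attrs):
    """Return (deny_without_presence, deny_with_presence) for one request."""
    return (deny_without_presence(AttributeStore(attrs)),
            deny_with_presence(AttributeStore(attrs)))


def fetch_cost(attrs, name):
    """Values retrieved by (bag-size test, is-present test) for the same answer."""
    a, b = AttributeStore(attrs), AttributeStore(attrs)
    return (present_via_bag_size(a, name), a.values_fetched,
            b.is_present(name), b.values_fetched)
```

In this model the two conditions differ only when attribute XXX is absent from the request: the bare negated match denies, while the presence-guarded form does not.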