OASIS Mailing List Archives

 



xacml message



Subject: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Rule element


Proposed XACML 1.1 Solution for Obligations in Rule element

Problem Description
===================

XACML 1.0 allows a PolicySet and Policy to include an Obligations
element but does not allow a Rule to include it.
Allowing an Obligations element in Rules could make Policies shorter,
particularly when each Rule has the identical target description
but a different condition expression. For more detail, please refer to
http://lists.oasis-open.org/archives/xacml/200303/msg00006.html

Proposal
========

Allow XACML <Rule> elements to contain an <Obligations> element.
There is no need to define new schema or new schema type.

<xs:element name="Rule" type="xacml:RuleType"/>
<xs:complexType name="RuleType">
      <xs:sequence>
            <xs:element ref="xacml:Description" minOccurs="0"/>
            <xs:element ref="xacml:Target" minOccurs="0"/>
            <xs:element ref="xacml:Condition" minOccurs="0"/>
            <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
      <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>


Discussion
==========

The XACML TC decided not to have obligations in the rule element to
avoid any extra complexity in the specification. Actually, allowing
an Obligations element in Rule does NOT generate more complexity.
Moreover, there is no need to change the semantics. So, allowing
obligations in the rule element still keeps the spec at the same
complexity.

The description of Section 7.11 needs only a minimal
modification, such that the text changes from "PolicySet and Policy may
contain one or more obligations" to "PolicySet, Policy and Rule may
contain one or more obligations".

The description of the combining algorithm needs a minimal addition,
such as inserting the one-line text "Obligations of the individual
rules shall be combined as described in Section 7.11." before
line 4637.

Since the Obligations element is optional, this extension
affects only implementations that support obligations specified
in the current XACML specification.

There had been some discussion about insufficient description
of the *-combining algorithm, but this extension is orthogonal
to that argument.
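
Added example, not part of the original message or of the XACML specification: a Python sketch of how a PDP could collect rule-level obligations under the proposed RuleType, keeping only those whose FulfillOn matches the rule's Effect and then appending the enclosing policy's matching obligations. The policy fragment is constructed and simplified (Target and Condition omitted, so it is not schema-valid), the `urn:example:` identifiers and the `applicable` parameter are assumptions, and first-applicable is used only to keep the sketch short.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}

# Constructed sample: rules differ only in (omitted) condition and in obligation.
POLICY = """
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="urn:example:records">
  <Rule RuleId="urn:example:rule:owner" Effect="Permit">
    <Obligations>
      <Obligation ObligationId="urn:example:obl:log-access" FulfillOn="Permit"/>
    </Obligations>
  </Rule>
  <Rule RuleId="urn:example:rule:emergency" Effect="Permit">
    <Obligations>
      <Obligation ObligationId="urn:example:obl:notify-auditor" FulfillOn="Permit"/>
      <Obligation ObligationId="urn:example:obl:unused" FulfillOn="Deny"/>
    </Obligations>
  </Rule>
  <Rule RuleId="urn:example:rule:default" Effect="Deny"/>
  <Obligations>
    <Obligation ObligationId="urn:example:obl:policy-level" FulfillOn="Deny"/>
  </Obligations>
</Policy>
"""

def obligations(parent, effect):
    """ObligationIds directly under `parent` whose FulfillOn equals `effect`."""
    return [o.get("ObligationId")
            for o in parent.findall("x:Obligations/x:Obligation", NS)
            if o.get("FulfillOn") == effect]

def evaluate(policy_xml, applicable):
    """First-applicable over the rules. `applicable` is the set of RuleIds whose
    Target and Condition matched (evaluating them is outside this sketch)."""
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall("x:Rule", NS):
        if rule.get("RuleId") in applicable:
            effect = rule.get("Effect")
            # Rule obligations first, then the enclosing policy's, both
            # filtered by FulfillOn against the resulting effect.
            return effect, obligations(rule, effect) + obligations(policy, effect)
    # No rule applied: nothing was evaluated to an effect, so no obligations.
    return "NotApplicable", []
```

Rules that were skipped as not applicable contribute no obligations, which is why only the matching rule's list appears in the result.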




