[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Ruleelement
Yes. Michiharu bill parducci <bill.parducci@ov To: XACML TC <xacml@lists.oasis-open.org> erxeer.com> cc: Subject: Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Rule element 2003/05/02 23:15 with this proposal i assume that the 'combining' mechanism will not change from the current spec: it will be an implicit AND for all returned obligations (the PEP will have to sort it out). is this correct? b Michiharu Kudoh wrote: > Proposed XACML 1.1 Solution for Obligations in Rule element > > Problem Description > =================== > > XACML 1.0 allows a PolicySet and Policy to include Obligations > element but does not allow a Rule to include it. > Allowing Obligations element to Rules could make Policies shorter, > particularly when each Rule has the identical target description > but different condition expression. In more detail, please refer to > http://lists.oasis-open.org/archives/xacml/200303/msg00006.html > > Proposal > ======== > > Allow XACML <Rule> elements to contains <Obligations> element. > There is no need to define new schema or new schema type. > > <xs:element name="Rule" type="xacml:RuleType"/> > <xs:complexType name="RuleType"> > <xs:sequence> > <xs:element ref="xacml:Description" minOccurs="0"/> > <xs:element ref="xacml:Target" minOccurs="0"/> > <xs:element ref="xacml:Condition" minOccurs="0"/> > <xs:element ref="xacml:Obligations" minOccurs="0"/> > </xs:sequence> > <xs:attribute name="RuleId" type="xs:anyURI" use="required"/> > <xs:attribute name="Effect" type="xacml:EffectType" use ="required"/> > </xs:complexType> > > > Discussion > ========== > > XACML TC decided not to have obligations in rule element to avoid > any extra complexity in the specification. Actually, allowing > Obligations element in Rule does NOT generate more complexity. > Moreover, there is no need to change the semantics. So, allowing > obligations in rule element still keeps the spec the same complexity. > > The description of Section 7.11 only needs minimum > modification such that text changes from "PolicySet and Policy may > contain one or more obligations" to "PolicySet, Policy and Rule may > contain one or more obligations". > > The description of combining algorithm needs a minimum addition > like just inserting one line text "Obligations of the individual > rules shall be combined as described in Section 7.11." before > line 4637. > > Since the Obligations element is optional, this extension > affects only implementations that supports obligations specified > in the current XACML specification. > > There had been some discussion about insufficient description > of the *-combining algorithm, but this extension is orthogonal > to that argument. > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]