[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Ruleelement
Yes.
Michiharu
bill parducci
<bill.parducci@ov To: XACML TC <xacml@lists.oasis-open.org>
erxeer.com> cc:
Subject: Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Rule element
2003/05/02 23:15
with this proposal i assume that the 'combining' mechanism will not
change from the current spec: it will be an implicit AND for all
returned obligations (the PEP will have to sort it out). is this correct?
b
Michiharu Kudoh wrote:
> Proposed XACML 1.1 Solution for Obligations in Rule element
>
> Problem Description
> ===================
>
> XACML 1.0 allows a PolicySet and Policy to include Obligations
> element but does not allow a Rule to include it.
> Allowing Obligations element to Rules could make Policies shorter,
> particularly when each Rule has the identical target description
> but different condition expression. In more detail, please refer to
> http://lists.oasis-open.org/archives/xacml/200303/msg00006.html
>
> Proposal
> ========
>
> Allow XACML <Rule> elements to contains <Obligations> element.
> There is no need to define new schema or new schema type.
>
> <xs:element name="Rule" type="xacml:RuleType"/>
> <xs:complexType name="RuleType">
> <xs:sequence>
> <xs:element ref="xacml:Description" minOccurs="0"/>
> <xs:element ref="xacml:Target" minOccurs="0"/>
> <xs:element ref="xacml:Condition" minOccurs="0"/>
> <xs:element ref="xacml:Obligations" minOccurs="0"/>
> </xs:sequence>
> <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
> <xs:attribute name="Effect" type="xacml:EffectType" use
="required"/>
> </xs:complexType>
>
>
> Discussion
> ==========
>
> XACML TC decided not to have obligations in rule element to avoid
> any extra complexity in the specification. Actually, allowing
> Obligations element in Rule does NOT generate more complexity.
> Moreover, there is no need to change the semantics. So, allowing
> obligations in rule element still keeps the spec the same complexity.
>
> The description of Section 7.11 only needs minimum
> modification such that text changes from "PolicySet and Policy may
> contain one or more obligations" to "PolicySet, Policy and Rule may
> contain one or more obligations".
>
> The description of combining algorithm needs a minimum addition
> like just inserting one line text "Obligations of the individual
> rules shall be combined as described in Section 7.11." before
> line 4637.
>
> Since the Obligations element is optional, this extension
> affects only implementations that supports obligations specified
> in the current XACML specification.
>
> There had been some discussion about insufficient description
> of the *-combining algorithm, but this extension is orthogonal
> to that argument.
>
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]