Subject: [xacml] Proposed XACML 1.1 Solution for Item F1: Properties for new combining algorithms
The original draft proposal is
http://lists.oasis-open.org/archives/xacml/200304/msg00040.html

===================

Proposed XACML 1.1 Solution for Item F1: "Properties for new combining algorithms"

Problem Description
===================

The current XACML language model allows policy writers to specify custom rule/policy combining algorithms as one of the extension points (line 419 "Users of this specification may, if necessary, define their own combining algorithms"). In some cases, those custom algorithms need additional parameter(s) associated with each rule or policy. For example, a priority-based combining algorithm needs a priority number attached to each rule, and a hierarchy-based combining algorithm needs a hierarchy level attached to each rule. The current XACML schema has no space to specify such custom parameters in rule/policy specifications.

This proposal extends the current schema to hold an optional <Property> element below <PolicySet>, <Policy>, <Rule> elements just like another <Description> element which is used for specifying textual information for human users. The <Property> element is intended for use by the machine (combining algorithm).

Proposal
========

1. Define new element <Property> in policy schema.
2. Change definition of <PolicySet>, <Policy>, and <Rule> elements to optionally include <Property> element.
3. Import xacml:context schema to reuse <Attribute> definition in the xacml:policy schema.
4. Change to specification

Proposed Solution
=================

1. Define new element <Property> in policy schema.

    <xs:element name="Property" type="xacml:PropertyType"/>
    <xs:complexType name="PropertyType">
      <xs:sequence>
        <xs:element ref="xacml-context:Attribute" minOccurs="1" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>

   - Property can include one or more attribute type-value pairs.

2. Change definition of <PolicySet>, <Policy>, and <Rule> elements to optionally include <Property> element.

    <xs:complexType name="PolicySetType">
      <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:Property" minOccurs="0"/>
        <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
        <xs:element ref="xacml:Target"/>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element ref="xacml:PolicySet"/>
          <xs:element ref="xacml:Policy"/>
          <xs:element ref="xacml:PolicySetIdReference"/>
          <xs:element ref="xacml:PolicyIdReference"/>
        </xs:choice>
        <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
      <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
    </xs:complexType>

    <xs:complexType name="PolicyType">
      <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:Property" minOccurs="0"/>
        <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
        <xs:element ref="xacml:Target"/>
        <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
      <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
    </xs:complexType>

    <xs:complexType name="RuleType">
      <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:Property" minOccurs="0"/>
        <xs:element ref="xacml:Target" minOccurs="0"/>
        <xs:element ref="xacml:Condition" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
      <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
    </xs:complexType>

   - Note that <Property> is inserted below every <Description> element.

3. Import xacml:context schema to reuse <Attribute> definition in the xacml:policy schema

    <xs:import namespace="urn:oasis:names:tc:xacml:1.0:context"
               schemaLocation="cs-xacml-schema-context-01.xsd"/>

4. Change to specification

Line 419:
    Users of this specification may, if necessary, define their own combining algorithms. If their algorithms need custom parameters on each policy set, policy, and rule, the users can use the optional <Property> element to specify those parameters. If that is the case,

Line 1769: Add a new line
    <xs:element ref="xacml-context:Property" minOccurs="0"/>

Line 1797: Add new lines
    <Property> [Optional]
    One or more attribute type-value pairs used by the custom policy set combining algorithm.

Line 2075: Add a new line
    <xs:element ref="xacml-context:Property" minOccurs="0"/>

Line 2096: Add new lines
    <Property> [Optional]
    One or more attribute type-value pairs used by the custom policy combining algorithm.

Line 2136: Add a new line
    <xs:element ref="xacml-context:Property" minOccurs="0"/>

Line 2150: Add new lines
    <Property> [Optional]
    One or more attribute type-value pairs used by the custom rule combining algorithm.

Line 4590, 4647, 4694, 4752, 4802, 4840, and 4879: Add the following sentence
    If one or more attribute type-value pairs are specified in the <Property> element, they SHALL be ignored.

Discussion
==========

- A sample policy specification is:

    <Policy RuleCombiningAlgId="myCombiningAlgo">
      <Rule>
        <Property>
          <Attribute AttributeId="MyRuleTypeAttribute" DataType="...String">
            <AttributeValue>strong</AttributeValue>
          </Attribute>
        </Property>
        <Target>...
        <Condition>...
      </Rule>
      <Rule>
        <Property>
          <Attribute AttributeId="MyRuleTypeAttribute" DataType="...String">
            <AttributeValue>weak</AttributeValue>
          </Attribute>
        </Property>
        <Target>...
        <Condition>...
      </Rule>
    </Policy>

  In this example, a custom combining algorithm called "myCombiningAlgo" uses a rule type attribute "strong" or "weak" attached to each rule when it evaluates the policy.

- For backward compatibility purposes, <Property> SHALL be ignored when it is specified with the standard combining algorithm.

Michiharu Kudo
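
Added example (not part of the original message or of the XACML specification): a small Python sketch of how an evaluator could treat <Property> as proposed above, with a standard algorithm that never reads it and a custom rule combining algorithm that does. The algorithm id "urn:example:strength-overrides", the ranking of "strong" over "weak", the Indeterminate result for a missing or unrecognized value, and the constructed rules with no <Target> or <Condition> are all assumptions made for illustration; the message does not define what myCombiningAlgo does.

```python
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CTX_NS = "urn:oasis:names:tc:xacml:1.0:context"  # imported by step 3 of the proposal
NS = {"p": POLICY_NS, "c": CTX_NS}
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
STRENGTH_OVERRIDES = "urn:example:strength-overrides"  # hypothetical custom algorithm id
RANK = {"weak": 1, "strong": 2}  # assumed meaning of the sample's values

def rule_xml(rule_id, effect, strength=None):
    """Constructed <Rule> with no Target/Condition, so it always applies."""
    prop = "" if strength is None else (
        '<Property><c:Attribute AttributeId="MyRuleTypeAttribute" '
        'DataType="http://www.w3.org/2001/XMLSchema#string">'
        f'<c:AttributeValue>{strength}</c:AttributeValue></c:Attribute></Property>')
    return f'<Rule RuleId="{rule_id}" Effect="{effect}">{prop}</Rule>'

def policy_xml(alg_id, *rules):
    return (f'<Policy xmlns="{POLICY_NS}" xmlns:c="{CTX_NS}" PolicyId="sample" '
            f'RuleCombiningAlgId="{alg_id}">{"".join(rules)}</Policy>')

def rule_property(rule, attribute_id):
    """Value of attribute_id under <Property>, or None if absent or ambiguous."""
    values = [a.findtext("c:AttributeValue", namespaces=NS)
              for a in rule.findall("p:Property/c:Attribute", NS)
              if a.get("AttributeId") == attribute_id]
    return values[0].strip() if len(values) == 1 and values[0] else None

def deny_overrides(rules):
    """Simplified standard algorithm: <Property> is never read, any Deny wins."""
    effects = [r.get("Effect") for r in rules]
    return "Deny" if "Deny" in effects else ("Permit" if effects else "NotApplicable")

def strength_overrides(rules):
    """Hypothetical custom algorithm: top-ranked rules decide, Deny breaks ties."""
    ranked = [(RANK.get(rule_property(r, "MyRuleTypeAttribute")), r) for r in rules]
    if any(rank is None for rank, _ in ranked):
        return "Indeterminate"  # missing or unknown value: do not guess a rank
    if not ranked:
        return "NotApplicable"
    top = max(rank for rank, _ in ranked)
    return deny_overrides([r for rank, r in ranked if rank == top])

ALGORITHMS = {DENY_OVERRIDES: deny_overrides, STRENGTH_OVERRIDES: strength_overrides}

def evaluate(policy_text):
    policy = ET.fromstring(policy_text)  # constructed input; harden parsing for untrusted XML
    alg = ALGORITHMS.get(policy.get("RuleCombiningAlgId"))
    return alg(policy.findall("p:Rule", NS)) if alg else "Indeterminate"
```

The same two rules give Deny under the standard algorithm and Permit under the custom one, so the RuleCombiningAlgId on a policy that carries <Property> elements deserves the same review attention as the rules themselves.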