Status issue for #42...multiple elements in a hierarchical resource

[Anne Anderson <Anne.Anderson@Sun.com>]

There was an issue with the status returned when no Result would
be returned from a request for multiple elements in a
hierarchical resource.

I believe the issue arose when the node identified in the
resource-id was not part of the hierarchy passed in the
<ResourceContent> element, yet a resource:scope of Children or
Descendants was requested.

It was suggested that XACML needed some overall "Response" Status
to deal with this, in addition to the Status values associated
with each Result (each of which references a particular node in
the hierarchy).

Rebekah asked me if this was actually an issue, and I think I
agree there is not: there will always be at least one Result,
since the node listed in the resource-id Attribute itself is
always one of the elements to which access is requested.  The
XACML 1.1 Specification specifically says this on lines 2971 and
2975: the decision request SHALL be interpreted to apply to the
specified resource and {its immediate children resources | all
its descendant resources}.

If the node in the resource-id is not present in the
<ResourceContent>, then if the policy does not specifically
reference that exact node, there will be a Result for that one
node only with a Status of Not Applicable (or Indeterminate).  If
the policy does specifically reference that exact node, there
will be a Result for that one node only with a Status of
whatever.

Am I missing something?

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692