Subject: Status issue for #42...multiple elements in a hierarchical resource
There was an issue with the status returned when no Result would be returned from a request for multiple elements in a hierarchical resource. I believe the issue arose when the node identified in the resource-id was not part of the hierarchy passed in the <ResourceContent> element, yet a resource:scope of Children or Descendants was requested. It was suggested that XACML needed some overall "Response" Status to deal with this, in addition to the Status values associated with each Result (each of which references a particular node in the hierarchy).

Rebekah asked me if this was actually an issue, and I think I agree there is not: there will always be at least one Result, since the node listed in the resource-id Attribute itself is always one of the elements to which access is requested. The XACML 1.1 Specification specifically says this on lines 2971 and 2975: the decision request SHALL be interpreted to apply to the specified resource and {its immediate children resources | all its descendant resources}.

If the node in the resource-id is not present in the <ResourceContent>, then if the policy does not specifically reference that exact node, there will be a Result for that one node only with a Status of Not Applicable (or Indeterminate). If the policy does specifically reference that exact node, there will be a Result for that one node only with a Status of whatever.

Am I missing something?

Anne
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311   Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692