Subject: Re: [xacml] [Issue] How many resourceIds in request context?
Tim,

Some people, including Hal and, I think, Seth, believe that there absolutely must be one and only one resource-id attribute. The reasoning is that any Request must at least specify the resource-id in order to know what is being accessed.

I disagree with this view. I believe a resource could be described via attributes other than its resource-id. For example, a Request could ask for access to a resource that has a security label of "Top Secret". The policy may not care what the resource-id is, but is willing to grant or deny access based on whether the Subject has a corresponding security clearance attribute.

If we ever support partial evaluation, then cases arise in which there may be no resource attributes in the Request at all, because any resource attributes have already been factored out of the policy to be evaluated. This applies also to subject and action attributes.

Anne Anderson

On 5 January, Tim Moses writes: [xacml] [Issue] How many resourceIds in request context?
> From: Tim Moses <tim.moses@entrust.com>
> To: 'XACML' <xacml@lists.oasis-open.org>
> Subject: [xacml] [Issue] How many resourceIds in request context?
> Date: Mon, 05 Jan 2004 11:12:20 -0500
>
> Colleagues - In section 6.3 of v1.1 we define the syntax for
> <xacml-context:Resource> thusly:
>
> <xs:element name="Resource" type="xacml-context:ResourceType"/>
> <xs:complexType name="ResourceType">
> <xs:sequence>
> <xs:element ref="xacml-context:ResourceContent" minOccurs="0"/>
> <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unbounded"/>
> </xs:sequence>
> </xs:complexType>
>
> Consider the 5th line (... ref="xacml-context:Attribute" ...).
>
> Below, we say:
>
> "The <Resource> element MUST contain one and only one <Attribute> with an
> AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id"."
>
> The "minOccurs="0"" in line 5 and the "one and only one" below it appear to
> conflict.
>
> I expect we mean "no more than one". Can I go ahead and change this? All
> the best. Tim.
>
> -----------------------------------------------------------------
> Tim Moses
> 613.270.3183
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
>

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
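The two readings debated in this thread ("one and only one" resource-id versus Tim's "no more than one") can be made concrete as a check over a Request context. The example below is added here and is not code from the thread or from any XACML implementation; it assumes the XACML 1.0 context namespace, and the sample Requests (including the "Top Secret" label-only Resource and the empty Resource of the partial-evaluation case) are constructed for illustration, with Subject and Action elided.

```python
import xml.etree.ElementTree as ET

# Assumed XACML 1.x request-context namespace; resource-id AttributeId from the thread.
CTX = "urn:oasis:names:tc:xacml:1.0:context"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
STRING = "http://www.w3.org/2001/XMLSchema#string"


def resource_id_counts(request_xml: str) -> list:
    """For each <Resource> in the Request, count its resource-id <Attribute>s."""
    root = ET.fromstring(request_xml)
    counts = []
    for res in root.iter(f"{{{CTX}}}Resource"):
        n = sum(1 for attr in res.findall(f"{{{CTX}}}Attribute")
                if attr.get("AttributeId") == RESOURCE_ID)
        counts.append(n)
    return counts


def check_request(request_xml: str, exactly_one: bool) -> bool:
    """exactly_one=True enforces 'one and only one' (Hal/Seth reading);
    exactly_one=False enforces 'no more than one' (Tim's proposed wording,
    which admits Anne's label-only and partial-evaluation Requests)."""
    counts = resource_id_counts(request_xml)
    if any(n > 1 for n in counts):      # duplicate resource-ids fail both readings
        return False
    return all(n == 1 for n in counts) if exactly_one else True


def _request(resource_body: str) -> str:
    # Constructed minimal Request: only the <Resource> element is populated.
    return f'<Request xmlns="{CTX}"><Resource>{resource_body}</Resource></Request>'


def _attr(attr_id: str, datatype: str, value: str) -> str:
    return (f'<Attribute AttributeId="{attr_id}" DataType="{datatype}">'
            f'<AttributeValue>{value}</AttributeValue></Attribute>')


WITH_ID = _request(_attr(RESOURCE_ID, ANY_URI, "file:///docs/plan.txt"))
LABEL_ONLY = _request(_attr("urn:example:resource:security-label", STRING, "Top Secret"))
TWO_IDS = _request(_attr(RESOURCE_ID, ANY_URI, "file:///a") + _attr(RESOURCE_ID, ANY_URI, "file:///b"))
NO_ATTRS = _request("")   # partial evaluation: resource attributes already factored out

if __name__ == "__main__":
    for name, req in [("with-id", WITH_ID), ("label-only", LABEL_ONLY),
                      ("two-ids", TWO_IDS), ("no-attrs", NO_ATTRS)]:
        print(f"{name:10} counts={resource_id_counts(req)} "
              f"exactly-one={check_request(req, True)} at-most-one={check_request(req, False)}")
```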