OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] [Issue] How many resourceIds in request context?

Tim,

Some people, including Hal and, I think, Seth, believe that there
absolutely must be one and only one resource-id attribute.  The
reasoning is that any Request must at least specify the
resource-id in order to know what is being accessed.

I disagree with this view.  I believe a resource could be
described via attributes other than its resource-id.  For
example, a Request could ask for access to a resource that has a
security label of "Top Secret".  The policy may not care what the
resource-id is, but is willing to grant or deny access based on
whether the Subject has a corresponding security clearance
attribute.

If we ever support partial evaluation, then cases arise in which
there may be no resource attributes in the Request at all,
because any resource attributes have already been factored out of
the policy to be evaluated.  This applies also to subject and
action attributes.

Anne Anderson

On 5 January, Tim Moses writes: [xacml] [Issue] How many resourceIds in request context?
 > From: Tim Moses <tim.moses@entrust.com>
 > To: 'XACML' <xacml@lists.oasis-open.org>
 > Subject: [xacml] [Issue] How many resourceIds in request context?
 > Date: Mon, 05 Jan 2004 11:12:20 -0500
 > 
 > Colleagues - In section 6.3 of v1.1 we define the syntax for
 > <xacml-context:Resource> thusly:  
 > 
 > 	<xs:element name="Resource" type="xacml-context:ResourceType"/>
 > 	<xs:complexType name="ResourceType">
 > 		<xs:sequence>
 > 			<xs:element ref="xacml-context:ResourceContent"
 > minOccurs="0"/>
 > 			<xs:element ref="xacml-context:Attribute"
 > minOccurs="0" maxOccurs="unbounded"/>
 > 		</xs:sequence>
 > 	</xs:complexType>
 > 
 > Consider the 5th line (... ref="xacml-context:Attribute" ...).
 > 
 > Below, we say:
 > 
 > "The <Resource> element MUST contain one and only one <Attribute> with an
 > AttributeId of "urn:oasis:names:tc:xacml:1.0:resource:resource-id"."
 > 
 > The "minOccurs="0"" in line 5 and the "one and only one" below it appear to
 > conflict.
 > 
 > I expect we mean "no more than one".  Can I go ahead and change this?  All
 > the best.  Tim.
 > 
 > -----------------------------------------------------------------
 > Tim Moses
 > 613.270.3183
 > 
 > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]