Subject: Re: [xacml] Any Subject, Any Resource, Any Action,Any Environment (fwd from Polar)


[The message I just sent was a forward from Polar, in case that
was not clear.  -Anne]

Here is my view:

The <Target> serves as an applicability pre-condition on the
<Rule>.  If there is no <Target>, then there is no pre-condition,
and the <Rule> simply applies (given any inherited pre-conditions
from the parent Policy).

Likewise with <Subjects>, <Resources>, ... inside a <Target>:
each is a pre-condition on <Subjects>, etc. to which this <Rule>
is applicable.  If there is no pre-condition, then the <Rule> is
applicable to any <Subject>, etc.

To me, the <Target> represents applicability narrowing
conditions.  It seems like you are suggesting that the absence of
narrowing conditions means maximum narrowing
(i.e. non-applicability), but this does not seem intuitive to me.
If there are no narrowing conditions, then the applicability is
completely open.  I think this interpretation is intuitive, and
can be easily reinforced by the text.

Anne

On 23 January, Anne Anderson writes: [xacml] Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)
 > From: Anne Anderson <Anne.Anderson@Sun.COM>
 > To: XACML TC <xacml@lists.oasis-open.org>
 > Subject: [xacml] Any Subject, Any Resource, Any Action,
 >  Any Environment (fwd from Polar)
 > Date: Fri, 23 Jan 2004 12:41:09 -0500
 > 
 > I think I may have misunderstood the approach before, or just didn't read
 > it carefully enough.  So, if I am reading the right document, the change
 > on the target is that, NOW, the sub-elements of <Target> are OPTIONAL.
 > Whereas, previously they had been REQUIRED.  Correct? (The diffs I see do
 > not seem to reflect this change).
 > 
 > <Target> has always been a conjunctive sequence of its subordinate
 > elements.  Now, due to the optionality of its subordinates, you may now end
 > up with an empty conjunctive sequence, which is commonly said to be
 > "true", and therefore an "empty" target evaluates to "Match".
 > 
 > If I've got the intent wrong on any of the following please let me know:
 > 
 > So, now, an empty target:
 > 
 > <Target>
 > </Target>
 > 
 > has the same meaning as:
 > 
 > <Target>
 >   <AnySubject/><AnyResource/><AnyAction/><AnyEnvironment/>
 > </Target>
 > 
 > Correct? Therefore, this approach also means that you may have
 > 
 > <Target>
 >    <Resources><Resource>....</Resource></Resources>
 > </Target>
 > 
 > with the resulting applicability predicate concerned with just the listed
 > resources.
 > 
 > This approach is logically consistent, as long as we can agree that
 > 
 > <Target>
 >   <AnySubject/>
 >   <Resources><Resource>....</Resource></Resources>
 >   <AnyAction/>
 >   <AnyEnvironment/>
 > </Target>
 > 
 > has the same meaning as the <Target> immediately above, and that
 > 
 > <Target>
 >   <Subjects>
 >   </Subjects>
 >   <AnyResource/>
 >   <AnyAction/>
 >   <AnyEnvironment/>
 > </Target>
 > 
 > (or any other target with an empty disjunctive subordinate) always
 > evaluates to "No-Match".
 > 
 > I don't know if this is an issue, but we should maintain <AnySubject>, etc.
 > for backward compatibility reasons.
 > 
 > Cheers,
 > -Polar
 > 
 > -- 
 > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
 > Sun Microsystems Laboratories
 > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
 > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
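
The applicability semantics discussed in this thread (absent section means no narrowing, empty conjunction is "Match", empty disjunction is "No-Match"), as an added Python example that is not from either author or from the XACML specification. The function names and the literal string comparison of each `<Subject>`, `<Resource>`, etc. against the request are assumptions standing in for XACML's match functions.

```python
import xml.etree.ElementTree as ET

# Section element -> (its "Any" shorthand, its child element).
SECTIONS = {
    "Subjects": ("AnySubject", "Subject"),
    "Resources": ("AnyResource", "Resource"),
    "Actions": ("AnyAction", "Action"),
    "Environments": ("AnyEnvironment", "Environment"),
}

def section_matches(target, section, request):
    """One conjunct of the <Target>: True if this section does not exclude the request."""
    any_tag, item_tag = SECTIONS[section]
    node = target.find(section)
    # Absent section (with or without <AnyX/> beside it): no narrowing condition.
    if node is None or node.find(any_tag) is not None:
        return True
    # A present section is a disjunction over its children. any() of an empty
    # sequence is False, so <Subjects></Subjects> can never match.
    # Assumption: each child is compared with the request as a literal string.
    return any((item.text or "").strip() == request.get(item_tag)
               for item in node.findall(item_tag))

def evaluate_target(target_xml, request):
    """Return "Match" or "No-Match"; target_xml=None models a <Rule> with no <Target>."""
    if target_xml is None:
        return "Match"
    target = ET.fromstring(target_xml)
    # Conjunction over the sections; with nothing narrowing, all() is True.
    matched = all(section_matches(target, s, request) for s in SECTIONS)
    return "Match" if matched else "No-Match"

# Constructed request and targets mirroring the cases in the thread.
REQUEST = {"Subject": "alice", "Resource": "/records/42", "Action": "read"}
CASES = {
    "empty": "<Target></Target>",
    "all_any": "<Target><AnySubject/><AnyResource/><AnyAction/>"
               "<AnyEnvironment/></Target>",
    "only_resource": "<Target><Resources><Resource>/records/42</Resource>"
                     "</Resources></Target>",
    "empty_subjects": "<Target><Subjects></Subjects><AnyResource/>"
                      "<AnyAction/><AnyEnvironment/></Target>",
}

if __name__ == "__main__":
    for name, xml in CASES.items():
        print(f"{name}: {evaluate_target(xml, REQUEST)}")
```
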


