
xacml message



Subject: RE: [xacml] Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)


I think that the way to address this is to define RULE, not Target, as a
conjunctive sequence of the subordinate elements - including elements of
the Target and the condition.

Each of the Target elements is logically equivalent to an additional
condition.  I think that we have to have equivalent treatment of the
missing condition and any of the Target elements.

And I do not know about you, but <AnyEnvironment> makes me shudder.
What the heck is this supposed to mean?

I strongly agree that we need to make all target elements optional and
get rid of the redundant <Any*> elements, and AnyEnvironment in
particular.
It does not create any inconsistencies.


Daniel.


-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.COM] 
Sent: Friday, January 23, 2004 9:41 AM
To: XACML TC
Subject: [xacml] Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)

I think I may have misunderstood the approach before, or just didn't read
it carefully enough.  So, if I am reading the right document, the change
on the target is that, NOW, the sub-elements of <Target> are OPTIONAL.
Whereas, previously they had been REQUIRED.  Correct? (The diffs I see do
not seem to reflect this change).

<Target> has always been a conjunctive sequence of its subordinate
elements.  Now, due to the optionality of its subordinates, you may now end
up with an empty conjunctive sequence, which is commonly said to be
"true", and therefore an "empty" target evaluates to "Match".

If I've got the intent wrong on any of the following please let me know:

So, now, an empty target:

<Target>
</Target>

has the same meaning as:

<Target>
  <AnySubject/><AnyResource/><AnyAction/><AnyEnvironment/>
</Target>

Correct? Therefore, this approach also means that you may have

<Target>
   <Resources><Resource>....</Resource></Resources>
</Target>

with the resulting applicability predicate concerned with just the listed
resources.

This approach is logically consistent, as long as we can agree that

<Target>
  <AnySubject/>
  <Resources><Resource>....</Resource></Resources>
  <AnyAction/>
  <AnyEnvironment/>
</Target>

has the same meaning as the <Target> immediately above, and that

<Target>
  <Subjects>
  </Subjects>
  <AnyResource/>
  <AnyAction/>
  <AnyEnvironment/>
</Target>

(or any other target with an empty disjunctive subordinate) always
evaluates to "No-Match".

I don't know if this is an issue, but we should maintain <AnySubject>, etc.
for backward compatibility reasons.

Cheers,
-Polar

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
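
The target semantics discussed in this thread (absent sub-elements and <Any*/> elements add nothing to the conjunction, while an empty disjunctive container never matches), as an added example that is not part of the original messages or of any XACML implementation. The `id` attribute and the request dictionary are constructed simplifications of XACML's match elements, and the `Actions`/`Environments` container names are assumed by analogy with `Subjects`/`Resources`.

```python
import xml.etree.ElementTree as ET

# Section key -> (container element, child element). Subjects/Resources come
# from the thread; Actions/Environments are assumed by analogy. The "id"
# attribute is a constructed stand-in for XACML's real match elements.
SECTIONS = {
    "subject": ("Subjects", "Subject"),
    "resource": ("Resources", "Resource"),
    "action": ("Actions", "Action"),
    "environment": ("Environments", "Environment"),
}

def section_matches(target, request, key):
    container, child = SECTIONS[key]
    node = target.find(container)
    if node is None:
        # Section absent, or only an <Any*/> element present: nothing is
        # added to the conjunction, so this section cannot fail.
        return True
    want = request.get(key)
    # Disjunction over the children. any() of an empty sequence is False,
    # so an empty <Subjects></Subjects> fails closed.
    return any(want is not None and c.get("id") == want
               for c in node.findall(child))

def evaluate_target(xml_text, request):
    target = ET.fromstring(xml_text)
    # Conjunction over the sections; for an empty <Target> every section
    # is absent, so the result is "Match".
    ok = all(section_matches(target, request, k) for k in SECTIONS)
    return "Match" if ok else "No-Match"

# Constructed sample targets mirroring the ones quoted in the thread.
EMPTY = "<Target></Target>"
ANY_ALL = ("<Target><AnySubject/><AnyResource/><AnyAction/>"
           "<AnyEnvironment/></Target>")
RES_ONLY = '<Target><Resources><Resource id="doc1"/></Resources></Target>'
RES_WITH_ANY = ('<Target><AnySubject/><Resources><Resource id="doc1"/>'
                "</Resources><AnyAction/><AnyEnvironment/></Target>")
EMPTY_SUBJECTS = ("<Target><Subjects></Subjects><AnyResource/><AnyAction/>"
                  "<AnyEnvironment/></Target>")

if __name__ == "__main__":
    request = {"subject": "alice", "resource": "doc1", "action": "read"}
    for name in ("EMPTY", "ANY_ALL", "RES_ONLY", "RES_WITH_ANY", "EMPTY_SUBJECTS"):
        print(name, evaluate_target(globals()[name], request))
```

Because an empty target matches every request, a rule that relies on one is only as restrictive as its condition.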

