

Subject: syntax for variables and variable references


Hi Tim,
 
Schemas are mods of v2-1 schema from the proposal http://lists.oasis-open.org/archives/xacml/200401/msg00035.html by Michiharu (work item 7)
 
Syntax for variables and variable references.
 
Current variable syntax definition needs adjustment to account for the
<condition> element.
 
I think we should allow variables in target matches as well.
(not yet included).
 
Two possible alternatives for variable syntax.
 
Alt a: <-- my preference
------
Drop <condition> element and replace it with the <apply> element.
This makes it easy to create variable def and ref. Note that <condition>
and <apply> are of the same type, so change is 'harmless'.
 
The advantage of this approach is simplicity. There is one element for
variable definition and one element for variable reference.
 
ex 1a: rule with top-level <apply>:
<rule>
<target>...</target>
<apply funcid="string-equal">...</apply>
</rule>
 
ex 2a: variable def is used in top-level apply:
<var-def varid="cond1">
<apply funcid="string-equal">...</apply>
</var-def>
 
<rule>
<target>...</target>
<var-ref varid="cond1"/>
</rule>
 
For the rule to be valid, <var-ref> must resolve into <apply> element.
(which it does). Note that the same variable definition can be reused in
top level <apply> and enclosed <apply> elements.
 
Alt b:
-------
Keep <condition> element. In addition to existing <variable-def> and
<variable-ref> elements create <cond-var-def> and <cond-var-ref> elements.
Then <cond-var-ref> is allowed as an alternative to <condition> in a rule.
 
In addition to having more syntactic elements, disadvantage of this approach
is that <cond-var-def> can not be reused for <variable-def>.
 
ex 1b: The same as 2a but variable is defined for condition:
 
<cond-def varid="cond1">
<cond funcid="string-equal">...</cond>
</cond-def>
 
<rule>
<target>...</target>
<cond-ref varid="cond1"/>
</rule>
 
Syntactic detail.
-----------------
Variable is defined with the <VariableDef> element. Type of the variable
defined by <VariableDef> is determined by the type of enclosed expression.
Name of the variable defined by <VariableDef> is the value of VariableId
attribute of type xs:string.
 
(By derivation from the apply-core-type) Variable definition can be applied to
any combination of <apply>, <function>, <attr-value>, <subj-attr-desig>,
<res-attr-desig>, <act-attr-desig>, <env-attr-desig>, <attr-sel>,
and <var-ref> elements.
 
<xs:element name="VariableDef" type="xacml:VariableDefType"/>
<xs:complexType name="VariableDefType">
<xs:complexContent>
<xs:extension base="xacml:ApplyCoreType">
<xs:attribute name="VariableId" type="xs:string" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
 
VariableId - required. This is variable name.
 
Variable is dereferenced with the <VariableRef> element. Variable name
is defined by the value of VariableId attribute of type xs:string.
 
<xs:element name="VariableRef" type="xacml:VariableRefType"/>
<xs:complexType name="VariableRefType">
<xs:attribute name="VariableId" type="xs:string"/>
</xs:complexType>
 
VariableId - required. This is variable name. Must resolve to named variable
definition.
 
Alternative (a):
------------------------
Rule schema:
<xs:complexType name="RuleType">
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Target" minOccurs="0"/>
<xs:choice>
<xs:element ref="xacml:Apply"/> <-- change: <cond> replaced with <apply>
<xs:element ref="xacml:VariableRef"/> <-- new: variable ref
</xs:choice>
</xs:sequence>
<xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
 
For the rule to be valid, <VariableRef> must resolve into <apply> element.
 
Sequence of <VariableDef> elements is included as a child of <Policy>
element following <PolicyDefaults> element.
 
Alternative (b).
------------------------------
Rule schema:
<xs:complexType name="RuleType">
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Target" minOccurs="0"/>
<xs:choice>
<xs:element ref="xacml:Condition"/>
<xs:element ref="xacml:CondVarRef"/> <-- new: condition var reference
</xs:choice>
</xs:sequence>
<xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
 
<CondVarDef> defines condition variable. Condition variable can be used
only for conditions.
 
<xs:element name="CondVarDef" type="xacml:CondVarDefType"/>
<xs:complexType name="CondVarDefType">
<xs:sequence>
<xs:element ref="xacml:Condition"/>
</xs:sequence>
<xs:attribute name="VariableId" type="xs:string" use="required"/>
</xs:complexType>
 
VariableId is a name of condition variable.
 
Condition variable reference is of <VariableRefType>:
<xs:element name="CondVarRef" type="xacml:VariableRefType"/>
 
Condition variable reference must resolve to named condition variable.
 
Sequence of choices between <VariableDef> and <CondVarDef> elements is
included as a child of <Policy> element following <PolicyDefaults> element.
Simon
 
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<!-- -->
	<xs:element name="PolicySet" type="xacml:PolicySetType"/>
	<xs:complexType name="PolicySetType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
			<xs:element ref="xacml:Target"/>
			<xs:choice minOccurs="0" maxOccurs="unbounded">
				<xs:element ref="xacml:PolicySet"/>
				<xs:element ref="xacml:Policy"/>
				<xs:element ref="xacml:PolicySetIdReference"/>
				<xs:element ref="xacml:PolicyIdReference"/>
			</xs:choice>
			<xs:element ref="xacml:Obligations" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
		<xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="PolicySetIdReference" type="xs:anyURI"/>
	<xs:element name="PolicyIdReference" type="xs:anyURI"/>
	<!-- -->
	<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
	<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
	<xs:complexType name="DefaultsType">
		<xs:sequence>
			<xs:choice>
				<xs:element ref="xacml:XPathVersion"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="XPathVersion" type="xs:anyURI"/>
	<!-- -->
	<xs:element name="Policy" type="xacml:PolicyType"/>
	<xs:complexType name="PolicyType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
			<xs:choice minOccurs="0" maxOccurs="unbounded">
				<xs:element ref="xacml:VariableDef"/>
				<xs:element ref="xacml:CondVarDef"/>
			</xs:choice>
			<xs:element ref="xacml:Target"/>
			<xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
			<xs:element ref="xacml:Obligations" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
		<xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<xs:element name="Description" type="xs:string"/>
	<!-- -->
	<xs:element name="Rule" type="xacml:RuleType"/>
	<xs:complexType name="RuleType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:Target" minOccurs="0"/>
			<xs:choice>
				<xs:element ref="xacml:Condition"/>
				<xs:element ref="xacml:CondVarRef"/>
				<!--xs:element ref="xacml:VariableRef"/-->
			</xs:choice>
			<!--
			<xs:element ref="xacml:Condition" minOccurs="0"/>
			-->
		</xs:sequence>
		<xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
		<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:simpleType name="EffectType">
		<xs:restriction base="xs:string">
			<xs:enumeration value="Permit"/>
			<xs:enumeration value="Deny"/>
		</xs:restriction>
	</xs:simpleType>
	<!-- -->
	<xs:element name="Target" type="xacml:TargetType"/>
	<xs:complexType name="TargetType">
		<xs:sequence>
			<xs:element ref="xacml:Subjects"/>
			<xs:element ref="xacml:Resources"/>
			<xs:element ref="xacml:Actions"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Subjects" type="xacml:SubjectsType"/>
	<xs:complexType name="SubjectsType">
		<xs:choice>
			<xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
			<xs:element ref="xacml:AnySubject"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<xs:element name="Subject" type="xacml:SubjectType"/>
	<xs:complexType name="SubjectType">
		<xs:sequence>
			<xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="AnySubject"/>
	<!-- -->
	<xs:element name="Resources" type="xacml:ResourcesType"/>
	<xs:complexType name="ResourcesType">
		<xs:choice>
			<xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
			<xs:element ref="xacml:AnyResource"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<xs:element name="AnyResource"/>
	<!-- -->
	<xs:element name="Resource" type="xacml:ResourceType"/>
	<xs:complexType name="ResourceType">
		<xs:sequence>
			<xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Actions" type="xacml:ActionsType"/>
	<xs:complexType name="ActionsType">
		<xs:choice>
			<xs:element ref="xacml:Action" maxOccurs="unbounded"/>
			<xs:element ref="xacml:AnyAction"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<xs:element name="AnyAction"/>
	<!-- -->
	<xs:element name="Action" type="xacml:ActionType"/>
	<xs:complexType name="ActionType">
		<xs:sequence>
			<xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
	<xs:complexType name="SubjectMatchType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:choice>
				<xs:element ref="xacml:SubjectAttributeDesignator"/>
				<xs:element ref="xacml:AttributeSelector"/>
			</xs:choice>
		</xs:sequence>
		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
	<xs:complexType name="ResourceMatchType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:choice>
				<xs:element ref="xacml:ResourceAttributeDesignator"/>
				<xs:element ref="xacml:AttributeSelector"/>
			</xs:choice>
		</xs:sequence>
		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
	<xs:complexType name="ActionMatchType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:choice>
				<xs:element ref="xacml:ActionAttributeDesignator"/>
				<xs:element ref="xacml:AttributeSelector"/>
			</xs:choice>
		</xs:sequence>
		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
	<xs:complexType name="AttributeSelectorType">
		<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<!-- -->
	<xs:complexType name="AttributeDesignatorType">
		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:attribute name="Issuer" type="xs:string" use="optional"/>
		<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="SubjectAttributeDesignator" type="xacml:SubjectAttributeDesignatorType"/>
	<xs:complexType name="SubjectAttributeDesignatorType">
		<xs:complexContent>
			<xs:extension base="xacml:AttributeDesignatorType">
				<xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
	<xs:complexType name="AttributeValueType" mixed="true">
		<xs:sequence>
			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:anyAttribute namespace="##any" processContents="lax"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Function" type="xacml:FunctionType"/>
	<xs:complexType name="FunctionType">
		<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Apply" type="xacml:ApplyType"/>
	<xs:element name="Condition" type="xacml:ApplyType"/>
	<!-- -->
	<xs:complexType name="ApplyType">
		<xs:complexContent>
			<xs:extension base="xacml:ApplyCoreType">
				<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:complexType name="ApplyCoreType">
		<xs:choice minOccurs="0" maxOccurs="unbounded">
			<xs:element ref="xacml:Apply"/>
			<xs:element ref="xacml:Function"/>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:element ref="xacml:SubjectAttributeDesignator"/>
			<xs:element ref="xacml:ResourceAttributeDesignator"/>
			<xs:element ref="xacml:ActionAttributeDesignator"/>
			<xs:element ref="xacml:EnvironmentAttributeDesignator"/>
			<xs:element ref="xacml:AttributeSelector"/>
			<xs:element ref="xacml:VariableRef"/>
		</xs:choice>
		<!-- Legal types for the first and subsequent operands are defined in the accompanying table -->
	</xs:complexType>
	<!-- -->
	<xs:element name="Obligations" type="xacml:ObligationsType"/>
	<xs:complexType name="ObligationsType">
		<xs:sequence>
			<xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Obligation" type="xacml:ObligationType"/>
	<xs:complexType name="ObligationType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
		<xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
	<xs:complexType name="AttributeAssignmentType" mixed="true">
		<xs:complexContent mixed="true">
			<xs:extension base="xacml:AttributeValueType">
				<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="VariableDef" type="xacml:VariableDefType"/>
	<xs:complexType name="VariableDefType">
		<xs:complexContent>
			<xs:extension base="xacml:ApplyCoreType">
				<xs:attribute name="VariableId" type="xs:string" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="VariableRef" type="xacml:VariableRefType"/>
	<xs:complexType name="VariableRefType">
		<xs:attribute name="VariableId" type="xs:string"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="CondVarDef" type="xacml:CondVarDefType"/>
	<xs:complexType name="CondVarDefType">
		<xs:sequence>
			<xs:element ref="xacml:Condition"/>
		</xs:sequence>
		<xs:attribute name="VariableId" type="xs:string" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="CondVarRef" type="xacml:VariableRefType"/>
	<!-- -->
</xs:schema>
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<!-- -->
	<xs:element name="PolicySet" type="xacml:PolicySetType"/>
	<xs:complexType name="PolicySetType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
			<xs:element ref="xacml:Target"/>
			<xs:choice minOccurs="0" maxOccurs="unbounded">
				<xs:element ref="xacml:PolicySet"/>
				<xs:element ref="xacml:Policy"/>
				<xs:element ref="xacml:PolicySetIdReference"/>
				<xs:element ref="xacml:PolicyIdReference"/>
			</xs:choice>
			<xs:element ref="xacml:Obligations" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
		<xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="PolicySetIdReference" type="xs:anyURI"/>
	<xs:element name="PolicyIdReference" type="xs:anyURI"/>
	<!-- -->
	<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
	<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
	<xs:complexType name="DefaultsType">
		<xs:sequence>
			<xs:choice>
				<xs:element ref="xacml:XPathVersion"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="XPathVersion" type="xs:anyURI"/>
	<!-- -->
	<xs:element name="Policy" type="xacml:PolicyType"/>
	<xs:complexType name="PolicyType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
			<xs:element ref="xacml:VariableDef" minOccurs="0" maxOccurs="unbounded"/>
			<xs:element ref="xacml:Target"/>
			<xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
			<xs:element ref="xacml:Obligations" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
		<xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<xs:element name="Description" type="xs:string"/>
	<!-- -->
	<xs:element name="Rule" type="xacml:RuleType"/>
	<xs:complexType name="RuleType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:Target" minOccurs="0"/>
			<xs:choice>
				<xs:element ref="xacml:Apply"/>
				<xs:element ref="xacml:VariableRef"/>
				<!--xs:element ref="xacml:Condition"/-->
			</xs:choice>
			<!--
			<xs:element ref="xacml:Condition" minOccurs="0"/>
			-->
		</xs:sequence>
		<xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
		<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:simpleType name="EffectType">
		<xs:restriction base="xs:string">
			<xs:enumeration value="Permit"/>
			<xs:enumeration value="Deny"/>
		</xs:restriction>
	</xs:simpleType>
	<!-- -->
	<xs:element name="Target" type="xacml:TargetType"/>
	<xs:complexType name="TargetType">
		<xs:sequence>
			<xs:element ref="xacml:Subjects"/>
			<xs:element ref="xacml:Resources"/>
			<xs:element ref="xacml:Actions"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Subjects" type="xacml:SubjectsType"/>
	<xs:complexType name="SubjectsType">
		<xs:choice>
			<xs:element ref="xacml:Subject" maxOccurs="unbounded"/>
			<xs:element ref="xacml:AnySubject"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<xs:element name="Subject" type="xacml:SubjectType"/>
	<xs:complexType name="SubjectType">
		<xs:sequence>
			<xs:element ref="xacml:SubjectMatch" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="AnySubject"/>
	<!-- -->
	<xs:element name="Resources" type="xacml:ResourcesType"/>
	<xs:complexType name="ResourcesType">
		<xs:choice>
			<xs:element ref="xacml:Resource" maxOccurs="unbounded"/>
			<xs:element ref="xacml:AnyResource"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<xs:element name="AnyResource"/>
	<!-- -->
	<xs:element name="Resource" type="xacml:ResourceType"/>
	<xs:complexType name="ResourceType">
		<xs:sequence>
			<xs:element ref="xacml:ResourceMatch" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Actions" type="xacml:ActionsType"/>
	<xs:complexType name="ActionsType">
		<xs:choice>
			<xs:element ref="xacml:Action" maxOccurs="unbounded"/>
			<xs:element ref="xacml:AnyAction"/>
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<xs:element name="AnyAction"/>
	<!-- -->
	<xs:element name="Action" type="xacml:ActionType"/>
	<xs:complexType name="ActionType">
		<xs:sequence>
			<xs:element ref="xacml:ActionMatch" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="SubjectMatch" type="xacml:SubjectMatchType"/>
	<xs:complexType name="SubjectMatchType">
		<xs:sequence>
			<xs:choice>
				<xs:element ref="xacml:AttributeValue"/>
			</xs:choice>
			<xs:choice>
				<xs:element ref="xacml:SubjectAttributeDesignator"/>
				<xs:element ref="xacml:AttributeSelector"/>
			</xs:choice>
		</xs:sequence>
		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ResourceMatch" type="xacml:ResourceMatchType"/>
	<xs:complexType name="ResourceMatchType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:choice>
				<xs:element ref="xacml:ResourceAttributeDesignator"/>
				<xs:element ref="xacml:AttributeSelector"/>
			</xs:choice>
		</xs:sequence>
		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ActionMatch" type="xacml:ActionMatchType"/>
	<xs:complexType name="ActionMatchType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:choice>
				<xs:element ref="xacml:ActionAttributeDesignator"/>
				<xs:element ref="xacml:AttributeSelector"/>
			</xs:choice>
		</xs:sequence>
		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
	<xs:complexType name="AttributeSelectorType">
		<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<xs:element name="ActionAttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<xs:element name="EnvironmentAttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<!-- -->
	<xs:complexType name="AttributeDesignatorType">
		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:attribute name="Issuer" type="xs:string" use="optional"/>
		<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="SubjectAttributeDesignator" type="xacml:SubjectAttributeDesignatorType"/>
	<xs:complexType name="SubjectAttributeDesignatorType">
		<xs:complexContent>
			<xs:extension base="xacml:AttributeDesignatorType">
				<xs:attribute name="SubjectCategory" type="xs:anyURI" use="optional" default="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
	<xs:complexType name="AttributeValueType" mixed="true">
		<xs:sequence>
			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:anyAttribute namespace="##any" processContents="lax"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Function" type="xacml:FunctionType"/>
	<xs:complexType name="FunctionType">
		<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Apply" type="xacml:ApplyType"/>
	<!--xs:element name="Condition" type="xacml:ApplyType"/-->
	<!-- -->
	<xs:complexType name="ApplyType">
		<xs:complexContent>
			<xs:extension base="xacml:ApplyCoreType">
				<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:complexType name="ApplyCoreType">
		<xs:choice minOccurs="0" maxOccurs="unbounded">
			<xs:element ref="xacml:Apply"/>
			<xs:element ref="xacml:Function"/>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:element ref="xacml:SubjectAttributeDesignator"/>
			<xs:element ref="xacml:ResourceAttributeDesignator"/>
			<xs:element ref="xacml:ActionAttributeDesignator"/>
			<xs:element ref="xacml:EnvironmentAttributeDesignator"/>
			<xs:element ref="xacml:AttributeSelector"/>
			<xs:element ref="xacml:VariableRef"/>
		</xs:choice>
		<!-- Legal types for the first and subsequent operands are defined in the accompanying table -->
	</xs:complexType>
	<!-- -->
	<xs:element name="Obligations" type="xacml:ObligationsType"/>
	<xs:complexType name="ObligationsType">
		<xs:sequence>
			<xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Obligation" type="xacml:ObligationType"/>
	<xs:complexType name="ObligationType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeAssignment" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
		<xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
	<xs:complexType name="AttributeAssignmentType" mixed="true">
		<xs:complexContent mixed="true">
			<xs:extension base="xacml:AttributeValueType">
				<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="VariableDef" type="xacml:VariableDefType"/>
	<xs:complexType name="VariableDefType">
		<xs:complexContent>
			<xs:extension base="xacml:ApplyCoreType">
				<xs:attribute name="VariableId" type="xs:string" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="VariableRef" type="xacml:VariableRefType"/>
	<xs:complexType name="VariableRefType">
		<xs:attribute name="VariableId" type="xs:string"/>
	</xs:complexType>
	<!-- -->
</xs:schema>
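
Added example, not part of the original message or of any XACML implementation: the Alternative (a) schema accepts any xs:string as a VariableId, so the rules "must resolve to named variable definition" and "<VariableRef> must resolve into <apply> element" have to be checked by the policy loader, along with reference cycles. Assumptions: "resolves into <apply>" is read as "the definition's only child is an <Apply>, possibly reached through a chain of single <VariableRef> children"; the sample policy is constructed and omits <Target> for brevity.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"  # targetNamespace of the posted schemas
FN = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STR = "http://www.w3.org/2001/XMLSchema#string"

def q(name):
    """Namespace-qualified tag name as ElementTree spells it."""
    return "{%s}%s" % (NS, name)

# Constructed sample in the Alternative (a) shape (Target omitted for brevity).
SAMPLE_POLICY = f"""
<Policy xmlns="{NS}" PolicyId="urn:example:p1" RuleCombiningAlgId="urn:example:alg">
  <VariableDef VariableId="cond1">
    <Apply FunctionId="{FN}">
      <VariableRef VariableId="name"/>
      <AttributeValue DataType="{STR}">alice</AttributeValue>
    </Apply>
  </VariableDef>
  <VariableDef VariableId="name">
    <AttributeValue DataType="{STR}">alice</AttributeValue>
  </VariableDef>
  <VariableDef VariableId="loopA"><VariableRef VariableId="loopB"/></VariableDef>
  <VariableDef VariableId="loopB"><VariableRef VariableId="loopA"/></VariableDef>
  <Rule RuleId="urn:example:r1" Effect="Permit"><VariableRef VariableId="cond1"/></Rule>
  <Rule RuleId="urn:example:r2" Effect="Permit"><VariableRef VariableId="name"/></Rule>
  <Rule RuleId="urn:example:r3" Effect="Deny"><VariableRef VariableId="missing"/></Rule>
  <Rule RuleId="urn:example:r4" Effect="Deny"><VariableRef VariableId="loopA"/></Rule>
</Policy>
"""

def _refs(elem):
    """All VariableId values referenced anywhere below elem."""
    return {r.get("VariableId") for r in elem.iter(q("VariableRef"))}

def _in_cycle(start, graph):
    """True if following references from start leads back to start."""
    stack, seen = list(graph[start]), set()
    while stack:
        vid = stack.pop()
        if vid == start:
            return True
        if vid in seen or vid not in graph:
            continue
        seen.add(vid)
        stack.extend(graph[vid])
    return False

def _resolves_to_apply(vid, defs):
    """Follow single-child VariableRef chains until an Apply (or a dead end)."""
    seen = set()
    while vid in defs and vid not in seen:
        seen.add(vid)
        children = list(defs[vid])
        if len(children) != 1:
            return False
        if children[0].tag == q("Apply"):
            return True
        if children[0].tag != q("VariableRef"):
            return False
        vid = children[0].get("VariableId")
    return False  # undefined name or a cycle

def check_variable_refs(policy_xml):
    """Return a sorted list of problems; an empty list means the references are sound."""
    policy = ET.fromstring(policy_xml)
    problems, defs = set(), {}
    for d in policy.findall(q("VariableDef")):
        vid = d.get("VariableId")
        if vid in defs:
            problems.add(f"duplicate VariableDef '{vid}'")
        else:
            defs[vid] = d
    for vid in _refs(policy):  # every reference must name a definition
        if vid not in defs:
            problems.add(f"unresolved VariableRef '{vid}'")
    graph = {vid: _refs(d) for vid, d in defs.items()}
    for vid in graph:  # definitions must not refer back to themselves
        if _in_cycle(vid, graph):
            problems.add(f"VariableDef '{vid}' is part of a reference cycle")
    for rule in policy.findall(q("Rule")):  # rule-level refs stand in for <Apply>
        for ref in rule.findall(q("VariableRef")):
            vid = ref.get("VariableId")
            if vid in defs and not _resolves_to_apply(vid, defs):
                problems.add(f"rule '{rule.get('RuleId')}': '{vid}' does not resolve to an Apply")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check_variable_refs(SAMPLE_POLICY):
        print(problem)
```

A loader that rejects the policy when this list is non-empty fails closed at load time instead of discovering a dangling or circular reference during evaluation of a request.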

