xacml message


Subject: New draft of Hierarchical Resources


A new draft of the specification sections pertaining to
Hierarchical Resources is attached, both in PDF and MSWord
forms.

Summary
- A new "xpath-expression" DataType is defined.  It is a string
  that is to be evaluated as an XPath expression.

- I removed attributes for "simple-file-name" and "ufs-path"
  because files are now represented as "file:" URIs in a Request
  Context.  Using either of these Attributes would prevent
  policies intended to apply to those files from applying, since
  the policies would be written in terms of URIs and not simple
  names or paths.

- I removed the "xpath" attribute because ultimately, the
  "resource-id" attribute will have to contain the XPath
  expression.  With the new "xpath-expression" DataType, there is
  no ambiguity about how to interpret "resource-id" in this case.

- I created a new section for describing how to request multiple
  resources in one Request Context.  This is separate from the
  Hierarchical Resources section because the multiple resources
  requested need not be hierarchical.  There are three ways: a
  "resource-id" Attribute containing an XPath expression that
  evaluates to multiple nodes, a "scope" Attribute, and multiple
  <Resource> elements.  In each case, these representations are
  not evaluated by the PDP and are not visible to policies; they
  are always resolved to a sequence of Request Contexts, each of
  which specifies exactly one of the requested resources in its
  "resource-id" Attribute.  There is always one <Result> element
  returned for each resource that is requested.

- <ResourceContent> is required if the requested resource is a
  node in an XML document.

- Any given resource type must always be represented as an XML
  document or never represented as an XML document. This is
  because policies written to apply to its XML representation
  would not apply if it appeared in a Request in the other
  representation, and vice versa.

- The "resource-parent" and "resource-ancestor" Attributes MUST
  be available in the Request Context for any type of
  hierarchical resource.  This allows simple predicates that can
  do basic checks without having to support XPath.  [Thank you,
  Daniel]

- No new functions were needed.  "xpath-node-match" is sufficient
  for XML resources, and our existing set, bag, and Higher Order
  bag functions, along with our existing match functions, are
  sufficient for other types of resources.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

Hierarchical Resources draft, pdf format

Hierarchical Resources draft, MSWord format
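
The resolution step summarized in the message, sketched as an added example that is not part of the original message or the attached draft: a "resource-id" XPath expression matching several nodes is expanded into one request per node, each carrying "resource-parent" and "resource-ancestor" values so a policy can be checked without XPath support. The path-string form of the attribute values, the ordering of "resource-ancestor", the sample document and the `decide` policy are assumptions, and Python's ElementTree evaluates only a subset of XPath.

```python
import xml.etree.ElementTree as ET

# Constructed sample <ResourceContent>; element names are illustrative only.
RESOURCE_CONTENT = """<records>
  <patient><name>A</name><diagnosis>x</diagnosis></patient>
  <patient><name>B</name><diagnosis>y</diagnosis></patient>
</records>"""

def node_path(node, parents):
    """Absolute, position-qualified path that names exactly one node."""
    steps = []
    while node is not None:
        parent = parents.get(node)
        if parent is None:
            steps.append(node.tag)
        else:
            same = [c for c in parent if c.tag == node.tag]
            steps.append(f"{node.tag}[{same.index(node) + 1}]")
        node = parent
    return "/" + "/".join(reversed(steps))

def expand(resource_id_xpath, content_xml):
    """Resolve a multi-node request into single-resource request contexts."""
    root = ET.fromstring(content_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    requests = []
    for node in root.findall(resource_id_xpath):
        ancestors, p = [], parents.get(node)
        while p is not None:
            ancestors.append(node_path(p, parents))
            p = parents.get(p)
        requests.append({
            "resource-id": node_path(node, parents),
            "resource-parent": ancestors[0] if ancestors else None,
            "resource-ancestor": ancestors,  # assumption: nearest first, parent included
        })
    return requests

def decide(request):
    """Hypothetical policy that needs no XPath: plain string and bag checks."""
    ok = (request["resource-id"].endswith("/diagnosis[1]")
          and "/records/patient[1]" in request["resource-ancestor"])
    return "Permit" if ok else "Deny"

def evaluate(resource_id_xpath, content_xml):
    """The PDP sees only the expanded requests; one result per resource."""
    return [(r["resource-id"], decide(r)) for r in expand(resource_id_xpath, content_xml)]
```

An expression that matches no node yields no requests and therefore no results, so the caller has to treat an empty result list as a refusal rather than as success.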


