[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] proposal for identifying optional features
More mods (I should have said "environment attribute", not "environment variable"). But again, I'm not positive this is something we have to implement. There are other things in XACML that depend on the PDP implementation, such as attribute finder modules, policy finder modules, etc. I don't think we want to create something new to define all of these. I guess I recommend that all this be handled out-of-band. I doubt that a given Request will depend on profiles anyway, although a Policy or PolicySet might. Each profile, and each optional feature in a profile, SHALL be associated with a URI. [and each optional feature in XACML itself?] There SHALL be a new, optional "SupportedProfiles" policy element, to consist of a sequence of anyURI. If an XACML implementation supports profiles, these SHALL be included in the "SupportedProfiles" policy element. This element SHALL be optional, but SHALL be included if any profiles are supported. If a Request depends on profiles, the Request SHALL include a new "...:supported-profiles" Attribute, whose DataType is the schema complex type defined for the new "SupportedProfiles" policy element. The value of this Attribute SHALL include the URIs of all profiles or profile options that are required to support the given request. The documentation for an XACML implementation SHALL include the profiles and profile options it supports. If a PDP receives a Policy, PolicySet, or Request that requires profiles or profile options that the PDP does not support, the PDP SHALL treat this condition as an error. For a request, the response SHALL include an error code of "...". Anne > >Why wouldn't we use just use a URI ? > >Minor changes on your proposal: > >All compliant XACML implementations MUST declare which profiles they >support this can an optional element that can be included in a polic >y to >list the required URIs. For a request, we could just define an envir >onment >variable to hold the list of required URIs. The format of the varia >ble >could be the same as the format of the optional element. A context h >andler >could be aware of >that variable. We also need to define error codes or other behavior >if a >PDP does not support required options. > > > >Anthony Nadalin | work 512.838.0085 | cell 512.289.4122 > > > > > Anne Anderson > > <Anne.Anderson@Su > > n.COM> > To > XACML TC > > 06/22/2004 09:55 <xacml@lists.oasis-open.org> > > AM > cc > Anne.Anderson@Sun.COM > > Su >bject > Please respond to [xacml] proposal for identifyi >ng > Anne.Anderson optional features > > > > > > > > > > > > > > > > > >Tony suggested we have some way of identifying which optional >features or profiles a given implementation supports, or that a given >request or policy requires. > >We have survived without this through XACML 1.0 and 1.1, but if >we decide it is worth doing, here is a proposal. > >create a urn for each profile or separate optional feature >(e.g. obligations, xpath). Create an optional element that can be >included in a policy to list the required urn's. For a request, I th >ink >we could just define an environment variable to hold the list of >required urn's. The format of the variable could be the same as the >format of the optional element. A context handler could be aware of >that variable. We also need to define error codes or other behavior >if >a PDP does not support required options. We need to decide whether >supporting the "optional support" feature is itself optional! > >Anne >-- >Anne H. Anderson Email: Anne.Anderson@Sun.COM >Sun Microsystems Laboratories >1 Network Drive,UBUR02-311 Tel: 781/442-0928 >Burlington, MA 01803-0902 USA Fax: 781/442-1692 > > >To unsubscribe from this mailing list (and be removed from the roster > of >the OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_work >group.php >. >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]