Re: [xacml] Section B.6 - Resource attributes

[Anne Anderson <Anne.Anderson@Sun.COM>]

On 27 July, Tim Moses writes: [xacml] Section B.6 - Resource attributes
 > Colleagues - Some proposed changes to Section B.6.  Any comments?  All the
 > best.  Tim.
 > 
 > Draft 13
 > 
 > These identifiers indicate attributes of the resource.  The corresponding
 > attributes MAY appear in the <Resource> element of the request context and
 > be accessed by means of a <ResourceAttributeDesignator> element, or by an
 > <AttributeSelector> element that points into the <Resource> element of the
 > request context.  In the former case, the attribute identifier SHALL appear
 > in the <ResourceAttributeDesignator> element.

I don't understand why the last sentence is needed.  If the
attribute is in the <Resource> element and is accessed by means
of a <ResourceAttributeDesignator> element, doesn't that mean the
attribute identifier must by definition appear in the
<ResourceAttributeDesignator> element?

 > This identifier indicates the URI of the resource.  The type of the
 > corresponding attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI";.
 > urn:oasis:names:tc:xacml:1.0:resource:resource-id

The Hierarchical Resource Profile for XML resources proposes that
the DataType of the resource-id be "xpath-expression",
identifying the specific node of the resource that is being
requested.  In this case, the optional "document-id" resource
Attribute can be used to hold the URI of the entire XML document.

I think Daniel also objected to forcing resource-id to be a URI.
Or maybe it was just a URI conforming to my proposed hierarchical
URI scheme :-)

So is there a reason resource-id must be a URI?

 > This identifier indicates the name-space of the top element of the resource.
 > In the case where the resource content is supplied in the request context
 > and the resource namespace is defined in the resource, the PDP SHALL confirm
 > that the namespace defined by this attribute is the same as that defined in
 > the resource.  The type of the corresponding attribute SHALL be
 > "http://www.w3.org/2001/XMLSchema#anyURI";.
 > urn:oasis:names:tc:xacml:2.0:resource:target-namespace

 > This identifier indicates an xpath expression whose context node is the
 > <xacml-context:Request> element.  This attribute SHALL only appear in the
 > <ResourceAttributeDesignator> element.  The type of the corresponding
 > attribute SHALL be
 > "urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression".
 > urn:oasis:names:tc:xacml:2.0:resource:xpath

I proposed that we drop the "xpath" Attribute, since there is no
need for it with the Hierarchical Resource Profile.
"resource-id" in that case will contain the xpath expression
pointing to the requested node.

Note that the reason for putting the xpath-expression pointing to
the requested node into the "resource-id" Attribute is so that
the Response <Result> ResourceId XML attribute can copy the
resource-id Attribute and have it be an unambiguous reference to
the node to which the <Result> corresponds.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692