

Subject: RE: [xacml] Section B.6 - Resource attributes


Thanks Anne

1. "In the former case, the attribute identifier SHALL appear in the
<ResourceAttributeDesignator> element."

I only included this sentence as a counterpart to the earlier sentence: "The
corresponding attributes MAY appear in the <Resource> element of the request
context".  You are right; it's redundant.  I'll take it out.

2. OK.  I'll remove any restriction on the type of resource-id.

3. I'll drop the xpath attribute.

4. I'll add the document-id attribute.  Can we say anything about this
attribute and what it might contain?

How about this? ...

Draft 13

These identifiers indicate attributes of the resource.  The corresponding
attributes MAY appear in the <Resource> element of the request context and
be accessed by means of a <ResourceAttributeDesignator> element, or by an
<AttributeSelector> element that points into the <Resource> element of the
request context.

This attribute identifies the contents of the
<xacml-context:ResourceContent> element.
urn:oasis:names:tc:xacml:1.0:resource:document-id

This attribute identifies the resource to which access is requested.  Note:
the resource to which access is requested may not be the same as the
resource supplied in the <xacml-context:ResourceContent> element.
urn:oasis:names:tc:xacml:1.0:resource:resource-id

This attribute identifies the namespace of the top element of the contents
of the <xacml-context:ResourceContent> element.  In the case where the
resource content is supplied in the request context and the resource
namespace is defined in the resource, the PDP SHALL confirm that the
namespace defined by this attribute is the same as that defined in the
resource.  The type of the corresponding attribute SHALL be
"http://www.w3.org/2001/XMLSchema#anyURI".
urn:oasis:names:tc:xacml:2.0:resource:target-namespace




-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.COM] 
Sent: Tuesday, July 27, 2004 11:26 AM
To: Tim Moses
Cc: 'XACML'
Subject: Re: [xacml] Section B.6 - Resource attributes


On 27 July, Tim Moses writes: [xacml] Section B.6 - Resource attributes
 > Colleagues - Some proposed changes to Section B.6.  Any comments?  All the
 > best.  Tim.
 >
 > Draft 13
 >
 > These identifiers indicate attributes of the resource.  The corresponding
 > attributes MAY appear in the <Resource> element of the request context and
 > be accessed by means of a <ResourceAttributeDesignator> element, or by an
 > <AttributeSelector> element that points into the <Resource> element of the
 > request context.  In the former case, the attribute identifier SHALL
 > appear in the <ResourceAttributeDesignator> element.

I don't understand why the last sentence is needed.  If the attribute is in
the <Resource> element and is accessed by means of a
<ResourceAttributeDesignator> element, doesn't that mean the attribute
identifier must by definition appear in the <ResourceAttributeDesignator>
element?

 > This identifier indicates the URI of the resource.  The type of the
 > corresponding attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI".
 > urn:oasis:names:tc:xacml:1.0:resource:resource-id

The Hierarchical Resource Profile for XML resources proposes that the
DataType of the resource-id be "xpath-expression", identifying the specific
node of the resource that is being requested.  In this case, the optional
"document-id" resource Attribute can be used to hold the URI of the entire
XML document.

I think Daniel also objected to forcing resource-id to be a URI. Or maybe it
was just a URI conforming to my proposed hierarchical URI scheme :-)

So is there a reason resource-id must be a URI?

 > This identifier indicates the name-space of the top element of the
 > resource.  In the case where the resource content is supplied in the
 > request context and the resource namespace is defined in the resource,
 > the PDP SHALL confirm that the namespace defined by this attribute is the
 > same as that defined in the resource.  The type of the corresponding
 > attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI".
 > urn:oasis:names:tc:xacml:2.0:resource:target-namespace

 > This identifier indicates an xpath expression whose context node is the
 > <xacml-context:Request> element.  This attribute SHALL only appear in the
 > <ResourceAttributeDesignator> element.  The type of the corresponding
 > attribute SHALL be
 > "urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression".
 > urn:oasis:names:tc:xacml:2.0:resource:xpath

I proposed that we drop the "xpath" Attribute, since there is no need for it
with the Hierarchical Resource Profile. "resource-id" in that case will
contain the xpath expression pointing to the requested node.

Note that the reason for putting the xpath-expression pointing to the
requested node into the "resource-id" Attribute is so that the Response
<Result> ResourceId XML attribute can copy the resource-id Attribute and
have it be an unambiguous reference to the node to which the <Result>
corresponds.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
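
The target-namespace check that the draft text in this message assigns to the PDP, as an added example that is not part of the original e-mail or of the XACML specification. The context namespace URI, the function names and the urn:example:* sample values are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the XACML 2.0 context namespace as finally published; a draft may differ.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
TARGET_NS = "urn:oasis:names:tc:xacml:2.0:resource:target-namespace"
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"


def check_target_namespace(request_xml):
    """Apply the draft's SHALL rule to a request context; returns (ok, reason)."""
    # ElementTree is acceptable for this constructed input; use a hardened
    # parser for requests that arrive from untrusted callers.
    resource = ET.fromstring(request_xml).find("{%s}Resource" % CTX)
    if resource is None:
        return False, "no Resource element"
    declared = None
    for attr in resource.findall("{%s}Attribute" % CTX):
        if attr.get("AttributeId") != TARGET_NS:
            continue
        if attr.get("DataType") != ANY_URI:
            return False, "target-namespace DataType is not anyURI"
        declared = (attr.findtext("{%s}AttributeValue" % CTX) or "").strip()
        break
    content = resource.find("{%s}ResourceContent" % CTX)
    if declared is None or content is None or len(content) == 0:
        return True, "rule not applicable"
    tag = content[0].tag  # ElementTree spells qualified names as "{ns}local"
    if not tag.startswith("{"):
        return True, "resource defines no namespace"
    actual = tag[1:].split("}", 1)[0]
    if actual != declared:
        return False, "declared %s but content is %s" % (declared, actual)
    return True, "namespaces match"


def sample_request(declared_ns, content_ns):
    """Constructed request context; both namespace values are made up."""
    return (
        '<Request xmlns="%s"><Resource>'
        '<ResourceContent><r:record xmlns:r="%s"/></ResourceContent>'
        '<Attribute AttributeId="%s" DataType="%s">'
        '<AttributeValue>%s</AttributeValue></Attribute>'
        '</Resource></Request>' % (CTX, content_ns, TARGET_NS, ANY_URI, declared_ns)
    )


if __name__ == "__main__":
    print(check_target_namespace(sample_request("urn:example:med", "urn:example:med")))
    print(check_target_namespace(sample_request("urn:example:med", "urn:example:hr")))
```

A mismatch is reported as a failure so that policies written for one document type are not evaluated against content of another; how a PDP surfaces that failure is left to the implementation.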

