

Subject: RE: [xacml] Section B.6 - Resource attributes


Anne - OK.  Too easy.  I'll drop document-id.  I'll have to modify Example
2, because it uses document-id.  Here is the text that I'll use in Draft 13.
All the best.  Tim.


These identifiers indicate attributes of the resource.  The corresponding
attributes MAY appear in the <Resource> element of the request context and
be accessed by means of a <ResourceAttributeDesignator> element, or by an
<AttributeSelector> element that points into the <Resource> element of the
request context.

This attribute identifies the resource to which access is requested.  If an
<xacml-context:ResourceContent> element is provided, then the resource to
which access is requested SHALL be all or a portion of the resource supplied
in the <xacml-context:ResourceContent> element.
urn:oasis:names:tc:xacml:1.0:resource:resource-id

This attribute identifies the namespace of the top element of the contents
of the <xacml-context:ResourceContent> element.  In the case where the
resource content is supplied in the request context and the resource
namespace is defined in the resource, the PDP SHALL confirm that the
namespace defined by this attribute is the same as that defined in the
resource.  The type of the corresponding attribute SHALL be
"http://www.w3.org/2001/XMLSchema#anyURI".
urn:oasis:names:tc:xacml:2.0:resource:target-namespace




-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.COM] 
Sent: Tuesday, July 27, 2004 12:10 PM
To: Tim Moses
Cc: 'XACML'
Subject: RE: [xacml] Section B.6 - Resource attributes


On 27 July, Tim Moses writes: RE: [xacml] Section B.6 - Resource attributes
 > 1. "In the former case, the attribute identifier SHALL appear in the
 > <ResourceAttributeDesignator> element."
 >
 > I only included this sentence as a counterpart to the earlier sentence: "The
 > corresponding attributes MAY appear in the <Resource> element of the request
 > context".  You are right; it's redundant.  I'll take it out.
 >
 > 2. OK.  I'll remove any restriction on the type of resource-id.
 >
 > 3. I'll drop the xpath attribute.
 >
 > 4. I'll add the document-id attribute.  Can we say anything about this
 > attribute and what it might contain?

The document-id attribute is defined in the Hierarchical Resources Profile.
It will be included in Section 6 "New attribute identifiers for hierarchical
resources", but is currently only defined in Section 3.1 "Notes in an XML
document" after the "Additional attributes MAY be included ..." paragraph.

I don't know if we want to define this also in the core XACML spec.

 > How about this? ...
 >
 > Draft 13
 >
 > These identifiers indicate attributes of the resource.  The corresponding
 > attributes MAY appear in the <Resource> element of the request context and
 > be accessed by means of a <ResourceAttributeDesignator> element, or by an
 > <AttributeSelector> element that points into the <Resource> element of the
 > request context.
 > This attribute identifies the contents of the
 > <xacml-context:ResourceContent> element.
 > urn:oasis:names:tc:xacml:1.0:resource:document-id

The Hierarchical resources profile says the following:

  The <AttributeValue> of this <Attribute> SHALL be a URI that
  identifies the XML document of which the requested resource is
  a part.  This <Attribute> MAY specify an Issuer.

If you also define document-id in the core spec, then I think it should
mention that the DataType SHALL be &xml;anyURI.

 > This attribute identifies the resource to which access is requested.  Note:
 > the resource to which access is requested may not be the same as the
 > resource supplied in the <xacml-context:ResourceContent> element.

I think I would say something like, "If an <xacml-context:ResourceContent>
element is provided, then the resource to which access is requested SHALL be
all or a portion of the resource supplied in the
<xacml-context:ResourceContent> element."

Anne

 > urn:oasis:names:tc:xacml:1.0:resource:resource-id
 > This attribute identifies the namespace of the top element of the contents
 > of the <xacml-context:ResourceContent> element.  In the case where the
 > resource content is supplied in the request context and the resource
 > namespace is defined in the resource, the PDP SHALL confirm that the
 > namespace defined by this attribute is the same as that defined in the
 > resource.  The type of the corresponding attribute SHALL be
 > "http://www.w3.org/2001/XMLSchema#anyURI".
 > urn:oasis:names:tc:xacml:2.0:resource:target-namespace
 > 
 > 
 > 
 > 
 > -----Original Message-----
 > From: Anne Anderson [mailto:Anne.Anderson@Sun.COM] 
 > Sent: Tuesday, July 27, 2004 11:26 AM
 > To: Tim Moses
 > Cc: 'XACML'
 > Subject: Re: [xacml] Section B.6 - Resource attributes
 > 
 > 
 > On 27 July, Tim Moses writes: [xacml] Section B.6 - Resource attributes
 >  > Colleagues - Some proposed changes to Section B.6.  Any comments?  All the
 >  > best.  Tim.
 >  >
 >  > Draft 13
 >  >
 >  > These identifiers indicate attributes of the resource.  The corresponding
 >  > attributes MAY appear in the <Resource> element of the request context and
 >  > be accessed by means of a <ResourceAttributeDesignator> element, or by an
 >  > <AttributeSelector> element that points into the <Resource> element of the
 >  > request context.  In the former case, the attribute identifier SHALL appear
 >  > in the <ResourceAttributeDesignator> element.
 >
 > I don't understand why the last sentence is needed.  If the attribute is in
 > the <Resource> element and is accessed by means of a
 > <ResourceAttributeDesignator> element, doesn't that mean the attribute
 > identifier must by definition appear in the <ResourceAttributeDesignator>
 > element?
 >
 >  > This identifier indicates the URI of the resource.  The type of the
 >  > corresponding attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI".
 >  > urn:oasis:names:tc:xacml:1.0:resource:resource-id
 >
 > The Hierarchical Resource Profile for XML resources proposes that the
 > DataType of the resource-id be "xpath-expression", identifying the specific
 > node of the resource that is being requested.  In this case, the optional
 > "document-id" resource Attribute can be used to hold the URI of the entire
 > XML document.
 >
 > I think Daniel also objected to forcing resource-id to be a URI. Or maybe it
 > was just a URI conforming to my proposed hierarchical URI scheme :-)
 >
 > So is there a reason resource-id must be a URI?
 >
 >  > This identifier indicates the name-space of the top element of the
 >  > resource.  In the case where the resource content is supplied in the
 >  > request context and the resource namespace is defined in the resource,
 >  > the PDP SHALL confirm that the namespace defined by this attribute is the
 >  > same as that defined in the resource.  The type of the corresponding
 >  > attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI".
 >  > urn:oasis:names:tc:xacml:2.0:resource:target-namespace
 >
 >  > This identifier indicates an xpath expression whose context node is the
 >  > <xacml-context:Request> element.  This attribute SHALL only appear in the
 >  > <ResourceAttributeDesignator> element.  The type of the corresponding
 >  > attribute SHALL be
 >  > "urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression".
 >  > urn:oasis:names:tc:xacml:2.0:resource:xpath
 >
 > I proposed that we drop the "xpath" Attribute, since there is no need for it
 > with the Hierarchical Resource Profile. "resource-id" in that case will
 > contain the xpath expression pointing to the requested node.
 >
 > Note that the reason for putting the xpath-expression pointing to the
 > requested node into the "resource-id" Attribute is so that the Response
 > <Result> ResourceId XML attribute can copy the resource-id Attribute and
 > have it be an unambiguous reference to the node to which the <Result>
 > corresponds.
 > Anne
 > -- 
 > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
 > Sun Microsystems Laboratories
 > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
 > Burlington, MA 01803-0902 USA  Fax: 781/442-1692

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
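
The target-namespace rule in the Draft 13 text above ("the PDP SHALL confirm that the namespace defined by this attribute is the same as that defined in the resource"), sketched as an added example that is not part of the thread or of the XACML specification. The context namespace, the function names check_target_namespace and make_request, and the sample request are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

TARGET_NS = "urn:oasis:names:tc:xacml:2.0:resource:target-namespace"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
# Assumption: context namespace of the published XACML 2.0 schema, not from the thread.
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def _namespace(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else None

def check_target_namespace(request_xml):
    """Return 'ok', 'mismatch', 'bad-datatype' or 'not-applicable'."""
    root = ET.fromstring(request_xml)
    resource = next((e for e in root.iter() if _local(e.tag) == "Resource"), None)
    if resource is None:
        return "not-applicable"
    declared = content_ns = None
    for child in resource:
        name = _local(child.tag)
        if name == "Attribute" and child.get("AttributeId") == TARGET_NS:
            if child.get("DataType") != ANY_URI:   # draft: type SHALL be anyURI
                return "bad-datatype"
            value = next((v for v in child if _local(v.tag) == "AttributeValue"), None)
            declared = (value.text or "").strip() if value is not None else None
        elif name == "ResourceContent" and len(child):
            content_ns = _namespace(child[0].tag)  # namespace of the top element
    # The rule binds only when content is supplied and its namespace is defined.
    if declared is None or content_ns is None:
        return "not-applicable"
    return "ok" if declared == content_ns else "mismatch"

def make_request(declared_ns, content_ns=None, datatype=ANY_URI):
    """Build a constructed sample request context (not taken from the thread)."""
    content = (f'<ResourceContent><r:record xmlns:r="{content_ns}"/></ResourceContent>'
               if content_ns else "")
    return (f'<Request xmlns="{CTX_NS}"><Resource>{content}'
            f'<Attribute AttributeId="{RESOURCE_ID}" DataType="{ANY_URI}">'
            f'<AttributeValue>urn:example:record:1</AttributeValue></Attribute>'
            f'<Attribute AttributeId="{TARGET_NS}" DataType="{datatype}">'
            f'<AttributeValue>{declared_ns}</AttributeValue></Attribute>'
            f'</Resource></Request>')

if __name__ == "__main__":
    for declared, content in [("urn:example:med", "urn:example:med"),
                              ("urn:example:med", "urn:example:other"),
                              ("urn:example:med", None)]:
        print(declared, content, check_target_namespace(make_request(declared, content)))
```

The comparison is an exact string match on the two URIs; a PDP that normalises URIs before comparing would need to apply the same normalisation to both sides.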

