Subject: Re: samlp:XACMLPolicyQuery Target element
In case of any confusion, the Subject of the previous e-mail should have been xacml-samlp:XACMLPolicyQuery Target element.

-Anne

Anne Anderson wrote:
> Colleagues,
>
> Currently, in the SAML 2.0 Profile of XACML 2.0, an XACMLPolicyQuery
> element is used by a PDP to request policies from an on-line Policy
> Administration Point. The policies to be returned are specified using
> one or more of the following elements:
> ---------------------Taken from XACML 2.0 Profile------------>
> <xacml-context:Request> [Any Number]
> Supplies an XACML Request Context. All XACML <xacml:Policy> and
> <xacml:PolicySet> instances applicable to this Request SHALL be
> returned. The concept of “applicability” in the XACML context is
> defined in the XACML 2.0 Specification [XACML].
>
> <xacml:Target> [Any Number]
> Supplies an XACML <xacml:Target> instance. All XACML <xacml:Policy> and
> <xacml:PolicySet> instances applicable to this <Target> SHALL be returned.
>
> <xacml:PolicySetIdReference> [Any Number]
> Identifies an XACML <xacml:PolicySet> instance to be returned.
>
> <xacml:PolicyIdReference> [Any Number]
> Identifies an XACML <xacml:Policy> instance to be returned.
>
> If the <xacml-samlp:XACMLPolicyQuery> contains no element instances,
> then the Policy Administration Point SHOULD return all policies that are
> authorized and appropriate for use by the requester.
> <--------------------End of extract from XACML 2.0 Profile---------
>
> There is a potential problem with use of the <xacml:Target> element,
> because we do not specify how to determine *policies* that are
> "applicable" to a Target.
>
> Here are some possible options for dealing with this:
>
> 1. Say something like "Return all Policy and PolicySet instances that
> are applicable to any Request to which this Target is applicable. The
> means for determining such policies is unspecified."
>
> 2. Say "Return all Policy and PolicySet instances whose top-level Target
> exactly matches this Target. The matching algorithm is unspecified."
>
> 3. Remove this element from the XACMLPolicyQuery.
>
> I recommend #3.
>
> Regards,
> Anne

--
Anne H. Anderson             Anne.Anderson@sun.com
Sun Microsystems Labs        1-781-442-0928
Burlington, MA USA
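
An added illustration (not part of the original message or of the profile) of why an unspecified "exact match" on `<xacml:Target>`, as in option 2 above, harms interoperability: two hypothetical Policy Administration Point matchers, one comparing serialized Targets verbatim and one comparing them order-insensitively, return different policy sets for the same query. The policy ids, helper names and both matching rules are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def target(subject_ids):
    """Build a constructed XACML 2.0 <Target> with one <Subject> per id."""
    subjects = "".join(
        f'<Subject><SubjectMatch MatchId="{STRING_EQUAL}">'
        f'<AttributeValue DataType="{XS_STRING}">{sid}</AttributeValue>'
        f'<SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" '
        f'DataType="{XS_STRING}"/></SubjectMatch></Subject>'
        for sid in subject_ids)
    return ET.fromstring(
        f'<Target xmlns="{XACML}"><Subjects>{subjects}</Subjects></Target>')

def literal_match(a, b):
    """Hypothetical matcher A: the serialized elements must be identical."""
    return ET.tostring(a) == ET.tostring(b)

def _norm(elem):
    """Order-insensitive form: tag, sorted attributes, text, sorted children."""
    return (elem.tag, tuple(sorted(elem.attrib.items())),
            (elem.text or "").strip(), tuple(sorted(_norm(c) for c in elem)))

def structural_match(a, b):
    """Hypothetical matcher B: same elements, sibling order ignored."""
    return _norm(a) == _norm(b)

# Constructed policy store: policy id -> top-level Target of that policy.
# policy-ab and policy-ba list the same two <Subject> alternatives (which
# XACML treats as a disjunction) in opposite order.
POLICIES = {
    "policy-ab": target(["alice", "bob"]),
    "policy-ba": target(["bob", "alice"]),
    "policy-c": target(["carol"]),
}
QUERY = target(["alice", "bob"])  # the <xacml:Target> carried in the query

def select(matcher):
    """Return ids of policies whose top-level Target 'matches' the query."""
    return sorted(pid for pid, t in POLICIES.items() if matcher(t, QUERY))

if __name__ == "__main__":
    print("literal   :", select(literal_match))
    print("structural:", select(structural_match))
```

A PDP that receives fewer policies than it expects from one PAP implementation and more from another will reach different authorization decisions for the same request, which is the interoperability risk behind the recommendation to drop the element.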