OASIS Mailing List Archives

xacml message


Subject: Re: [xacml] Attribute categories.


I think this is a mistake in the new attribute categories schema.  There 
should be an element corresponding to <Subjects>, <Resources>, ... that 
identifies a category under which the enclosed groupings fall.  Then 
there should be an element corresponding to <Subject>, <Resource>, ... 
that identifies a specific instance of an entity in that category to 
which all the enclosed <Match> elements must apply.

Fixing this mistake will be necessary for backwards compatibility, and 
also to retain functionality for specifying groupings of attributes that 
must apply to a specific entity.

Regards,
Anne

Erik Rissanen wrote On 10/04/06 10:36,:
> All,
> 
> I just noticed that, if I understand this correctly, it is not possible to
> write a disjunction in the target with the new attribute categories
> schema. In XACML 2.0 you can write:
> 
> <Target>
>   <Subjects>
>     <Subject>
>        <SubjectMatch MatchId="...equals">
>          <SubjectAttributeDesignator>
>               ...A...
>        </SubjectMatch>
>     </Subject>
>     <Subject>
>        <SubjectMatch MatchId="...equals">
>          <SubjectAttributeDesignator>
>               ...B...
>        </SubjectMatch>
>     </Subject>
>   </Subjects>
> </Target>
> 
> and a request with either subject A or B would match.
> 
> In the new attribute categories schema the Match appears directly below
> Target:
> 
> <Target>
>   <Match MatchId="...equals">
>     <AttributeDesignator Category="Subject">
>        ...A...
>   </Match>
> </Target>
> 
> so it is no longer possible to write a disjunction. Did I understand it
> correctly?
> 
> Regards,
> Erik
> 
> Daniel Engovatov wrote:
> 
>>Attached is a version of the request and policy schemas implementing
>>extensible attribute categories proposal, as we discussed it.
>>I also attached some rendering of the changed schema type.
>>Could this be uploaded somewhere, so that I can link it from wiki and
>>write descriptions for all the changes?
>>
>>Daniel;
>>
>>  
> 
> 
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
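
Added example, not part of the original message or of any XACML implementation: a minimal Python evaluator contrasting the two target shapes discussed in this thread, showing that the nested form matches subject A or B while the flat form cannot. The XML is constructed and simplified (no namespaces, string equality only), and treating sibling `<Match>` elements as a conjunction is an assumption drawn from the discussion above.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified targets: no namespaces, string equality only.
NESTED = """<Target><Subjects>
  <Subject><SubjectMatch MatchId="string-equal">
    <AttributeValue>A</AttributeValue>
    <SubjectAttributeDesignator AttributeId="subject-id"/>
  </SubjectMatch></Subject>
  <Subject><SubjectMatch MatchId="string-equal">
    <AttributeValue>B</AttributeValue>
    <SubjectAttributeDesignator AttributeId="subject-id"/>
  </SubjectMatch></Subject>
</Subjects></Target>"""

FLAT = """<Target>
  <Match MatchId="string-equal">
    <AttributeValue>A</AttributeValue>
    <AttributeDesignator Category="Subject" AttributeId="subject-id"/>
  </Match>
  <Match MatchId="string-equal">
    <AttributeValue>B</AttributeValue>
    <AttributeDesignator Category="Subject" AttributeId="subject-id"/>
  </Match>
</Target>"""

def match_ok(match, attrs):
    """True if the request's attribute bag contains the literal value."""
    value = match.findtext("AttributeValue")
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return value in attrs.get(designator.get("AttributeId"), set())

def nested_matches(target_xml, attrs):
    """2.0 style: OR across <Subject>, AND across its <SubjectMatch> children."""
    subjects = ET.fromstring(target_xml).findall("Subjects/Subject")
    return any(all(match_ok(m, attrs) for m in s.findall("SubjectMatch"))
               for s in subjects)

def flat_matches(target_xml, attrs):
    """Flat style: every <Match> under <Target> must hold (assumed AND)."""
    return all(match_ok(m, attrs) for m in ET.fromstring(target_xml).findall("Match"))

if __name__ == "__main__":
    for who in ("A", "B", "C"):
        req = {"subject-id": {who}}  # constructed request attributes
        print(who, nested_matches(NESTED, req), flat_matches(FLAT, req))
```
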

