Subject: Re: [xacml] Attribute categories.
Hi Daniel,

I did not mean to imply that we would still have <SUBJECTS>,
<SUBJECT>, ..., but that corresponding abstractions are needed:
groups of targets that fall within a single category, and single
instances of a target in that category to which multiple matches
must apply.

So, building on your example, here is what would be needed, with the
<Target> itself implying a conjunctive match of the enclosed
<DisjunctiveMatch> elements:

<Target>
  <DisjunctiveMatch CategoryId="..:a">
    <ConjunctiveMatch>
      <Match> ...</Match>
      <Match> ...</Match>
    </ConjunctiveMatch>
    <ConjunctiveMatch>
      <Match> ...</Match>
      <Match> ...</Match>
    </ConjunctiveMatch>
    <ConjunctiveMatch>
      <Match> ...</Match>
      <Match> ...</Match>
    </ConjunctiveMatch>
  </DisjunctiveMatch>
  <DisjunctiveMatch CategoryId="..:b">
    <ConjunctiveMatch>
      <Match> ...</Match>
      <Match> ...</Match>
    </ConjunctiveMatch>
  </DisjunctiveMatch>
  ...
</Target>

Regards,
Anne

Daniel Engovatov wrote On 10/04/06 13:41,:
> Doh! (...I guess I did not like the existing multiple subject design so
> much that I subconsciously omitted it :) )
>
> We should add this, but it should be made in some abstract form, for
> example by adding a disjunctive match grouping. (We can pick up a nice
> name for that element - suggestions?)
> How about something like:
> <Target>
>   <DisjunctiveMatch>
>     <Match MatchId="...equals">
>       <AttributeDesignator Category="XXX">
>     </Match>
>     <Match MatchId="...equals">
>       <AttributeDesignator Category="XXX">
>     </Match>
>   </DisjunctiveMatch>
>   <Match>...
>   </Match>
> </Target>
>
> With semantics that anything inside the DisjunctiveMatch is ORed, and
> the rest is AND. There is no need to restrict this only to the former
> subject categories.
> That will allow to map existing subject matches into the new schema.
>
> Daniel;
>
> -----Original Message-----
> From: Anne Anderson - Sun Microsystems [mailto:Anne.Anderson@sun.com]
> Sent: Wednesday, October 04, 2006 7:42 AM
> To: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Attribute categories.
>
> I think this is a mistake in the new attribute categories schema. There
> should be an element corresponding to <Subjects>, <Resources>, ... that
> identifies a category under which the enclosed groupings fall. Then
> there should be an element corresponding to <Subject>, <Resource>, ...
> that identifies a specific instance of an entity in that category to
> which all the enclosed <Match> elements must apply.
>
> Fixing this mistake will be necessary for backwards compatibility, and
> also to retain functionality for specifying groupings of attributes that
> must apply to a specific entity.
>
> Regards,
> Anne
>
> Erik Rissanen wrote On 10/04/06 10:36,:
>
>>All,
>>
>>I just noticed that, if I understand this correctly, it is not possible
>>to write a disjunction in the target with the new attribute categories
>>schema. In XACML 2.0 you can write:
>>
>><Target>
>>  <Subjects>
>>    <Subject>
>>      <SubjectMatch MatchId="...equals">
>>        <SubjectAttributeDesignator>
>>        ...A...
>>      </SubjectMatch>
>>    </Subject>
>>    <Subject>
>>      <SubjectMatch MatchId="...equals">
>>        <SubjectAttributeDesignator>
>>        ...B...
>>      </SubjectMatch>
>>    </Subject>
>>  </Subjects>
>></Target>
>>
>>and a request with either subject A or B would match.
>>
>>In the new attribute categories schema the Match appears directly below
>>Target:
>>
>><Target>
>>  <Match MatchId="...equals">
>>    <AttributeDesignator Category="Subject">
>>    ...A...
>>  </Match>
>></Target>
>>
>>so it is no longer possible to write a disjunction. Did I understand it
>>correctly?
>>
>>Regards,
>>Erik
>>
>>Daniel Engovatov wrote:
>>
>>>Attached is a version of the request and policy schemas implementing
>>>extensible attribute categories proposal, as we discussed it.
>>>I also attached some rendering of the changed schema type.
>>>Could this be uploaded somewhere, so that I can link it from wiki and
>>>write descriptions for all the changes?
>>>
>>>Daniel;

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
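
The target semantics proposed in the message above (AND across <DisjunctiveMatch> categories, OR across <ConjunctiveMatch> groups, AND across the <Match> elements of one group, all applied to a single entity), as an added example that is not part of the original thread or of any XACML schema. The AttributeId/Value attributes on <Match>, the category names, the request layout and the true/false result (no Indeterminate) are assumptions made for the sketch.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment in the shape proposed in the message above.
# The AttributeId/Value attributes on <Match> and the category names are
# assumptions made for this example; the thread elides them as "...".
TARGET_XML = """
<Target>
  <DisjunctiveMatch CategoryId="subject">
    <ConjunctiveMatch>
      <Match AttributeId="role" Value="doctor"/>
      <Match AttributeId="dept" Value="cardiology"/>
    </ConjunctiveMatch>
    <ConjunctiveMatch>
      <Match AttributeId="role" Value="auditor"/>
    </ConjunctiveMatch>
  </DisjunctiveMatch>
  <DisjunctiveMatch CategoryId="resource">
    <ConjunctiveMatch>
      <Match AttributeId="type" Value="record"/>
    </ConjunctiveMatch>
  </DisjunctiveMatch>
</Target>
"""

def entity_satisfies(entity, conj):
    """AND: every <Match> in the group must hold for this one entity."""
    return all(m.get("Value") in entity.get(m.get("AttributeId"), ())
               for m in conj.findall("Match"))

def target_matches(target, request):
    """request maps category -> list of entities (dict attr -> set of values)."""
    for disj in target.findall("DisjunctiveMatch"):      # AND across categories
        entities = request.get(disj.get("CategoryId"), [])
        if not any(entity_satisfies(e, c)                 # OR across groups
                   for c in disj.findall("ConjunctiveMatch")
                   for e in entities):
            return False
    return True

TARGET = ET.fromstring(TARGET_XML)
RECORD = [{"type": {"record"}}]
# One subject holding both attributes: the first group matches.
ONE_ENTITY = {"subject": [{"role": {"doctor"}, "dept": {"cardiology"}}], "resource": RECORD}
# Same attributes split over two subjects: no single entity satisfies the group.
SPLIT = {"subject": [{"role": {"doctor"}}, {"dept": {"cardiology"}}], "resource": RECORD}
AUDITOR = {"subject": [{"role": {"auditor"}}], "resource": RECORD}
NO_RESOURCE = {"subject": [{"role": {"auditor"}}]}
```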