Subject: Re: [xacml] Attribute categories.
Daniel, Anne, All,

My colleague Ludwig Seitz has tried out the new attribute categories and he agrees with Daniel on the quoted discussion. Here is his explanation of his opinion in his own words:

I think Daniel is right about not limiting DisjunctiveMatch to a single category. I have a nice example where it won't work:

Imagine you want to collect all policies for a resource 'foo' in one PolicySet. In the old XACML 3.0 (somewhat simplified notation) you could do something like this:

<PolicySet>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch>
          <AttributeValue>foo</AttributeValue>
          <AttributeDesignator/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Policy> ... </Policy>
  .
  .
  .
</PolicySet>

With Anne's proposal this would translate to something like this:

<PolicySet>
  <Target>
    <DisjunctiveMatch CategoryId="Resource">
      <ConjunctiveMatch>
        <Match>
          <AttributeValue>foo</AttributeValue>
          <AttributeDesignator Category="Resource"/>
        </Match>
      </ConjunctiveMatch>
    </DisjunctiveMatch>
  </Target>
  <Policy> ... </Policy>
  .
  .
  .
</PolicySet>

With the new Delegation model, administrative requests will look like this for the 'foo' resource:

<Request>
  <Attributes Category="DelegatedResource"> foo </Attributes>
  <Attributes Category="Delegate"> ... </Attributes>
</Request>

Which means they would not match the target of the above PolicySet anymore. In order to make the above construction work like it did before, we need to be able to do something like this:

<PolicySet>
  <Target>
    <DisjunctiveMatch>
      <ConjunctiveMatch>
        <Match>
          <AttributeValue>foo</AttributeValue>
          <AttributeDesignator Category="Resource"/>
        </Match>
      </ConjunctiveMatch>
      <ConjunctiveMatch>
        <Match>
          <AttributeValue>foo</AttributeValue>
          <AttributeDesignator Category="DelegatedResource"/>
        </Match>
      </ConjunctiveMatch>
    </DisjunctiveMatch>
  </Target>
  <Policy> ... </Policy>
  .
  .
  .
</PolicySet>

I think the above construct is quite common and I would therefore support Daniel's suggestion not to limit DisjunctiveMatch to a single category.
Daniel Engovatov wrote:
>I am not sure about limiting DisjunctiveMatch to a single category:
>Subjects will be in different categories, and there is no strong reason
>to limit this. We will be basically adding some basic Boolean logic to
>match combinations - we could actually make it fully generic and add
>nesting <AND> and <OR> operations on the <MATCH>, but that would
>probably be a bit of an overkill, so keeping it to one level should be
>OK.
>I would rather keep it in the simplest possible form that allows mapping
>of the old Subject - let's discuss it during the next call.
>
>Daniel;
>
>
>-----Original Message-----
>From: Anne Anderson - Sun Microsystems [mailto:Anne.Anderson@sun.com]
>Sent: Wednesday, October 04, 2006 12:20 PM
>To: xacml@lists.oasis-open.org
>Subject: Re: [xacml] Attribute categories.
>
>Hi Daniel,
>
>I did not mean to imply that we would still have <SUBJECTS>, <SUBJECT>,
>..., but that corresponding abstractions are needed: groups of targets
>that fall within a single category, and single instances of a target in
>that category to which multiple matches must apply.
>
>So, building on your example, here is what would be needed, with the
><Target> itself implying a conjunctive match of the enclosed
><DisjunctiveMatch> elements:
>
><Target>
>  <DisjunctiveMatch CategoryId="..:a">
>    <ConjunctiveMatch>
>      <Match> ...</Match>
>      <Match> ...</Match>
>    </ConjunctiveMatch>
>    <ConjunctiveMatch>
>      <Match> ...</Match>
>      <Match> ...</Match>
>    </ConjunctiveMatch>
>    <ConjunctiveMatch>
>      <Match> ...</Match>
>      <Match> ...</Match>
>    </ConjunctiveMatch>
>  </DisjunctiveMatch>
>  <DisjunctiveMatch CategoryId="..:b">
>    <ConjunctiveMatch>
>      <Match> ...</Match>
>      <Match> ...</Match>
>    </ConjunctiveMatch>
>  </DisjunctiveMatch>
>  ...
></Target>
>
>Regards,
>Anne
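To make the point of Ludwig's example concrete, here is an added example (not from the thread, and not the code of any XACML implementation): a small Python evaluator for the Target semantics Anne describes (Target ANDs its DisjunctiveMatch children, DisjunctiveMatch ORs its ConjunctiveMatch children, ConjunctiveMatch ANDs its Match children), run over Ludwig's two targets and two constructed requests. The Request form is Ludwig's simplified notation rather than the full XACML schema, only string equality is implemented, and the Delegate value 'bob' is constructed.

```python
import xml.etree.ElementTree as ET

# Semantics from the thread: <Target> ANDs its <DisjunctiveMatch> children,
# <DisjunctiveMatch> ORs its <ConjunctiveMatch> children, <ConjunctiveMatch>
# ANDs its <Match> children. CategoryId on <DisjunctiveMatch> is not enforced;
# each <Match> looks up the category named by its own <AttributeDesignator>.
def request_attributes(request_xml):
    """Return {category: set(values)} from a simplified <Request>."""
    attrs = {}
    for a in ET.fromstring(request_xml).findall("Attributes"):
        attrs.setdefault(a.get("Category"), set()).add((a.text or "").strip())
    return attrs

def match_ok(m, attrs):
    """String-equality <Match>: the value must appear in the designated category."""
    value = m.find("AttributeValue").text.strip()
    category = m.find("AttributeDesignator").get("Category")
    return value in attrs.get(category, set())

def target_applies(target_xml, attrs):
    target = ET.fromstring(target_xml)
    return all(
        any(all(match_ok(m, attrs) for m in cm.findall("Match"))
            for cm in dm.findall("ConjunctiveMatch"))
        for dm in target.findall("DisjunctiveMatch"))

# Ludwig's single-category target (Anne's proposal).
SINGLE_CATEGORY_TARGET = """<Target>
  <DisjunctiveMatch CategoryId="Resource">
    <ConjunctiveMatch><Match><AttributeValue>foo</AttributeValue>
      <AttributeDesignator Category="Resource"/></Match></ConjunctiveMatch>
  </DisjunctiveMatch>
</Target>"""

# Ludwig's target that ORs across Resource and DelegatedResource.
MULTI_CATEGORY_TARGET = """<Target>
  <DisjunctiveMatch>
    <ConjunctiveMatch><Match><AttributeValue>foo</AttributeValue>
      <AttributeDesignator Category="Resource"/></Match></ConjunctiveMatch>
    <ConjunctiveMatch><Match><AttributeValue>foo</AttributeValue>
      <AttributeDesignator Category="DelegatedResource"/></Match></ConjunctiveMatch>
  </DisjunctiveMatch>
</Target>"""

# Constructed requests in the simplified notation: an ordinary access request and
# an administrative (delegation) request for the same resource 'foo'.
ACCESS_REQUEST = '<Request><Attributes Category="Resource">foo</Attributes></Request>'
ADMIN_REQUEST = ('<Request><Attributes Category="DelegatedResource">foo</Attributes>'
                 '<Attributes Category="Delegate">bob</Attributes></Request>')
```

The single-category target applies to the access request but not to the administrative one; the target that ORs across the two categories applies to both.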