Subject: Re: [xacml-comment] hierarchical node id datatype


Thanks Paul for the feedback,

I agree that there is no reason to limit it to URIs and the profile 
should work with any data type, like for regular resource ids.

I am posting this to the TC list for discussion there.

Best regards,
Erik


Tyson, Paul H wrote:
> In the 3.0 draft hierarchical profile of 7 November 2008:
>
> Data type for non-XML node ids (section 2.2) is required to be anyURI.
> While this might be useful to support some xpath-like operations, it
> seems to be overspecified for the basic use case of testing to see if
> one resource is an "ancestor" of another.  A string data type would work
> as well.
>
> Consider a resource-id "r1", used in two places in a hierarchy:
>
> 	http://example.com/path/to/one/r1
> 	http://example.com/path/to/another/r1
>
> I have a rule that says "permit if resource has ancestor 'path'".
>
> My context handler can supply a bag of resource-ancestor attribute
> values ["one","another","to","path"] for resource-id "r1".  But
> according to the draft spec I would have to write the rule:
>
> 	permit if 'http://example.com/path' anyURI-equal resource-ancestor
>
> and the context handler would have to supply URI values like
> 'http://example.com/path', 'http://example.com/path/to', etc.
>
> In other contexts, values like 'path', 'to', etc. would be the actual
> resource-id values for these resources.  It would be convenient to use
> these values directly as the values of 'resource-parent',
> 'resource-ancestor', and 'resource-ancestor-or-self'.  This would not
> interfere with any existing functionality provided by the hierarchical
> profile, because they would be distinguished by a different datatype.
>
> Please consider relaxing the anyURI datatype requirement for non-XML
> 'resource-parent', 'resource-ancestor', and 'resource-ancestor-or-self'
> attribute values in the hierarchical profile.  This would also allow
> policies to use other appropriate comparators besides anyURI-equal and
> regexp-uri-match.
>
> --Paul Tyson
>
>   

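The two shapes of the resource-ancestor bag discussed above, worked through as an added example that is not part of this thread or of the XACML profile text. It assumes the two constructed resource URIs from Paul's message, derives the ancestor bag once as full anyURI prefixes (the draft's requirement) and once as plain string node ids (the proposed relaxation), and evaluates the rule "permit if resource has ancestor 'path'" against each with a plain membership test standing in for XACML's bag functions. Function names (`ancestor_uris`, `ancestor_segments`, `rule_permits`) are hypothetical; this is not a PDP. It also shows the caveat a policy author should keep in mind with the string form: a segment id matches by name at any depth, so a node called `path` under a different parent satisfies the same rule.

```python
# Added example, not from the thread: deriving the resource-ancestor bag for a
# non-XML hierarchical resource in the two forms under discussion, and checking
# how the rule "permit if resource has ancestor 'path'" reads against each.
# All function names are hypothetical; rule_permits is a simplified stand-in
# for the XACML any-of / equal bag idiom, not a policy engine.
from urllib.parse import urlsplit

# Constructed sample resources (the same two "r1" placements as in the message).
R1_ONE = "http://example.com/path/to/one/r1"
R1_ANOTHER = "http://example.com/path/to/another/r1"


def path_segments(resource_uri: str) -> list[str]:
    """Split the path of a resource URI into its non-empty segments."""
    return [s for s in urlsplit(resource_uri).path.split("/") if s]


def ancestor_uris(resource_uri: str) -> list[str]:
    """Draft-profile form: every ancestor as a full anyURI prefix,
    e.g. http://example.com/path, http://example.com/path/to, ..."""
    parts = urlsplit(resource_uri)
    base = f"{parts.scheme}://{parts.netloc}"
    segs = path_segments(resource_uri)
    # The last segment is the resource itself, so it is not an ancestor.
    return [base + "/" + "/".join(segs[:i]) for i in range(1, len(segs))]


def ancestor_segments(resource_uri: str) -> list[str]:
    """Proposed form: every ancestor as the plain string id of that node,
    i.e. the values the node would carry as its own resource-id elsewhere."""
    return path_segments(resource_uri)[:-1]


def rule_permits(ancestor_bag: list[str], wanted: str) -> bool:
    """'permit if resource has ancestor <wanted>': true when some value in
    the bag equals <wanted> (what anyURI-equal or string-equal under any-of
    would compute). Equality is exact; no prefix or regexp matching."""
    return wanted in ancestor_bag


if __name__ == "__main__":
    for res in (R1_ONE, R1_ANOTHER):
        print(res)
        print("  anyURI bag :", ancestor_uris(res))
        print("  string bag :", ancestor_segments(res))
        print("  'path' via anyURI-equal :", rule_permits(ancestor_uris(res), "path"))
        print("  full URI via anyURI-equal:",
              rule_permits(ancestor_uris(res), "http://example.com/path"))
        print("  'path' via string-equal :", rule_permits(ancestor_segments(res), "path"))
```

With the anyURI form the short rule never fires, because `'path'` is not equal to any full-URI ancestor value; the policy has to name `http://example.com/path` and the context handler has to emit every prefix. With the string form the same rule fires for both placements of `r1`, which is the convenience Paul asks for, but it also fires for a resource such as `http://example.com/other/path/x`, where the node named `path` sits under a different parent; a policy that relies on segment ids must therefore be written knowing that position in the hierarchy is no longer part of the match.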