xacml message

Subject: Sample policy assertion


All,

On today's call I promised to post an example of a SAML XACML policy 
assertion, to clarify the three categories of policies I am referring to 
in the message here:

http://lists.oasis-open.org/archives/xacml/200902/msg00065.html

Here is an example:

<saml:Assertion>
  ...
  <saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
    <xacml:Policy> a policy here .... </xacml:Policy>
    <xacml:Policy> another policy here .... </xacml:Policy>
    <xacml:PolicySet> a policy set here .... </xacml:PolicySet>
    ...
    <xacml-saml:ReferencedPolicies>
      <xacml:Policy> a policy here .... </xacml:Policy>
      <xacml:Policy> another policy here .... </xacml:Policy>
      <xacml:PolicySet> a policy set here .... </xacml:PolicySet>
      ....
    </xacml-saml:ReferencedPolicies>
  </saml:Statement>
</saml:Assertion>

Note that we are talking about the definition of the schema of this kind 
of assertion, so the policy statement is not considered in any 
particular context here. This assertion could be used in a policy 
repository, in a PDP for evaluation, as an audit trail, or whatever, and 
how the policies in the assertion interact with other policies is also 
undefined.

The <ReferencedPolicies> element is used as a possibility to include 
policies which are referenced inside the policy assertion. It is useful 
to allow two kinds of policies in the assertion, so it is possible to 
differentiate between policies which are reachable directly by requests, 
and those which can only be reached through references.

What I wanted to say in the spec is that how policy references are 
resolved depends on the context in which the assertion is used. I just 
wanted to point out that there are three categories of policies:

- Policies at the "top level" in the XACMLPolicyStatement.

- Policies inside the <ReferencedPolicies> element.

- Policies outside the assertion. (Such as in a PDP, provided with a 
SAML XACML authz, in other assertions, or something entirely different.)

And I think the spec itself should not limit how a consumer of the 
assertion would like to resolve references between these categories of 
policies.

Best regards,
Erik
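
One way a consumer of such an assertion could sort the policy references it carries into the three categories listed above, as an added example that is not code from the post or from the XACML TC: it assumes the XACML 3.0 and SAML 2.0 namespace URIs, an assumed xacml-saml namespace URI, and a constructed sample assertion with invented policy ids.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 and XACML 3.0 namespaces; the xacml-saml URI is an assumption.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XACML_SAML = "urn:oasis:names:tc:xacml:3.0:profile:saml2.0:v2:schema:assertion"

# Constructed sample: a top-level PolicySet referencing two policies, one carried
# in <ReferencedPolicies>, the other defined nowhere inside the assertion.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xacml="{XACML}"
    xmlns:xacml-saml="{XACML_SAML}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="a1" Version="2.0">
  <saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
    <xacml:PolicySet PolicySetId="urn:example:set:top">
      <xacml:PolicyIdReference>urn:example:policy:ref</xacml:PolicyIdReference>
      <xacml:PolicyIdReference>urn:example:policy:ext</xacml:PolicyIdReference>
    </xacml:PolicySet>
    <xacml:Policy PolicyId="urn:example:policy:top"/>
    <xacml-saml:ReferencedPolicies>
      <xacml:Policy PolicyId="urn:example:policy:ref"/>
    </xacml-saml:ReferencedPolicies>
  </saml:Statement>
</saml:Assertion>"""

# Element tag -> attribute holding the policy's id.
POLICY_TAGS = {f"{{{XACML}}}Policy": "PolicyId", f"{{{XACML}}}PolicySet": "PolicySetId"}
REF_TAGS = {f"{{{XACML}}}PolicyIdReference", f"{{{XACML}}}PolicySetIdReference"}


def _ids(parent):
    """Ids of the Policy/PolicySet elements that are direct children of parent."""
    return {c.get(POLICY_TAGS[c.tag]) for c in parent if c.tag in POLICY_TAGS}


def classify(assertion_xml):
    """Map every PolicyIdReference/PolicySetIdReference in the policy statement
    to 'top-level', 'referenced' or 'external' (the three categories)."""
    stmt = ET.fromstring(assertion_xml).find(f"{{{SAML}}}Statement")
    refblock = stmt.find(f"{{{XACML_SAML}}}ReferencedPolicies")
    top = _ids(stmt)  # directly reachable by requests
    referenced = _ids(refblock) if refblock is not None else set()
    clash = top & referenced
    if clash:  # same id in both categories makes resolution ambiguous
        raise ValueError(f"id defined at top level and in ReferencedPolicies: {clash}")
    result = {}
    for el in stmt.iter():
        if el.tag in REF_TAGS:
            rid = (el.text or "").strip()
            result[rid] = "top-level" if rid in top else (
                "referenced" if rid in referenced else "external")
    return result


if __name__ == "__main__":
    for rid, category in classify(SAMPLE).items():
        print(rid, "->", category)
```

References classified as "external" must be satisfied from the third category (a PDP's own store, other assertions, and so on), which is exactly the part the spec leaves to the consumer.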


