[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Sample policy assertion
All,

On today's call I promised to post an example of a SAML XACML policy assertion, to clarify the three categories of policies I am referring to in the message here:

http://lists.oasis-open.org/archives/xacml/200902/msg00065.html

Here is an example:

<saml:Assertion>
  ...
  <saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
    <xacml:Policy>
      a policy here ....
    </xacml:Policy>
    <xacml:Policy>
      another policy here ....
    </xacml:Policy>
    <xacml:PolicySet>
      a policy set here ....
    </xacml:PolicySet>
    ...
    <xacml-saml:ReferencedPolicies>
      <xacml:Policy>
        a policy here ....
      </xacml:Policy>
      <xacml:Policy>
        another policy here ....
      </xacml:Policy>
      <xacml:PolicySet>
        a policy set here ....
      </xacml:PolicySet>
      ....
    </xacml-saml:ReferencedPolicies>
  </saml:Statement>
</saml:Assertion>

Note that we are talking about the definition of the schema of this kind of assertion, so the policy statement is not considered in any particular context here. This assertion could be used in a policy repository, in a PDP for evaluation, as an audit trail, or whatever, and how the policies in the assertion interact with other policies is also undefined.

The <ReferencedPolicies> element is used as a possibility to include policies which are referenced inside the policy assertion. It is useful to allow two kinds of policies in the assertion, so it is possible to differentiate between policies which are reachable directly by requests, and those which can only be reached through references.

What I wanted to say in the spec is that how policy references are resolved depends on the context in which the assertion is used. I just wanted to point out that there are three categories of policies:

- Policies at the "top level" in the XACMLPolicyStatement.
- Policies inside the <ReferencedPolicies> element.
- Policies outside the assertion. (Such as in a PDP, provided with a SAML XACML authz, in other assertions, or something entirely different.)

And I think the spec itself should not limit how a consumer of the assertion would like to resolve references between these categories of policies.

Best regards,
Erik
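The following is an added example, not code from Erik's message or from the XACML TC: a small consumer that parses an XACMLPolicyStatement, sorts the policies it carries into the three categories above (top level, <ReferencedPolicies>, external), and resolves each PolicyIdReference/PolicySetIdReference in a consumer-chosen order, which is exactly the freedom the message argues the spec should leave open. The sample assertion, its policy identifiers and the external policy store are constructed for the example; the SAML 2.0 and XACML 2.0 policy namespaces are the standard ones, while the xacml-saml namespace URI is assumed here and should be checked against the profile version you actually use. The xsi:type check only compares the local name of the QName; a real consumer resolves the prefix, validates the assertion's signature and parses with a hardened XML parser before trusting anything in it.

```python
"""Classify policies in a SAML XACMLPolicyStatement and resolve references
against the three categories: top-level, ReferencedPolicies, external."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
    # Assumed for this example (XACML 2.0 SAML profile); verify for your version.
    "xacml-saml": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: one top-level PolicySet referencing three policies, of
# which one is carried in ReferencedPolicies, one lives outside the assertion
# (e.g. already loaded in the PDP) and one exists nowhere.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="%(saml)s" xmlns:xacml="%(xacml)s"
    xmlns:xacml-saml="%(xacml-saml)s"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_example" Version="2.0" IssueInstant="2009-02-20T00:00:00Z">
  <saml:Issuer>https://pap.example.org</saml:Issuer>
  <saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
    <xacml:PolicySet PolicySetId="urn:example:pset:root"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
      <xacml:Target/>
      <xacml:PolicyIdReference>urn:example:policy:shared</xacml:PolicyIdReference>
      <xacml:PolicyIdReference>urn:example:policy:in-pdp</xacml:PolicyIdReference>
      <xacml:PolicyIdReference>urn:example:policy:missing</xacml:PolicyIdReference>
    </xacml:PolicySet>
    <xacml-saml:ReferencedPolicies>
      <xacml:Policy PolicyId="urn:example:policy:shared"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <xacml:Target/>
      </xacml:Policy>
    </xacml-saml:ReferencedPolicies>
  </saml:Statement>
</saml:Assertion>""" % NS

# Constructed stand-in for policies the consumer already holds (category 3).
EXTERNAL_POLICIES = {"urn:example:policy:in-pdp": "<loaded in PDP>"}


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _policy_id(elem):
    """Identifier of a Policy or PolicySet element, None for anything else."""
    if elem.tag == _tag("xacml", "Policy"):
        return elem.get("PolicyId")
    if elem.tag == _tag("xacml", "PolicySet"):
        return elem.get("PolicySetId")
    return None


def categorize(assertion_xml):
    """Return (top_level, referenced): id -> element for the two in-assertion categories."""
    root = ET.fromstring(assertion_xml)
    top_level, referenced = {}, {}
    for stmt in root.findall("saml:Statement", NS):
        # Simplified QName check on the local name only (see lead-in).
        if not stmt.get(XSI_TYPE, "").endswith(":XACMLPolicyStatementType"):
            continue
        for child in stmt:
            if child.tag == _tag("xacml-saml", "ReferencedPolicies"):
                for p in child:
                    pid = _policy_id(p)
                    if pid:
                        referenced[pid] = p
            else:
                pid = _policy_id(child)
                if pid:
                    top_level[pid] = child
    return top_level, referenced


def collect_references(policies):
    """All PolicyIdReference / PolicySetIdReference targets found under the given policies."""
    ref_tags = (_tag("xacml", "PolicyIdReference"), _tag("xacml", "PolicySetIdReference"))
    return [(r.text or "").strip()
            for p in policies.values() for r in p.iter() if r.tag in ref_tags]


def resolve(assertion_xml, external, order=("top_level", "referenced", "external")):
    """Map each referenced id to the category it resolves in (or None).

    `order` is the consumer's own precedence; the assertion schema does not fix it.
    """
    top_level, referenced = categorize(assertion_xml)
    categories = {"top_level": top_level, "referenced": referenced, "external": external}
    result = {}
    for rid in collect_references(top_level) + collect_references(referenced):
        result[rid] = next((c for c in order if rid in categories[c]), None)
    return result


if __name__ == "__main__":
    # Only the top-level PolicySet is directly reachable by requests; the
    # ReferencedPolicies entry is reachable through the reference alone.
    for rid, cat in resolve(SAMPLE_ASSERTION, EXTERNAL_POLICIES).items():
        print("%-30s -> %s" % (rid, cat))
```

Passing a different `order` (for example external first) changes which copy of a policy wins when the same identifier appears both inside and outside the assertion, which is the kind of decision the message leaves to the consumer. An unresolved reference (`None`) should be treated as an error by a PDP, not silently skipped.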