Subject: new issue: PolicyIdentifierList scope and order
Hi all,

When I first saw PolicyIdentifierList in a v3 working draft, I assumed it included PolicySets as well as Policies. But now that I read cd-1 section 5.49 closely, I see it only mentions policies.

My use case requires an ordered list consisting of 0 or more PolicySet ids and 1 Policy id that were successfully evaluated to return the decision. But I don't see that PolicyIdentifierList will provide this, as currently specified.

I propose that PolicyIdentifierList be specified as an ordered list of PolicySet and Policy ids that were successfully evaluated to reach the decision. Each item in the list would have the Policy[Set] id and version, as currently specified.

Further specification might be necessary for PolicySets, to avoid ambiguity in the case where two or more children were evaluated successfully. In this case, the final id should be the id of the policyset whose policy-combining-algorithm resulted in the decision that was returned. I have not analyzed this much, and we do not use exotic combining algorithms, so more analysis is required.

It might be possible to use <PolicySetIdReference> and <PolicyIdReference> in this list, instead of creating new element types. In this context the EarliestVersion and LatestVersion attributes have no meaning.

If the IdReferenceType element types are used, the definition of PolicyIdentifierList would be:

    <xs:element name="PolicyIdentifierList" type="xacml:PolicyIdentifierListType"/>
    <xs:complexType name="PolicyIdentifierListType">
      <xs:choice minOccurs="1" maxOccurs="unbounded">
        <xs:element ref="xacml:PolicySetIdReference"/>
        <xs:element ref="xacml:PolicyIdReference" />
      </xs:choice>
    </xs:complexType>

Section 5.50 and the <PolicyIdentifier> element could be deleted.

Regards,
--Paul
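Added example, not part of the message above or of the XACML specification: a consumer-side reader for a PolicyIdentifierList shaped like the proposed schema, which returns the ordered ids and checks the use case described (0 or more PolicySet ids followed by exactly 1 Policy id). The namespace URI, the sample ids and the function names are constructed for illustration, and rejecting EarliestVersion/LatestVersion is a choice made here.

```python
import xml.etree.ElementTree as ET

NS = "urn:example:xacml-draft"  # placeholder namespace, not the real XACML URI
KINDS = {f"{{{NS}}}PolicySetIdReference": "PolicySet",
         f"{{{NS}}}PolicyIdReference": "Policy"}

def parse_identifier_list(xml_text):
    """Return [(kind, id, version), ...] in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}PolicyIdentifierList":
        raise ValueError("root is not PolicyIdentifierList")
    items = []
    for child in root:
        kind = KINDS.get(child.tag)
        if kind is None:
            raise ValueError(f"unexpected element {child.tag}")
        # The message says these attributes have no meaning in this context;
        # treating them as an error is this example's choice.
        if "EarliestVersion" in child.attrib or "LatestVersion" in child.attrib:
            raise ValueError("version-range attributes not allowed in a result")
        items.append((kind, (child.text or "").strip(), child.get("Version")))
    if not items:  # mirrors xs:choice minOccurs="1"
        raise ValueError("PolicyIdentifierList must not be empty")
    return items

def is_decision_path(items):
    """Use case from the message: 0+ PolicySet ids, then exactly 1 Policy id."""
    kinds = [kind for kind, _, _ in items]
    return kinds[-1:] == ["Policy"] and all(k == "PolicySet" for k in kinds[:-1])

# Constructed sample: two enclosing PolicySets, then the Policy that decided.
SAMPLE = f"""<PolicyIdentifierList xmlns="{NS}">
  <PolicySetIdReference Version="1.0">urn:example:policyset:root</PolicySetIdReference>
  <PolicySetIdReference Version="2.1">urn:example:policyset:hr</PolicySetIdReference>
  <PolicyIdReference Version="1.3">urn:example:policy:hr-read</PolicyIdReference>
</PolicyIdentifierList>"""

if __name__ == "__main__":
    path = parse_identifier_list(SAMPLE)
    for kind, ident, version in path:
        print(kind, ident, version)
    print("matches use case:", is_decision_path(path))
```

The proposed schema by itself also admits lists that do not end in a single Policy id, which is why the ordering check is separate from parsing.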