Re: [xacml] three questions: string-not-equal & valid FulfillOn attribut

xacml message

Subject: Re: [xacml] three questions: string-not-equal & valid FulfillOn attributevalues& placement of variableDefintions

From: Erik Rissanen <erik@axiomatics.com>

To: xacml@lists.oasis-open.org

Date: Mon, 30 May 2011 18:35:35 +0200

Hi Jan,

On second thought, I don't think the string-not-equals would be useful. It won't do what you want in a target in case of multiple values. The target would match if at least one of the values in the request causes string-not-equal to return true. That's not what you would want to.

So you would need to use a condition.

Best regards,
Erik

On 05/30/2011 05:14 PM, Erik Rissanen wrote:

4DE3B446.4070809@axiomatics.com" type="cite"> Hi Jan,

See inline.

On 2011-05-30 16:38, Jan Herrmann wrote:
ABD756A3EE1A4144BAA186C7B4379F46@lapschlichter55" type="cite">

Hi all,

three little questions:

1. Would it not be useful to allow a sting-not-equal Match-function?

Yes, it would since it's not possible to use a "not" function in a target. However, my opinion is that the fault is not that there is no string-not-equal function, but the problem is that one cannot use a condition in a policy or policy set. There are lots of cases where one has to use weird constructs to work around that, and your case is just one such example.

ABD756A3EE1A4144BAA186C7B4379F46@lapschlichter55" type="cite">

2. Is there a reason why one can not define an ObligationExpression with a FulfillOn=”Indeterminate” value?

Maybe someone from the XACML 1.0 era here could respond better, but it seems a bit weird to put enforcement actions in an error, meaning that we don't even know whether a policy applied or not. I don't have done a formal analysis of a the matter though.

ABD756A3EE1A4144BAA186C7B4379F46@lapschlichter55" type="cite">

3. Why do VariableDefinitions have to be bound to a <Policy> element and not to e.g. the root <PolicySet> element?

Again, others would know better, but I guess this was simply a design choice. I guess since conditions can appear only in rules, the need for variable definitions was most urgent in a Policy. Of course, now AttributeAssignmentExpression changes that.

Best regards,
Erik

ABD756A3EE1A4144BAA186C7B4379F46@lapschlichter55" type="cite">

Best Regards
Jan

--

Jan Herrmann

Dipl.-Inform., Dipl.-Geogr.

Scientific Assistant

Chair for Applied Informatics / Cooperative Systems

Technische Universität München

Boltzmannstr. 3

85748 Garching

Germany

T: +49 89 289 18692

F: +49 89 289 18657

W: www11.in.tum.de