

Subject: Re: [xacml] Updated policy template wiki



Hi Danny,

On 21/09/2012 4:25 AM, Danny Thorpe wrote:
> I’ve updated the policy template wiki (https://wiki.oasis-open.org/xacml/Policy%20Template%20Profile) with
> text about required Match expression rewriting in parameter substitution and optional use of
> AttributeDesignators and AttributeSelectors in Parameter data in dynamic policy template reduction
> implementations.

With regard to the Match expression rewriting, the Match element is already,
of necessity, a child of an AllOf element that is a child of an AnyOf element.
In the general case there may be other Match element children of the AllOf
element and other AllOf children of the AnyOf element. It seems to me that
the rewriting rule should be to create a duplicate of the AllOf element (with
all of its Match children) for each parameter value, substituting the parameter
in the particular Match element being expanded with the corresponding parameter
value. The resulting AllOf elements would replace the original AllOf element
that contains the Match element with the parameter being expanded. Apart from
having its list of AllOf children expanded, the AnyOf element would be
unchanged.

If an AllOf element contained multiple child Match elements with parameters,
then the effect would be to take the cross-product of the sets of parameter
values.

This assumes that the desired effect is a disjunction of the parameter values.
If a conjunction is desired, then the Match element would be duplicated
within the single AllOf element that contains it, with each duplicate taking
a different parameter value. The AllOf element and its parent AnyOf element
would otherwise be unchanged.

Incidentally, I find the terminology section confusing. Policy template instance
and policy template data seem to be the same thing and are used interchangeably.

Regards,
Steven


> -Danny
>
> *Danny Thorpe*
>
> Product Architect | *Quest Software* - /Now including the people and products of BiTKOO/ | www.quest.com <http://www.quest.com>
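
The two rewriting rules described in the reply above, as an added example that is not part of the original message or of the Policy Template Profile. The `$name` placeholder notation, the function names and the sample policy fragment are assumptions made for illustration; namespaces, MatchId and designators are omitted, and rejecting an empty parameter value list is a safeguard added here.

```python
import copy
import itertools
import xml.etree.ElementTree as ET

# Constructed sample. "$name" is a hypothetical placeholder notation, not the
# profile's parameter syntax; namespaces, MatchId and designators are omitted.
SAMPLE = """<AnyOf><AllOf>
  <Match><AttributeValue>$role</AttributeValue></Match>
  <Match><AttributeValue>$dept</AttributeValue></Match>
  <Match><AttributeValue>read</AttributeValue></Match>
</AllOf><AllOf><Match><AttributeValue>admin</AttributeValue></Match></AllOf>
</AnyOf>"""

def _param(match, params):
    """Parameter name this Match refers to, or None for a literal value."""
    text = (match.findtext("AttributeValue") or "").strip()
    if not text.startswith("$") or text[1:] not in params:
        return None
    if not params[text[1:]]:  # empty list would drop the AllOf or widen it
        raise ValueError(f"parameter {text[1:]!r} has no values")
    return text[1:]

def _copy(match, value=None):
    """Deep copy of a Match, with its value replaced when one is given."""
    dup = copy.deepcopy(match)
    if value is not None:
        dup.find("AttributeValue").text = value
    return dup

def expand_disjunction(any_of, params):
    """One AllOf copy per combination of values (cross-product)."""
    out = ET.Element("AnyOf")
    for all_of in any_of.findall("AllOf"):
        matches = [(m, _param(m, params)) for m in all_of.findall("Match")]
        names = list(dict.fromkeys(n for _, n in matches if n))
        for combo in itertools.product(*(params[n] for n in names)):
            values = dict(zip(names, combo))
            new = ET.SubElement(out, "AllOf")
            new.extend([_copy(m, values.get(n)) for m, n in matches])
    return out

def expand_conjunction(any_of, params):
    """One Match copy per value, all inside the original AllOf."""
    out = ET.Element("AnyOf")
    for all_of in any_of.findall("AllOf"):
        new = ET.SubElement(out, "AllOf")
        for m in all_of.findall("Match"):
            n = _param(m, params)
            new.extend([_copy(m, v) for v in (params[n] if n else [None])])
    return out
```

With two values each for `role` and `dept`, the disjunctive form turns the first AllOf into four AllOf elements, while the conjunctive form keeps one AllOf holding five Match elements; the unparameterised `admin` AllOf is copied unchanged in both.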



