OASIS Mailing List Archives
xacml message
Subject: RE: Policy Template Profile Examples


Steven,

You are absolutely correct. This target specification contributes to the "policy by reference" profile (https://wiki.oasis-open.org/xacml/Policy%20Reference%20Profile), which is orthogonal to the current discussion on policy templates. I will remove this from any further example to avoid confusion and allow us to concentrate on one topic at a time.

Jean-Paul

-----Original Message-----
From: Steven Legg [mailto:steven.legg@viewds.com] 
Sent: Thursday, October 11, 2012 05:35
To: Jean-Paul Buu-Sao
Cc: XACML-TC-mailinglist
Subject: Policy Template Profile Examples


Jean-Paul,

What purpose does the target in the policy in section 1 of the Policy Template Profile Examples serve?

   <Target>
     <AnyOf>
       <AllOf>
         <Match
          MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
           <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">urn:curtiss:ba:taa:taa-1.1</AttributeValue>
           <AttributeDesignator
            MustBePresent="true"
            Category="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
         </Match>
       </AllOf>
     </AnyOf>
   </Target>

It is testing whether the policy-id XACML attribute is equal to the PolicyId XML attribute of the containing policy.

In order for this policy to be considered in the evaluation of an authorization request, the authorization request would have to include "urn:curtiss:ba:taa:taa-1.1" as a value of this policy-id XACML attribute. Or in other words, the PEP has to predict which policies are going to be evaluated to satisfy its authorization request before it makes its request (it pretty much has to work out the answer before it asks the question!). That's daft, so I've disregarded the targets as a mistake. However, their continued presence may be contributing to the confusion around the Policy Template Profile. I believe this target, and every other target in the examples, should be wiped clean and the PolicyIdOnResource parameter removed. Do you agree?

Regards,
Steven
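As an added illustration of the point Steven makes above (this is editor-supplied example code, not part of the thread and not XACML TC or any PDP vendor's code), the following toy evaluator applies the quoted `<Target>` to three constructed requests. It implements only the `string-equal` Match function and the AnyOf/AllOf/Target combination rules from XACML 3.0; the request is modelled as a plain dict keyed by `(Category, AttributeId)`, which is an assumption of this example rather than a real request encoding. Running it shows the three outcomes the target forces on a PEP: omit the policy-id attribute and `MustBePresent="true"` yields Indeterminate, send the wrong value and the policy is NotApplicable, and only a request that already names `urn:curtiss:ba:taa:taa-1.1` reaches the policy's rules at all.

```python
"""Toy XACML 3.0 target evaluator (editor-written example, not a conformant PDP).

Supports only the string-equal Match function and the Target/AnyOf/AllOf
combination rules; enough to show what the <Target> in the thread tests.
"""
import xml.etree.ElementTree as ET

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
# The policy-id attribute used by the target; Category and AttributeId are
# the same URN in the quoted example.
POLICY_ID_KEY = ("urn:oasis:names:tc:xacml:1.0:resource:policy-id",
                 "urn:oasis:names:tc:xacml:1.0:resource:policy-id")

MATCH, NO_MATCH, INDETERMINATE = "Match", "NoMatch", "Indeterminate"

# The <Target> from the thread, reproduced here as the sample input.
TARGET_XML = """<Target>
  <AnyOf>
    <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:curtiss:ba:taa:taa-1.1</AttributeValue>
        <AttributeDesignator MustBePresent="true"
          Category="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Match>
    </AllOf>
  </AnyOf>
</Target>"""


def evaluate_match(match, request):
    """Evaluate one <Match>: apply the function to the literal and each
    value in the bag selected by the AttributeDesignator."""
    if match.get("MatchId") != STRING_EQUAL:
        return INDETERMINATE  # this toy only knows string-equal
    literal = match.find("AttributeValue").text
    designator = match.find("AttributeDesignator")
    key = (designator.get("Category"), designator.get("AttributeId"))
    bag = request.get(key, [])
    if not bag:
        # MustBePresent="true" turns a missing attribute into Indeterminate;
        # otherwise an empty bag simply never satisfies the function.
        if designator.get("MustBePresent") == "true":
            return INDETERMINATE
        return NO_MATCH
    return MATCH if any(v == literal for v in bag) else NO_MATCH


def combine(results, all_required):
    """AllOf (all_required=True) is a conjunction, AnyOf a disjunction,
    with Indeterminate propagating when the outcome cannot be decided."""
    if all_required:
        if all(r == MATCH for r in results):
            return MATCH
        if any(r == NO_MATCH for r in results):
            return NO_MATCH
        return INDETERMINATE
    if any(r == MATCH for r in results):
        return MATCH
    if all(r == NO_MATCH for r in results):
        return NO_MATCH
    return INDETERMINATE


def evaluate_target(target_xml, request):
    """Target result: conjunction of its AnyOf children (empty target = Match)."""
    target = ET.fromstring(target_xml)
    anyof_results = []
    for anyof in target.findall("AnyOf"):
        allof_results = [
            combine([evaluate_match(m, request) for m in allof.findall("Match")], True)
            for allof in anyof.findall("AllOf")
        ]
        anyof_results.append(combine(allof_results, False))
    return combine(anyof_results, True) if anyof_results else MATCH


def policy_decision(request):
    """What the policy containing TARGET_XML does with a request: only a
    Match lets evaluation proceed to the rules; NoMatch is NotApplicable."""
    result = evaluate_target(TARGET_XML, request)
    return {MATCH: "evaluate rules", NO_MATCH: "NotApplicable"}.get(result, "Indeterminate")


if __name__ == "__main__":
    # Constructed requests: one without the policy-id attribute, one with the
    # wrong value, one that already names the policy it wants evaluated.
    for label, req in [("no policy-id", {}),
                       ("other policy-id", {POLICY_ID_KEY: ["urn:example:other"]}),
                       ("matching policy-id", {POLICY_ID_KEY: ["urn:curtiss:ba:taa:taa-1.1"]})]:
        print(f"{label:>20}: {policy_decision(req)}")
```

The middle case is the one worth noticing from a policy-hygiene standpoint: a PEP that does not know about this target gets Indeterminate or NotApplicable, so the policy silently drops out of the decision rather than failing loudly, which is why a target keyed on the policy's own identifier is easy to overlook during review.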

