

Subject: [xacml-comment] XACML Context


Some thoughts on the XACML context.
 
1.  Would it be possible to restrict both the context and the policy to known attributes, these attributes being defined separately, so that the policy does not contain details of how to retrieve attributes?  The advantage of this approach is that it defines the attributes available to the policy writers and creates an abstraction layer between the policy and the source of the attributes.  If the location of the attribute changes, the policy does not; additionally, the policy looks a lot cleaner and does not require AttributeSelectors.  The main driver for this is to simplify the policies and make them easier to write.  Most organizations will define the attributes at the beginning and they will largely remain fixed, so separating attribute details from policy has major benefits.
 
2.  When mapping from SAML to XACML context we feel that the SAML attribute assertions should be converted to XACML attribute definitions.  One of the purposes of the context is to shield XACML from external formats, but that is not really achieved here and the attributes have to be accessed through AttributeSelectors.
Our thoughts on this were that it would be simpler if the context had an evidence element to contain additional attributes.
 
e.g.
 
<Request>
    <Subject>
    </Subject>
    <Resource>
    </Resource>
    <Action>
    </Action>
    <Evidence>
    </Evidence>
    <Environment>
    </Environment>
</Request>
 
Non-subject SAML attributes are placed in the Evidence section and can then be accessed via AttributeDesignators.  It may be appropriate to add attributes retrieved by the PIP to this section as well, so that the policy always addresses the context to obtain attribute values.
 
John Howard
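An added illustration of the proposal above, written for this archive page rather than taken from the post or from the XACML specification: constructed SAML attributes are mapped into a hypothetical Request context that carries the proposed Evidence section, and a designator-style lookup then reads values by section and AttributeId. The element and attribute names (AttributeName, AttributeId, resource-id, action-id) and the set of subject attribute names are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed SAML attribute statement; names and values are made up for this example.
SAML_ATTRIBUTES = """
<AttributeStatement>
  <Attribute AttributeName="role"><AttributeValue>clerk</AttributeValue></Attribute>
  <Attribute AttributeName="clearance"><AttributeValue>internal</AttributeValue></Attribute>
</AttributeStatement>
"""

# Sections of the proposed context, in document order (Evidence is the proposed addition).
SECTIONS = ("Subject", "Resource", "Action", "Evidence", "Environment")

# Assumption: the deployment decides up front which SAML attributes describe the subject;
# everything else is treated as non-subject evidence, as the post suggests.
SUBJECT_ATTRIBUTE_NAMES = {"role", "department"}


def add_attribute(section, attribute_id, value):
    """Append one <Attribute AttributeId=...><AttributeValue>...</AttributeValue></Attribute>."""
    attr = ET.SubElement(section, "Attribute", AttributeId=attribute_id)
    ET.SubElement(attr, "AttributeValue").text = value


def saml_to_context(saml_xml, resource_id, action_id):
    """Build the proposed Request context from a SAML attribute statement.

    Subject attributes go to <Subject>; all other SAML attributes go to <Evidence>,
    so the policy never needs an AttributeSelector to reach them."""
    statement = ET.fromstring(saml_xml)
    request = ET.Element("Request")
    sections = {name: ET.SubElement(request, name) for name in SECTIONS}
    for attr in statement.findall("Attribute"):
        name = attr.get("AttributeName")
        target = sections["Subject"] if name in SUBJECT_ATTRIBUTE_NAMES else sections["Evidence"]
        for value in attr.findall("AttributeValue"):
            add_attribute(target, name, value.text)
    add_attribute(sections["Resource"], "resource-id", resource_id)
    add_attribute(sections["Action"], "action-id", action_id)
    return request


def designator(request, section, attribute_id):
    """Resolve an AttributeDesignator-style reference against the context.

    Returns every value of attribute_id found in the named section; an empty list
    means the attribute is absent, which a PDP would treat as missing, not as a match."""
    return [v.text
            for a in request.find(section).findall("Attribute")
            if a.get("AttributeId") == attribute_id
            for v in a.findall("AttributeValue")]
```

The lookup is scoped to a section, so a value present only under Evidence is not found when the policy asks for it under Subject.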

