Subject: Re: [xacml-comment] Comment on condition element

I'm sorry we did not respond to you earlier.  I hope this
answers your questions.


On 10 December, David Sutton writes: [xacml-comment] Comment on condition element
 > A rule may hold both a target and a condition, but
 > 631 The <Target> element may be absent from a <Rule>.  In this case, the
 > <Rule> inherits its target
 > 632  from the parent <Policy> element.
 > A policy may hold a target but is not permitted to hold a condition.
 > Why is a condition not permitted at the policy (or policy set) level?

A "policy" or "policy set" is simply a structure for aggregating
rules, along with information about how to resolve conflicts
between the results of the rules.

If you want a condition at the policy or policy set level,
include a rule.

 > If a policy target is intended to serve the function of a rule target in
 > the absence of a target in the rule then why can a policy level condition
 > not also be allowed?

There may be many rules that apply to the same target, so we
allowed a rule to inherit the policy target rather than having to
repeat the target in each rule.

 > An example where this would be useful is if policy objects are identified
 > with roles. In this context there is an over-arching policy-wide requirement
 > that the subject be a member of the associated role. This would probably
 > need to be described as a condition - and most conveniently as a policy
 > level condition. However this is not possible in the current specification.

You could make the role requirement part of the target of the

Anne Anderson
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
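As an added illustration (not part of the thread above), this is what the arrangement Anne describes looks like in XACML 1.0 syntax: the policy-wide role requirement is expressed in the <Policy> target, and the further check that cannot be written as a target match (comparing two attributes) goes in a <Condition> inside a <Rule> that has no <Target> of its own and therefore inherits the policy's. The role attribute identifier, the resource "owner" attribute and the identifier values are assumptions; the namespace, function and standard attribute identifiers follow XACML 1.0.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original message. Namespace, functions and
     subject-id follow XACML 1.0; urn:example:* identifiers are assumed. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="urn:example:policy:auditor-role"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <!-- Policy-wide requirement: the subject must hold the "auditor" role.
       Placed in the policy <Target>, it is inherited by every rule that omits its own. -->
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">auditor</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:example:attr:role"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <!-- No <Target> on this rule, so it applies exactly where the policy applies.
       A target match compares an attribute with a literal only; comparing the
       requesting subject with the resource owner needs a <Condition>, and a
       condition lives in a rule, which is where a "policy-level condition" goes. -->
  <Rule RuleId="urn:example:rule:owner-only" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <ResourceAttributeDesignator AttributeId="urn:example:attr:owner"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- A request from a subject without the auditor role does not match the policy
       target, so the policy (and this rule) is NotApplicable; an auditor who is not
       the owner fails the condition and is likewise not permitted. -->
</Policy>
```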
