
xacml-comment message



Subject: About XACML Administrative policy draft


Dear XACML Committee,
  
I have some questions on XACML administrative policy to clarify.

1. The <Delegates> element is added to <Target>, so <PolicySet>, <Policy> and <Rule> could include it. <IndirectDelegatesCondition> mostly appears in the <Condition> of a <Rule>. I think there exists an implicit relation between <Delegates> and <IndirectDelegatesCondition>. If there is no <Delegates> in a policy, there shouldn't be an <IndirectDelegatesCondition> in the <Rule>. The reason is that <IndirectDelegate> must not be present if the <Delegates> element is not present in the context. Another problem is how we express any delegate. According to normal XACML logic, not present means any, like subject or resource. But in this situation, we couldn't construct a request including only an indirect delegate without a delegate. I remember someone (sorry, I forgot his/her name) suggested using <Delegates> <AnyDelegate> </Delegates> to express any delegate in the target. I think it may solve it.

2. I can't imagine how to use <IndirectDelegatesCondition> except in <Condition>. If <IndirectDelegatesCondition> can be used outside the <Condition> of a rule, please give me a simple example and explain it. Thanks.
  

Best Regards

Li XiaoFeng

Email:xiaofeng03 (at) iscas (dot) cn   lxf (at) is (dot) iscas (dot) ac (dot) cn
Department:LOIS,Institute of Software Chinese Academy of Sciences
Address:4# South Fourth Street, Zhong Guan Cun, Beijing,P.R. CHINA

2006-07-25 

