Re: [xacml-dev] RE: [sunxacml-discuss] RE: Use of Xquery with XACML

["Muhammad Masoom Alam" <Muhammad.alam@uibk.ac.at>]

Ok i agreed what u r saying

can u plz have a look on the following rule case :


suppose i have a rule "

A Physician is allowed to check the record of Patient X , if an only if he 
is the Primary care physician of patient X

now Xpath would b


/Physician/PhyID = PhysicianID  // I also wanted to check whether he is a 
valid physician or not.
        AND
/Physician/patients/patID = patientID of patient X   // for the checking 
whether Physician is the primary care physician of the Patient X or not.


This kind of Xpath is not correct as the 2nd condition can be true for any 
Physician who is taking care of the Patient X in addition to Primary care 
Physician
can we introduce some context information like this
Note: where subjectID is the ID of the caller.

"/Hosptial/Physician[phyID='subjectID']/patients/patID/text()"

Regards
Muhammad.

----- Original Message ----- 
From: "diego gonzalez" <diegog@lagash.com>
To: <xacml-dev@lists.oasis-open.org>
Cc: <sunxacml-discuss@lists.sourceforge.net>
Sent: Thursday, December 09, 2004 5:01 PM
Subject: RE: [xacml-dev] RE: [sunxacml-discuss] RE: Use of Xquery with XACML


Totally agree with this. In fact when Xpath is used within the Rules or
Conditions it's implemented as a function. I think there is some
overlaping between RequestContext and the xpath related function,
because both supports searching elements using Xpath, but I don't see
this very confusing. In fact it also allows more information by the time
of processing the policy and also is easy to create context bound xpath.

Regards,
DiegoG

-----Original Message-----
From: Daniel Engovatov [mailto:dengovatov@bea.com]
Sent: Wednesday, December 08, 2004 5:48 PM
To: Muhammad Masoom Alam; xacml-dev@lists.oasis-open.org
Cc: Seth Proctor; sunxacml-discuss@lists.sourceforge.net
Subject: [xacml-dev] RE: [sunxacml-discuss] RE: Use of Xquery with XACML


If you want to extend XACML functions to use XQuery, you will have to do
it yourself.  There is no direct mapping, as XQuery/XPath data model is
not directly compatible with XACML data model.  This is done on purpose
as XACML Data model is designed to accommodate a broader ranger of data
sources then XML.
If you write a custom function that does XQuery or XLST transformation
to return XACML attribute value to be used in a rule, you can pass the
actual query code as a string literal attribute.  You will also need to
address how do you provide prolog data and XQuery context, but this is
completely outside of XACML implementation.
Daniel;


-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at]
Sent: Wednesday, December 08, 2004 11:14 AM
To: Daniel Engovatov; xacml-dev@lists.oasis-open.org
Cc: Seth Proctor; sunxacml-discuss@lists.sourceforge.net
Subject: Re: [sunxacml-discuss] RE: Use of Xquery with XACML

Dear ,

and if the authorization system(PDP)  itself wants to use Xquery to make
a decision for a resource (XML data / or any resource) , where this
Xquery is going to be stored, how Authorization System is going to
reference this Xquery as currently there is no support for Xquery and
very limited support for Xpath as well.

Regards
Muhammad.