
xacml-dev message



Subject: RE: [xacml-dev] Improvements and Additions in XACML 3.0


One of the useful features of the multi-decision capability is the ability to hold some attribute values constant while varying other attribute values. For example, suppose you want to display a menu which contains only the things the current user is allowed to do. You could make a multi-decision request containing constant Subject and Environment Attributes while specifying a number of distinct Resource and Action values which correspond to each menu item. The same pattern can be used for any kind of collection, for example whether a bunch of different users can access the same file, whether a user can do the same thing at different times of day or from different locations, etc. 

As Erik Rissanen pointed out, not only does the multi-decision cut down on the number and size of requests, but a clever PDP can optimize a single multi-decision more effectively than a series of single decisions by reusing partial results, caching attribute values, etc.

Hal 

> -----Original Message-----
> From: Ludwig Seitz [mailto:ludwig@sics.se]
> Sent: Wednesday, August 21, 2013 4:32 AM
> To: Junaid Sarfraz
> Cc: xacml-dev@lists.oasis-open.org
> Subject: Re: [xacml-dev] Improvements and Additions in XACML 3.0
> 
> On Wed, 2013-08-21 at 01:10 -0700, Junaid Sarfraz wrote:
> > Dear xacml-dev,
> >
> >
> > 1- Can you please tell me about what improvements are made in
> > following functions...
> >
> >
> > urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal
> > urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal
> > urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration
> 
> 
> The datatypes changed from
> "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration"
> 
> to
> 
> "http://www.w3.org/2001/XMLSchema#dayTimeDuration"
> 
> as W3C renamed the identifiers. That's why the function definitions had
> to change.
> 
> >
> > 2- And also give me good example of multiple decision profile in
> > (Request Context).
> 
> Simple example: A subject Alice asks for read and write permissions on
> a file R. The multiple decision request according to section 2.3 of the
> profile would be (simplified identifiers):
> 
> 
> 
> <Request>
>   <Attributes Category="access-subject">
>     <Attribute AttributeId="subject-id">
>        <AttributeValue DataType="string">Alice</AttributeValue>
>     </Attribute>
>   </Attributes>
>   <Attributes Category="resource">
>      <Attribute AttributeId="resource-id">
>         <AttributeValue DataType="string">R</AttributeValue>
>      </Attribute>
>   </Attributes>
>   <Attributes Category="action">
>      <Attribute AttributeId="action-id">
>         <AttributeValue DataType="string">read</AttributeValue>
>      </Attribute>
>   </Attributes>
>   <Attributes Category="action">
>      <Attribute AttributeId="action-id">
>         <AttributeValue DataType="string">write</AttributeValue>
>      </Attribute>
>   </Attributes>
> </Request>
> 
> 
> Hope it helps,
> 
> 
> Ludwig Seitz
> 
> --
> Ludwig Seitz, PhD
> SICS Swedish ICT AB
> Ideon Science Park
> Building Beta 2
> Scheelevägen 17
> SE-223 70 Lund
> 
> Phone +46(0)70-349 92 51
> http://www.sics.se
> 
> 
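
Added example, not part of the original messages or of the profile text: Python code showing how a request with repeated categories, like the one quoted above, breaks down into individual decision requests, one per combination of the repeated <Attributes> elements. It assumes the simplified, un-namespaced identifiers used in the message; `expand_request` and the `max_decisions` guard are hypothetical names introduced here.

```python
import itertools
import math
import xml.etree.ElementTree as ET

# Constructed sample: the request quoted above (simplified identifiers, no
# XACML namespace). Subject and resource are held constant; action varies.
SAMPLE_REQUEST = """
<Request>
  <Attributes Category="access-subject"><Attribute AttributeId="subject-id">
    <AttributeValue DataType="string">Alice</AttributeValue></Attribute></Attributes>
  <Attributes Category="resource"><Attribute AttributeId="resource-id">
    <AttributeValue DataType="string">R</AttributeValue></Attribute></Attributes>
  <Attributes Category="action"><Attribute AttributeId="action-id">
    <AttributeValue DataType="string">read</AttributeValue></Attribute></Attributes>
  <Attributes Category="action"><Attribute AttributeId="action-id">
    <AttributeValue DataType="string">write</AttributeValue></Attribute></Attributes>
</Request>
"""


def expand_request(xml_text, max_decisions=100):
    """Return the individual decision requests implied by repeated categories.

    Each result maps Category -> {AttributeId: value} (first value only).
    max_decisions is a hypothetical guard: the number of individual requests
    is the product of the per-category counts, so it grows multiplicatively
    with every category that is repeated.
    """
    root = ET.fromstring(xml_text.strip())
    by_category = {}
    for attrs in root.findall("Attributes"):
        values = {a.get("AttributeId"): (a.findtext("AttributeValue") or "").strip()
                  for a in attrs.findall("Attribute")}
        by_category.setdefault(attrs.get("Category"), []).append(values)
    total = math.prod(len(group) for group in by_category.values())
    if total > max_decisions:
        raise ValueError(f"{total} individual requests exceeds {max_decisions}")
    categories = list(by_category)
    combos = itertools.product(*(by_category[c] for c in categories))
    return [dict(zip(categories, combo)) for combo in combos]


if __name__ == "__main__":
    for request in expand_request(SAMPLE_REQUEST):
        print(request["access-subject"], request["resource"], request["action"])
```

For the menu case described at the top of this message, each menu item contributes one more `action` (or `resource`) element, and the subject and environment elements appear once.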

