Hello All,
Generally agree with what's been said.
Further clarification may come from section 2.6:

"2.6 Multi-valued attributes

The most common techniques for communicating attributes (LDAP, XPath, SAML, etc.) support multiple values per attribute. Therefore, when an XACML PDP retrieves the value of a named attribute, the result may contain multiple values. A collection of such values is called a bag. A bag differs from a set in that it may contain duplicate values, whereas a set may not. Sometimes this situation represents an error. Sometimes the XACML rule is satisfied if any one of the attribute values meets the criteria expressed in the rule. XACML provides a set of functions that allow a policy writer to be absolutely clear about how the PDP should handle the case of multiple attribute values. These are the "higher-order" functions (see Section A.3)."
So, effectively, the function definitions implicitly define the capabilities.
Note: from my experience on the TC, a lot of time and care has been given to the definitions of functionality in the spec, and as a result the definitions should be taken quite literally from a logical perspective. In addition, implementation efforts have tested this logic, and when inconsistencies have occurred, they have been raised as issues and corrected.
Thanks,
Rich
On 8/22/2015 5:16 PM, Cyril DANGERVILLE wrote:
Hello,
thanks Steven for your answer.
For the record, I also noticed an XACML 2.0 conformance test that confirms your answer to the second point, with an example. I assume the same holds true for XACML 3.0. This is test #24 in section A of section G on the XACML 2.0 conformance tests page [1]. Indeed, in the associated test request [2], the subject-id <Attribute> occurs twice:
...
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Julius Hibbert</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Zaphod Beedlebrox</AttributeValue>
</Attribute>
...
</Subject>
...
In the test policy [3], the description of the rule 'urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA024:rule3' reads (content omitted):
[...] (ERROR in passing multi-valued bag to one-and-only function) INDETERMINATE
The Apply with the one-and-only function that the description refers to:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
So the conformance test is expecting an error because of a bag with too many values (two in this case) for the subject-id.

There might be other examples of such things in the conformance tests. I have not checked thoroughly, far from it.
Regards,
Cyril
--
Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
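As an added example (not code from the thread, the XACML spec, the TC, or the conformance tests), here is a small Python model of the bag semantics the two messages discuss: a designator that collects every matching value into a bag, string-one-and-only raising an error on a two-valued bag so the Rule evaluates to Indeterminate, and the higher-order any-of function succeeding on the same bag. It also covers the MustBePresent="true" case on an empty bag. The function and helper names (make_request, designator_bag, evaluate_rule, and so on) are illustrative, not the names of any real PDP API; the request namespace urn:oasis:names:tc:xacml:2.0:context:schema:os is assumed because the quoted snippet omits it, and the sample request is constructed to mirror the two-subject-id shape of the test request rather than copied from it.

```python
"""Toy model of XACML bag semantics: string-one-and-only versus the
higher-order any-of function, driven by a two-valued subject-id bag.
Added example; not code from the XACML spec, the TC, or the conformance tests."""
import xml.etree.ElementTree as ET

# Assumption: XACML 2.0 request/context namespace (the thread's snippet omits it).
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


class Indeterminate(Exception):
    """A function error; the enclosing Rule evaluates to Indeterminate."""


def make_request(*subject_ids):
    """Build a constructed request with one subject-id <Attribute> per value,
    mirroring the shape of the conformance test request (not copied from it)."""
    attrs = "".join(
        f'<Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}">'
        f"<AttributeValue>{sid}</AttributeValue></Attribute>"
        for sid in subject_ids
    )
    return f'<Request xmlns="{CTX_NS}"><Subject>{attrs}</Subject></Request>'


def designator_bag(request_xml, attribute_id, data_type, must_be_present=False):
    """Model a SubjectAttributeDesignator: gather every matching value into a bag.
    The bag is a list, so duplicates survive (a bag is not a set)."""
    root = ET.fromstring(request_xml)
    bag = []
    for attr in root.iter(f"{{{CTX_NS}}}Attribute"):
        if attr.get("AttributeId") == attribute_id and attr.get("DataType") == data_type:
            bag.extend(v.text or "" for v in attr.findall(f"{{{CTX_NS}}}AttributeValue"))
    if must_be_present and not bag:
        raise Indeterminate("MustBePresent=true but no value was found")
    return bag


def string_one_and_only(bag):
    """string-one-and-only: exactly one value in the bag, otherwise an error."""
    if len(bag) != 1:
        raise Indeterminate(f"string-one-and-only: bag has {len(bag)} values, expected exactly 1")
    return bag[0]


def string_equal(a, b):
    return a == b


def any_of(function, value, bag):
    """Higher-order any-of: true if function(value, x) holds for at least one x in the bag."""
    return any(function(value, x) for x in bag)


def evaluate_rule(condition, effect="Permit"):
    """Rule evaluation: True -> Effect, False -> NotApplicable, error -> Indeterminate."""
    try:
        return effect if condition() else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


def rule_one_and_only(request_xml, expected="Julius Hibbert"):
    """Condition: string-equal(string-one-and-only(subject-id bag), expected)."""
    return evaluate_rule(lambda: string_equal(
        string_one_and_only(
            designator_bag(request_xml, SUBJECT_ID, XS_STRING, must_be_present=True)),
        expected))


def rule_any_of(request_xml, expected="Julius Hibbert"):
    """Condition: any-of(string-equal, expected, subject-id bag)."""
    return evaluate_rule(lambda: any_of(
        string_equal, expected,
        designator_bag(request_xml, SUBJECT_ID, XS_STRING, must_be_present=True)))


if __name__ == "__main__":
    two = make_request("Julius Hibbert", "Zaphod Beedlebrox")
    print("one-and-only on a two-valued bag:", rule_one_and_only(two))  # Indeterminate
    print("any-of on the same bag:", rule_any_of(two))                  # Permit
```

The point of the model is that the policy writer, not the PDP, decides what a multi-valued bag means: wrapping the designator in string-one-and-only asserts that a second value is an error, while any-of says the rule is satisfied if any value matches. Running the same two-valued request through both conditions yields Indeterminate for the former and Permit for the latter, which is the behaviour the conformance test described above checks.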