
Subject: [xacml] Proposed resolution to MI-1-03: Definition and purpose of Target

Based on the March 2002 Face-to-Face, I believe this issue, which
has no champion, is ready to be closed.

Resolution: a <target> element consists of three predicates over
elements in a SAML access decision request: one over Subject, one
over Resource, and one over Action.  Any of these predicates may
be universal in that they may result in "true" for "anySubject",
"anyResource", or "anyAction".

The <target> element in a <rule>, <policyStatement>, or
<policyCombinationStatement> has two purposes.  First, it allows
<rule>s, <policyStatement>s, and <policyCombinationStatement>s to
be indexed based on their applicable subject, resource, and/or
action.  Second, it allows a PDP to quickly and efficiently
reduce the set of <rule>s, <policyStatement>s, and
<policyCombinationStatement>s that must be evaluated in response
to a given access decision request.

These intended purposes place three restrictions on what can be
included in a <target>.  First, the predicates in a <target> must
be very efficient to evaluate.  Second, each predicate in a
<target> must refer to only one of <subject>, <resource>, and
<action> (for indexing purposes).  Third, each predicate in a
<target> must refer only to attributes that will always be
present in a SAML access decision request, since a <target> must
not return a result of "indeterminate".

In a <rule>, the <target> element is logically part of the
<condition> element.  Were indexing and efficiency not a concern,
the tests in the <target> could be incorporated into the
<condition>.  The <target> element serves as the "first pass"
test for whether the rule applies:

    if (<target> == true) {
        if (<condition> == true) {
            return <effect>;
        }
    }
    return <not applicable>;

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
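As an added illustration, not part of the post above or of any XACML specification text, the following Python model shows the two-pass evaluation the pseudocode sketches and the three restrictions the post places on a <target>: each target predicate is a cheap exact match over exactly one of subject, resource or action, it reads only attributes assumed to be always present (hypothetically "subject-id", "resource-id" and "action-id"), so it can never be Indeterminate, and the PDP uses those predicates to index rules and evaluate only the candidates. A <condition>, by contrast, may reference any attribute and therefore can yield Indeterminate. Rule ids, attribute names and the sample requests are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Optional

# Attributes assumed (hypothetically) to be present in every access decision
# request; a <target> predicate may refer only to these.
ALWAYS_PRESENT = {"subject": "subject-id", "resource": "resource-id", "action": "action-id"}
ANY = "*"  # the universal predicate: anySubject / anyResource / anyAction


@dataclass(frozen=True)
class Target:
    """Three predicates, one each over subject, resource and action.
    Each is an exact match on the always-present id attribute, or ANY."""
    subject: str = ANY
    resource: str = ANY
    action: str = ANY

    def key(self):
        return (self.subject, self.resource, self.action)

    def matches(self, request: dict) -> bool:
        # Cannot be Indeterminate: only always-present attributes are read.
        for part, wanted in zip(("subject", "resource", "action"), self.key()):
            if wanted != ANY and request[part][ALWAYS_PRESENT[part]] != wanted:
                return False
        return True


@dataclass
class Rule:
    rule_id: str
    target: Target
    effect: str  # "Permit" or "Deny"
    # Optional <condition>: any predicate over the request. It may touch
    # attributes that are not always present, so it can be Indeterminate.
    condition: Optional[Callable[[dict], bool]] = None

    def evaluate(self, request: dict) -> str:
        if not self.target.matches(request):      # first pass: <target>
            return "NotApplicable"
        if self.condition is None:
            return self.effect
        try:                                       # second pass: <condition>
            return self.effect if self.condition(request) else "NotApplicable"
        except KeyError:                           # referenced attribute missing
            return "Indeterminate"


class PolicyDecisionPoint:
    """Indexes rules by <target> so only candidate rules are evaluated."""

    def __init__(self, rules):
        self.index = {}
        for rule in rules:
            self.index.setdefault(rule.target.key(), []).append(rule)

    def candidates(self, request: dict):
        # A rule can only apply if each of its three predicates is either the
        # request's own value or ANY, so at most 2**3 index keys need a lookup.
        values = [request[part][ALWAYS_PRESENT[part]] for part in ("subject", "resource", "action")]
        found = []
        for key in product(*[(v, ANY) for v in values]):
            found.extend(self.index.get(key, []))
        return found

    def evaluate(self, request: dict) -> dict:
        """Result per candidate rule; rules the index rejected are never evaluated."""
        return {r.rule_id: r.evaluate(request) for r in self.candidates(request)}


# Constructed sample policy and requests (hypothetical values).
RULES = [
    Rule("r1", Target(subject="alice", resource="doc1", action="read"), "Permit"),
    Rule("r2", Target(resource="doc1"), "Deny", lambda req: req["subject"]["clearance"] < 3),
    Rule("r3", Target(action="write"), "Deny"),
    Rule("r4", Target(subject="bob"), "Permit"),
]
PDP = PolicyDecisionPoint(RULES)


def request(subject, resource, action, **subject_attrs) -> dict:
    return {
        "subject": {"subject-id": subject, **subject_attrs},
        "resource": {"resource-id": resource},
        "action": {"action-id": action},
    }


REQ_A = request("alice", "doc1", "read", clearance=2)
REQ_B = request("alice", "doc1", "read")   # no clearance attribute: r2's condition is Indeterminate
REQ_C = request("bob", "doc2", "write")

if __name__ == "__main__":
    for name, req in (("A", REQ_A), ("B", REQ_B), ("C", REQ_C)):
        print(name, len(PDP.candidates(req)), "of", len(RULES), "rules evaluated:", PDP.evaluate(req))
```

The model deliberately leaves out rule combining, which the post does not discuss; it returns the per-rule result so that the effect of the index (how many of the four rules are even looked at) and the difference between a target miss (NotApplicable) and a condition on a missing attribute (Indeterminate) are both visible.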
