
Subject: Amendment to Resolution of MI-1-03, was: RE: [xacml] BATCH #2: E-mail vote to close issues...

> MI-1-03: Definition and purpose of Target (Anne)
> Proposed Resolution: a <target> element consists of three
> predicates over elements in a SAML access decision request: one
> over Subject, one over Resource, and one over Action.  Any of
> these predicates may be universal in that they may result in
> "true" for "anySubject", "anyResource", or "anyAction".
> The <target> element in a <rule>, <policyStatement>, or
> <policyCombinationStatement> has two purposes.  First, it allows
> <rule>s, <policyStatement>s, and <policyCombinationStatement>s to
> be indexed based on their applicable subject, resource, and/or
> action.  Second, it allows a PDP to quickly and efficiently
> reduce the set of <rule>s, <policyStatement>s, and
> <policyCombinationStatement>s that must be evaluated in response
> to a given access decision request.
> These intended purposes place three restrictions on what can be
> included in a <target>.  First, the predicates in a <target> must
> be very efficient to evaluate. 

This is what I have a problem with:

> Second, each predicate in a
> <target> must refer to only one of <subject>, <resource>, and
> <action> (for indexing purposes).

I am not sure what this sentence means, but I see two possible interpretations, both of which conflict with what I thought we agreed to at the F2F and elsewhere.

Wrong meaning #1: A target resource (for example) must refer to exactly one actual resource. I see this in part from the refusal to accept my distinction between target mapping and target value.

Wrong meaning #2: A target must contain a choice of subject, resource or action. Certainly a combination of resource and action should be allowed. Although I think subject targeting is infeasible, I recognize that others do not. Given that, I don't see any reason why you can't have, for example, an RDBMS that treats subject+resource+action as a primary key.

Proposed wording:

Second, each target must contain at most one each of <subject>, <resource> and <action> mapping predicate, which in turn may match multiple actual runtime values.
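As an added illustration (not code from this thread or from the XACML specification), the following Python model captures the proposed reading: a target carries at most one mapping predicate each over subject, resource and action, any of which may be universal, each predicate may match many actual runtime values, and the PDP uses targets only to cut down the rule set before full evaluation. All rule names, predicates and resource paths are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List

# A predicate maps one runtime attribute value to True/False.
Predicate = Callable[[str], bool]

def any_value(_: str) -> bool:
    """Universal predicate: anySubject / anyResource / anyAction."""
    return True

def one_of(*values: str) -> Predicate:
    """Mapping predicate that matches several actual runtime values."""
    allowed = frozenset(values)
    return lambda v: v in allowed

def prefix(p: str) -> Predicate:
    """Mapping predicate over a resource hierarchy (e.g. a path prefix)."""
    return lambda v: v.startswith(p)

@dataclass
class Target:
    """At most one predicate per category; an omitted one is universal."""
    subject: Predicate = any_value
    resource: Predicate = any_value
    action: Predicate = any_value

    def matches(self, subject: str, resource: str, action: str) -> bool:
        # The target is the conjunction of its three predicates.
        return (self.subject(subject) and self.resource(resource)
                and self.action(action))

@dataclass
class Rule:
    name: str
    target: Target

def applicable_rules(rules: List[Rule], subject: str, resource: str,
                     action: str) -> List[str]:
    """PDP pre-filter: keep only rules whose target matches the request."""
    return [r.name for r in rules
            if r.target.matches(subject, resource, action)]

# Constructed sample rule set (hypothetical names and paths).
RULES = [
    Rule("read-public", Target(resource=prefix("/public/"), action=one_of("read"))),
    Rule("admin-all", Target(subject=one_of("alice", "bob"))),
    Rule("write-docs", Target(resource=prefix("/docs/"),
                              action=one_of("write", "delete"))),
]
```

Only the rules returned by `applicable_rules` would go on to full condition evaluation; the target check itself stays cheap because each category is a single predicate and universal predicates short-circuit to true.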
