Subject: Amendment to Resolution of MI-1-03, was: RE: [xacml] BATCH #2: E-mail vote to close issues...
> MI-1-03: Definition and purpose of Target (Anne)
> Proposed Resolution: a <target> element consists of three
> predicates over elements in a SAML access decision request: one
> over Subject, one over Resource, and one over Action. Any of
> these predicates may be universal in that they may result in
> "true" for "anySubject", "anyResource", or "anyAction".
> The <target> element in a <rule>, <policyStatement>, or
> <policyCombinationStatement> has two purposes. First, it allows
> <rule>s, <policyStatement>s, and <policyCombinationStatement>s to
> be indexed based on their applicable subject, resource, and/or
> action. Second, it allows a PDP to quickly and efficiently
> reduce the set of <rule>s, <policyStatement>s, and
> <policyCombinationStatement>s that must be evaluated in response
> to a given access decision request.
> These intended purposes place three restrictions on what can be
> included in a <target>. First, the predicates in a <target> must
> be very efficient to evaluate.
This is what I have a problem with:
> Second, each predicate in a
> <target> must refer to only one of <subject>, <resource>, and
> <action> (for indexing purposes).
I am not sure what this sentence means, but I see two possible interpretations, both of which conflict with what I thought we agreed to at the F2F and elsewhere.
Wrong meaning #1: A target resource (for example) must refer to exactly one actual resource. I see this in part from the refusal to accept my distinction between target mapping and target value.
Wrong meaning #2: A target must contain a choice of subject, resource or action. Certainly a combination of resource and action should be allowed. Although I think subject targeting is infeasible, I recognize that others do not. Given that, I don't see any reason why you can't have, for example, an RDBMS that treats subject+resource+action as a primary key.
Proposed wording:
Second, each target must contain at most one each of <subject>, <resource> and <action> mapping predicate, which in turn may match multiple actual runtime values.
Hal
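As an added illustration (not code from this thread or from the XACML specification) of the indexing and pruning purpose the quoted resolution gives a <target>, the sketch below indexes rules by one predicate and evaluates only the candidates, with mapping predicates that match many runtime values in the sense of Hal's proposed wording. The `Target`/`Rule` classes, the glob-style predicates and the sample rules are all constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase

ANY = "*"  # universal predicate: anySubject / anyResource / anyAction


@dataclass(frozen=True)
class Target:
    """The three predicates of a <target>, each over one request element.
    A glob is a constructed stand-in for a mapping predicate that can match
    multiple actual runtime values."""
    subject: str = ANY
    resource: str = ANY
    action: str = ANY

    def matches(self, subject, resource, action):
        return (fnmatchcase(subject, self.subject)
                and fnmatchcase(resource, self.resource)
                and fnmatchcase(action, self.action))


@dataclass(frozen=True)
class Rule:
    name: str
    target: Target
    effect: str  # "Permit" or "Deny"; the rule condition is omitted here


class TargetIndex:
    """Indexes rules by the action predicate alone (one request element, as
    the resolution asks) so a PDP evaluates only the candidate rules."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.by_action = defaultdict(list)
        for rule in self.rules:
            self.by_action[rule.target.action].append(rule)

    def candidates(self, action):
        # rules naming this action plus those with a universal anyAction predicate
        return self.by_action.get(action, []) + self.by_action.get(ANY, [])

    def applicable(self, subject, resource, action):
        """Names of candidate rules whose full <target> matches the request."""
        return [r.name for r in self.candidates(action)
                if r.target.matches(subject, resource, action)]


# Constructed sample policy: resource predicates cover many runtime values.
RULES = [
    Rule("read-reports", Target(resource="/reports/*", action="read"), "Permit"),
    Rule("alice-no-write", Target(subject="alice", action="write"), "Deny"),
    Rule("no-delete", Target(action="delete"), "Deny"),   # anySubject, anyResource
    Rule("hr-open", Target(resource="/hr/*"), "Permit"),  # anyAction
]
INDEX = TargetIndex(RULES)
```

For the request (bob, /reports/q3.pdf, read) the index yields 2 of the 4 rules as candidates and only `read-reports` is applicable.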