Subject: [xacml] predicates and predicate expr within context

Predicates and predicate expressions with context.
The only issue we have to clarify is the use of attributes and attribute designators in predicates and predicate expressions. saml:Attribute will be replaced with xacml:Attribute. That's all that needs to be done for attributes.

Attribute designators require a little more work, because an attribute designator has to be explicit about where it is pointing to.

1) One way to do explicit pointing is to have distinct element declarations for subject-attribute-designator, resource-attribute-designator, and other-attribute-designator. Each of these designators will implicitly point to a different portion of the request context. Advantage: simplicity.

2) Another way to do pointing is to declare one attribute-designator element but include an additional '@kind' attribute in its type with values (subject|resource|other). It is also simple, but I think (1) is better xml.

3) Have a 'selector' element that will use an arbitrary xpath expression to point into the context.

My preference is to have both (1) (simplicity) and (3) (flexibility).
Here is a simplified version of the xacml attribute designator:

  <xs:complexType name="AttributeDesignatorType">                              (4)
    <xs:sequence>
      <xs:element ref="xacml:Holder" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="AttributeName" type="xs:string"/>
    <xs:attribute name="AttributeFamily" type="xs:string"/>
  </xs:complexType>

Schema for (1): Separate designator declarations

  <element name="SubjectAttributeDesignator" type="xacml:AttributeDesignatorType"/>
  <element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
  <element name="OtherAttributeDesignator" type="xacml:AttributeDesignatorType"/>

Use:

  <Rule Ruleid="urn:rule1">
    ....
    <Conditions>
      <greater>
        <SubjectAttributeDesignator AttributeName="RequestedMembershipLevel"
                                    AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
        <SubjectAttributeDesignator AttributeName="MembershipLevel"
                                    AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
      </greater>
    </Conditions>
  </Rule>

Schema for (2): @kind attribute in designator - (4) extended with 1 attr

  <complexType name="AttributeDesignatorType">
    ...
    <attribute name="kind" type="xacml:AttributeDesignatorKindType"/>
  </complexType>

Use:

  <Rule Ruleid="urn:rule1">
    ....
    <Conditions>
      <greater>
        <AttributeDesignator kind="subject" AttributeName="RequestedMembershipLevel"
                             AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
        <AttributeDesignator kind="subject" AttributeName="MembershipLevel"
                             AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
      </greater>
    </Conditions>
  </Rule>

Schema for (3): 'selector' with xpath

  <complexType name="AttributeSelector">
    <simpleContent>
      <extension base="xs:string"/>
    </simpleContent>
  </complexType>

Use:

  <Rule Ruleid="urn:rule1">
    ...
    <Conditions>
      <greater>
        <AttributeSelector xmlns:x="www.oasis-open.org/xacml">
          /x:RequestContext/x:ContextSubject/Attribute[@AttributeName="RequestedMembershipLevel"][@AttributeFamily="www.oasis-open.org/catalyst2002/attributes"]
        </AttributeSelector>
        <AttributeSelector xmlns:x="www.oasis-open.org/xacml">
          /x:RequestContext/x:ContextSubject/Attribute[@AttributeName="MembershipLevel"][@AttributeFamily="www.oasis-open.org/catalyst2002/attributes"]
        </AttributeSelector>
      </greater>
    </Conditions>
  </Rule>

Simon Godik
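As an added example (not part of Simon's post, nor code from any XACML implementation), the Python below evaluates the same urn:rule1 condition against a constructed request context in both styles the post compares: a kind-bound designator for options (1)/(2), and a selector path for option (3). It assumes the section names ContextResource and ContextOther (only ContextSubject appears in the post), rewrites the selector's leading /x:RequestContext step to a relative path because ElementTree has no absolute paths, and treats a missing attribute as indeterminate rather than as false.

```python
import xml.etree.ElementTree as ET

# Namespace URI and attribute family exactly as written in the post.
XACML_NS = "www.oasis-open.org/xacml"
NS = {"x": XACML_NS}
FAMILY = "www.oasis-open.org/catalyst2002/attributes"

# Constructed sample request context (not from the post). ContextSubject comes
# from the post's selector example; ContextResource and ContextOther are
# assumed names for the sections the other two designator kinds point into.
REQUEST_CONTEXT = f"""<x:RequestContext xmlns:x="{XACML_NS}">
  <x:ContextSubject>
    <x:Attribute AttributeName="RequestedMembershipLevel" AttributeFamily="{FAMILY}">3</x:Attribute>
    <x:Attribute AttributeName="MembershipLevel" AttributeFamily="{FAMILY}">2</x:Attribute>
  </x:ContextSubject>
  <x:ContextResource>
    <x:Attribute AttributeName="MembershipLevel" AttributeFamily="{FAMILY}">5</x:Attribute>
  </x:ContextResource>
</x:RequestContext>"""

# Options (1) and (2): the designator's kind fixes which context section is searched.
KIND_TO_SECTION = {
    "subject": "ContextSubject",
    "resource": "ContextResource",  # assumed section name
    "other": "ContextOther",        # assumed section name
}


def parse_context(xml_text):
    """Parse a request context document and return its root element."""
    return ET.fromstring(xml_text)


def resolve_designator(ctx_root, kind, attribute_name, attribute_family):
    """Values of every attribute in the section implied by `kind` whose name and
    family match. Matching is done in Python rather than by splicing policy
    strings into an XPath, so a quote in a name cannot change the query."""
    section = ctx_root.find(f"x:{KIND_TO_SECTION[kind]}", NS)
    if section is None:
        return []
    return [
        el.text
        for el in section.findall("x:Attribute", NS)
        if el.get("AttributeName") == attribute_name
        and el.get("AttributeFamily") == attribute_family
    ]


def resolve_selector(ctx_root, xpath):
    """Option (3): evaluate an AttributeSelector path against the context.
    ElementTree refuses absolute paths on an element, so the leading
    '/x:RequestContext' step is rewritten to '.' (a convention of this demo);
    a selector not rooted at the request context is rejected outright."""
    root_step = "/x:RequestContext"
    rest = xpath[len(root_step):]
    if not xpath.startswith(root_step) or rest[:1] not in ("", "/"):
        raise ValueError("selector must be rooted at /x:RequestContext")
    return [el.text for el in ctx_root.findall("." + rest, NS)]


def greater(left, right):
    """The post's <greater> over two resolved operands. A missing operand makes
    the result indeterminate (None) instead of a silent False."""
    if not left or not right:
        return None
    return int(left[0]) > int(right[0])


def evaluate_rule(context_xml):
    """urn:rule1 from the post, evaluated once with kind-bound designators and
    once with selectors; on the same context both must agree."""
    root = parse_context(context_xml)
    by_designator = greater(
        resolve_designator(root, "subject", "RequestedMembershipLevel", FAMILY),
        resolve_designator(root, "subject", "MembershipLevel", FAMILY),
    )
    selector = ("/x:RequestContext/x:ContextSubject/x:Attribute"
                "[@AttributeName='{name}'][@AttributeFamily='" + FAMILY + "']")
    by_selector = greater(
        resolve_selector(root, selector.format(name="RequestedMembershipLevel")),
        resolve_selector(root, selector.format(name="MembershipLevel")),
    )
    return by_designator, by_selector


if __name__ == "__main__":
    print(evaluate_rule(REQUEST_CONTEXT))  # (True, True): 3 > 2 in the subject section
```

Two things worth noticing when running it. A kind-bound designator cannot confuse the subject's MembershipLevel (2) with the resource's MembershipLevel (5), because the kind selects the section before the name is compared; with a free-form selector that guarantee rests entirely on the policy author getting the path right, and a mistyped step returns nothing, which the rule should surface as indeterminate rather than as a quiet deny or permit. The designator lookup also never interpolates attribute names into a query string, which is the safer habit once policies are written by people other than the PDP operator.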