Subject: Re: [xacml] Request and Response Context Schemas - Take 2
Hi, Anne

I am not clear on your sentence "If we ever expect to have multiple resources, we need to know which actions go with which resource, and this makes that association." Does this mean that the PEP can ask the PDP with two or more pairs of resource and action (e.g. read a.xml and update b.xml) per one access request?

As far as I understand, each <Principal> consists of an optional <PrincipalID> and any number of <Attribute>s, each of which consists of an optional <Holder> and one <AttributeValue> that can contain anything in it. Is that correct?

I am wondering whether <PrincipalID> differs from <Holder> or not. Since <ContextPrincipals> allows multiple <Principal>s, I thought that each <Principal> has a different <PrincipalID> specified by a <NameIdentifier> that is equal to the <Holder> (which also consists of a <NameIdentifier>) of the <Attribute>.

I would like to see an XACML Context example based on your schema.

Best
Michiharu

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642
Fax +81 (46) 273-7428


Anne Anderson <Anne.Anderson@Sun.com>
2002/06/05 01:46
Please respond to Anne.Anderson
To: XACML TC <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] Request and Response Context Schemas - Take 2

I have modified Simon's proposed schemas according to my proposed ContextPrincipals definition. I have also made the following further changes based on comments from my group here and from the concalls. This has NOT been run through a validator.

- SimplePrincipal is now just Principal.
- ContextResource has been expanded to ContextResources, comparable to the expansion of Principal/ContextPrincipal to ContextPrincipals. I think Michiharu suggested that we may want to allow for multiple resources, and I think it is also a good idea.
- I added a saml:IDType attribute to the RequestContext and the ResponseContext. This is so that a response decision can be matched against a specific request.
- ContextActions is now an element under a Resource. If we ever expect to have multiple resources, we need to know which actions go with which resource, and this makes that association.
- AttributeFamily is eliminated, and AttributeName is type="xs:anyURI".
- Issuer, IssueInstant attributes are made optional.
- AbstractPrincipal is eliminated. In its place, a PrincipalID element is defined to hold the ways of identifying a given principal, either in a Principal or in an Attribute.
- HolderType is eliminated. It is now PrincipalID.

Polar, I don't think we are ready to define ComplexPrincipalType. I left a place-holder for it, but I think it needs a lot more discussion. The sequence of role-identified Principals is an attempt to deal with what we know now.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692


<?xml version="1.0" encoding="UTF-8"?>
<!-- Title: Proposed Request and Response Context Schemas -->
<!-- Version: 1.1, 02/06/04 (yy/mm/dd) -->
<!-- Author: Anne Anderson -->
<!-- Source: /home/aa74233/docs/XACML/SCCS/s.ReqRespContextSchema.txt -->
<xs:schema
    targetNamespace="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xacml="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
    elementFormDefault="qualified"
    attributeFormDefault="unqualified">

  <!-- The saml prefix used for saml:IDType below was not declared in the posted
       draft; binding it to the SAML 1.0 assertion namespace is an assumption,
       and the import is needed for the RequestID attribute type to resolve. -->
  <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>

  <!-- -->
  <xs:element name="RequestContext" type="xacml:RequestContextType"/>
  <xs:complexType name="RequestContextType">
    <xs:sequence>
      <xs:element ref="xacml:ContextPrincipals"/>
      <xs:element ref="xacml:ContextResources"/>
      <xs:element ref="xacml:ContextOther"/>
    </xs:sequence>
    <!-- IDType must be unique identifier -->
    <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
  </xs:complexType>

  <!-- -->
  <xs:element name="ResponseContext" type="xacml:ResponseContextType"/>
  <xs:complexType name="ResponseContextType">
    <xs:choice>
      <xs:element ref="xacml:Permit"/>
      <xs:element ref="xacml:Deny"/>
      <xs:element ref="xacml:Indeterminate"/>
    </xs:choice>
    <!-- RequestID must be copied from the request context for which this is the response. -->
    <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
  </xs:complexType>

  <!-- -->
  <xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
  <xs:complexType name="ContextPrincipalsType">
    <xs:choice>
      <!--xs:element ref="xacml:ComplexPrincipal" minOccurs="1" maxOccurs="1"/-->
      <xs:element ref="xacml:Principal" minOccurs="1" maxOccurs="unbounded"/>
    </xs:choice>
  </xs:complexType>

  <!-- -->
  <xs:element name="Principal" type="xacml:PrincipalType"/>
  <xs:complexType name="PrincipalType">
    <xs:sequence>
      <xs:element ref="xacml:PrincipalID" minOccurs="0" maxOccurs="1"/>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- PrincipalType examples: j2se:CodeSource xacml:RequestingUser -->
    <xs:attribute name="PrincipalType" type="xs:anyURI" use="required"/>
  </xs:complexType>

  <!-- -->
  <!--xs:element name="ComplexPrincipal" type="xacml:ComplexPrincipalType"/-->
  <!--xs:complexType name="ComplexPrincipalType"-->
  <!-- Not yet defined: a relational tree structure of Principal -->
  <!--/xs:complexType-->

  <!-- -->
  <xs:element name="PrincipalID" type="xacml:PrincipalIDType"/>
  <xs:complexType name="PrincipalIDType">
    <xs:choice>
      <xs:element ref="xacml:NameIdentifier"/>
      <!-- did we agree on the 'ds:key' here? -->
      <!--xs:element ref="ds:KeyInfo"/-->
    </xs:choice>
  </xs:complexType>

  <!-- -->
  <xs:element name="NameIdentifier" type="xacml:NameIdentifierType"/>
  <xs:complexType name="NameIdentifierType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="Format" type="xs:anyURI" use="required"/>
        <xs:attribute name="NameQualifier" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>

  <!-- -->
  <xs:element name="AnyURI" type="xs:anyURI"/>

  <!-- -->
  <xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType"/>
  <xs:complexType name="AttributeDesignatorType">
    <xs:sequence>
      <!-- Holder is the PrincipalID element value when Attribute is used in a Principal -->
      <xs:element ref="xacml:Holder" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="AttributeName" type="xs:anyURI" use="required"/>
    <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
    <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
    <xs:attribute name="AttributeLocator" type="xs:string" use="optional"/>
  </xs:complexType>

  <!-- -->
  <xs:element name="Holder" type="xacml:PrincipalIDType"/>

  <!-- -->
  <xs:element name="Attribute" type="xacml:AttributeType"/>
  <xs:complexType name="AttributeType">
    <xs:complexContent>
      <xs:extension base="xacml:AttributeDesignatorType">
        <xs:sequence>
          <xs:element ref="xacml:AttributeValue"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- -->
  <xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
  <xs:complexType name="AttributeValueType">
    <xs:sequence>
      <xs:any maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <!-- -->
  <xs:element name="ContextResources" type="xacml:ContextResourcesType"/>
  <xs:complexType name="ContextResourcesType">
    <xs:choice>
      <!--xs:element ref="xacml:ComplexResource" minOccurs="1" maxOccurs="1"/-->
      <xs:element ref="xacml:Resource" minOccurs="1" maxOccurs="unbounded"/>
    </xs:choice>
  </xs:complexType>

  <!-- -->
  <xs:element name="Resource" type="xacml:ResourceType"/>
  <xs:complexType name="ResourceType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceSpecifier" maxOccurs="1"/>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
      <!-- Action sits under Resource so that each action is tied to one resource -->
      <xs:element ref="xacml:Action" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <!-- -->
  <!--xs:element name="ComplexResource" type="xacml:ComplexResourceType"/-->
  <!--xs:complexType name="ComplexResourceType"-->
  <!-- Not yet defined: a relational tree structure of Resource -->
  <!--/xs:complexType-->

  <!-- -->
  <xs:element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
  <xs:complexType name="ResourceSpecifierType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceContent" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/>
  </xs:complexType>

  <!-- -->
  <xs:element name="ResourceContent" type="xacml:ResourceContentType"/>
  <xs:complexType name="ResourceContentType">
    <xs:sequence>
      <xs:any maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <!-- -->
  <xs:element name="Action" type="xs:string"/>

  <!-- -->
  <xs:element name="ContextOther" type="xacml:ContextOtherType"/>
  <xs:complexType name="ContextOtherType">
    <xs:sequence>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <!-- -->
  <xs:complexType name="DecisionType">
    <xs:attribute name="ResourceName" type="xs:anyURI"/>
    <xs:attribute name="Action" type="xs:anyURI"/>
  </xs:complexType>

  <!-- -->
  <xs:element name="Permit" type="xacml:EffectDecisionType"/>
  <xs:element name="Deny" type="xacml:EffectDecisionType"/>
  <xs:complexType name="EffectDecisionType">
    <xs:complexContent>
      <xs:extension base="xacml:DecisionType">
        <xs:sequence>
          <xs:element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- -->
  <xs:element name="Obligation" type="xacml:ObligationType"/>
  <xs:complexType name="ObligationType">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ObligationName" type="xs:anyURI"/>
  </xs:complexType>

  <!-- -->
  <xs:element name="Indeterminate" type="xacml:IndeterminateType"/>
  <xs:complexType name="IndeterminateType">
    <xs:complexContent>
      <xs:extension base="xacml:DecisionType">
        <xs:sequence>
          <xs:element ref="xacml:Advice" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- -->
  <xs:element name="Advice" type="xacml:AdviceType"/>
  <xs:complexType name="AdviceType">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="AdviceName" type="xs:anyURI"/>
  </xs:complexType>

</xs:schema>
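Michiharu asks for a Context example built on the draft schema. The Python script below is an added example written for this page; it is not part of the thread and not code from any XACML implementation. It builds a RequestContext instance in the draft's namespace with two resources, each carrying its own Action children (read a.xml, update b.xml, the case Michiharu raises), extracts the (resource, action) pairs a PDP would have to evaluate, and shows the RequestID correlation Anne describes: a ResponseContext is accepted only when its RequestID equals the one the PEP sent. The RequestID value, principal name, NameIdentifier Format URI and resource URIs are constructed sample values; only the element names, attribute names and namespace come from the schema.

```python
"""Added example (not from the thread): instances of the draft XACML
Request/Response Context schema, built with the standard library only."""
import xml.etree.ElementTree as ET

# Namespace exactly as declared in the draft schema's targetNamespace.
XACML_NS = "http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
NS = {"xacml": XACML_NS}
ET.register_namespace("xacml", XACML_NS)  # readable prefix on serialisation

# Constructed sample values (not from the thread).
SAMPLE_REQUEST_ID = "req-0001"
SAMPLE_PRINCIPAL = "alice@example.com"
SAMPLE_NAME_FORMAT = "urn:example:name-format:email"  # placeholder Format URI
SAMPLE_RESOURCE_ACTIONS = {
    "file:///docs/a.xml": ["read"],
    "file:///docs/b.xml": ["update"],
}


def q(local):
    """Clark-notation tag for an element in the draft context namespace."""
    return f"{{{XACML_NS}}}{local}"


def build_request(request_id, principal_name, name_format, resource_actions):
    """Serialise a RequestContext. resource_actions maps ResourceURI -> [Action].
    Layout follows RequestContextType: ContextPrincipals, ContextResources,
    ContextOther (required by the sequence, so it is emitted even when empty).
    Attributes are unqualified, matching attributeFormDefault="unqualified"."""
    root = ET.Element(q("RequestContext"), {"RequestID": request_id})
    principals = ET.SubElement(root, q("ContextPrincipals"))
    # PrincipalType is required; the value is one of the schema's own examples.
    principal = ET.SubElement(principals, q("Principal"),
                              {"PrincipalType": "xacml:RequestingUser"})
    pid = ET.SubElement(principal, q("PrincipalID"))
    name = ET.SubElement(pid, q("NameIdentifier"), {"Format": name_format})
    name.text = principal_name
    resources = ET.SubElement(root, q("ContextResources"))
    for uri, actions in resource_actions.items():
        res = ET.SubElement(resources, q("Resource"))
        ET.SubElement(res, q("ResourceSpecifier"), {"ResourceURI": uri})
        for action in actions:  # Action is a child of Resource in this draft
            ET.SubElement(res, q("Action")).text = action
    ET.SubElement(root, q("ContextOther"))
    return ET.tostring(root, encoding="unicode")


def resource_action_pairs(request_xml):
    """Return (ResourceURI, Action) pairs in document order. Because Action is
    nested under Resource, the pairing is unambiguous with several resources."""
    root = ET.fromstring(request_xml)
    pairs = []
    for res in root.findall("xacml:ContextResources/xacml:Resource", NS):
        uri = res.find("xacml:ResourceSpecifier", NS).get("ResourceURI")
        for act in res.findall("xacml:Action", NS):
            pairs.append((uri, act.text))
    return pairs


def build_response(request_id, decision, resource_name=None, action=None):
    """Serialise a ResponseContext. RequestID is copied from the request so the
    PEP can pair the answer with what it asked; decision is the single
    Permit/Deny/Indeterminate child the schema's choice allows."""
    if decision not in ("Permit", "Deny", "Indeterminate"):
        raise ValueError("decision must be Permit, Deny or Indeterminate")
    root = ET.Element(q("ResponseContext"), {"RequestID": request_id})
    attrs = {}
    if resource_name is not None:
        attrs["ResourceName"] = resource_name
    if action is not None:
        attrs["Action"] = action
    ET.SubElement(root, q(decision), attrs)
    return ET.tostring(root, encoding="unicode")


def response_matches_request(request_xml, response_xml):
    """PEP-side check: accept a response only if it is a ResponseContext whose
    RequestID equals the RequestContext's. A stale or misrouted decision fails."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    return (req.tag == q("RequestContext")
            and resp.tag == q("ResponseContext")
            and req.get("RequestID") == resp.get("RequestID"))


def decision_of(response_xml):
    """Return (decision, ResourceName, Action) from a ResponseContext."""
    child = ET.fromstring(response_xml)[0]
    return child.tag.split("}")[1], child.get("ResourceName"), child.get("Action")


if __name__ == "__main__":
    req = build_request(SAMPLE_REQUEST_ID, SAMPLE_PRINCIPAL,
                        SAMPLE_NAME_FORMAT, SAMPLE_RESOURCE_ACTIONS)
    print(req)
    print(resource_action_pairs(req))
    resp = build_response(SAMPLE_REQUEST_ID, "Permit", "file:///docs/a.xml", "read")
    print(resp, response_matches_request(req, resp))
```

One design point the instance makes visible: RequestContextType lets a single request carry any number of Resource elements, each with several Action children, but ResponseContextType holds exactly one Permit, Deny or Indeterminate element, and DecisionType names a single ResourceName and Action. A PDP answering the two-resource request above therefore has to either send one response per (resource, action) pair, each copying the same RequestID, or collapse the pairs into one decision; the draft as posted does not say which, and a PEP should not assume a single Permit covers every pair it asked about.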