OASIS Mailing List Archives
xacml message
Subject: Re: [xacml] Request and Response Context Schemas - Take 2



Hi, Anne

I am not clear on your sentence "If we ever expect to have multiple
resources, we need to know which actions go with which resource, and this
makes that association." Does this mean that the PEP can ask the PDP with
two or more pairs of resource and action (e.g. read a.xml and update b.xml)
per access request?

As far as I understand, each <Principal> consists of an optional <PrincipalID>
and any number of <Attribute>s, each of which consists of an optional <Holder>
and one <AttributeValue> that can contain anything. Is that correct? I am
wondering whether <PrincipalID> differs from <Holder> or not. Since
<ContextPrincipals> allows multiple <Principal>s, I thought that each
<Principal> has a different <PrincipalID> specified by a <NameIdentifier> that
is equal to the <Holder> (which also consists of a <NameIdentifier>) of the
<Attribute>.  I would like to see an XACML Context example based on your
schema.

Best
Michiharu


IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428




Anne Anderson <Anne.Anderson@Sun.com>
To:      XACML TC <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] Request and Response Context Schemas - Take 2
2002/06/05 01:46
Please respond to Anne.Anderson



I have modified Simon's proposed schemas according to my proposed
ContextPrincipals definition.  I have also made the following
further changes based on comments from my group here and from the
concalls.  This has NOT been run through a validator.

- SimplePrincipal is now just Principal.
- ContextResource has been expanded to ContextResources,
  comparable to the expansion of Principal/ContextPrincipal to
  ContextPrincipals.  I think Michiharu suggested that we may
  want to allow for multiple resources, and I think it is also a
  good idea.
- I added a saml:IDType attribute to the RequestContext and the
  ResponseContext.  This is so that a response decision can be
  matched against a specific request.
- ContextActions is now an element under a Resource.  If we ever
  expect to have multiple resources, we need to know which
  actions go with which resource, and this makes that
  association.
- AttributeFamily is eliminated, and AttributeName is
  type="xs:anyURI".
- Issuer, IssueInstant attributes are made optional.
- AbstractPrincipal is eliminated.  In its place, a PrincipalID
  element is defined to hold the ways of identifying a given
  principal, either in a Principal or in an Attribute.
- HolderType is eliminated.  It is now PrincipalID.

Polar, I don't think we are ready to define ComplexPrincipalType.
I left a place-holder for it, but I think it needs a lot more
discussion.  The sequence of role-identified Principals is an
attempt to deal with what we know now.

Anne
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

<?xml version="1.0" encoding="UTF-8"?>
<!-- Title: Proposed Request and Response Context Schemas -->
<!-- Version: 1.1, 02/06/04 (yy/mm/dd) -->
<!-- Author:  Anne Anderson -->
<!-- Source:  /home/aa74233/docs/XACML/SCCS/s.ReqRespContextSchema.txt -->
<xs:schema targetNamespace="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xacml="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           elementFormDefault="qualified" attributeFormDefault="unqualified">
    <!-- Assumed: the SAML 1.0 assertion namespace for saml:IDType. The posted
         draft used the saml: prefix without declaring it; the import below
         leaves schemaLocation for the deployment to supply. -->
    <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
    <!-- -->
    <xs:element name="RequestContext" type="xacml:RequestContextType"/>
    <xs:complexType name="RequestContextType">
        <xs:sequence>
            <xs:element ref="xacml:ContextPrincipals"/>
            <xs:element ref="xacml:ContextResources"/>
            <xs:element ref="xacml:ContextOther"/>
        </xs:sequence>
        <!-- IDType must be unique identifier -->
        <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
    </xs:complexType>
    <!-- -->
    <xs:element name="ResponseContext" type="xacml:ResponseContextType"/>
    <xs:complexType name="ResponseContextType">
        <xs:choice>
            <xs:element ref="xacml:Permit"/>
            <xs:element ref="xacml:Deny"/>
            <xs:element ref="xacml:Indeterminate"/>
        </xs:choice>
        <!-- RequestID must be copied from the request context
             for which this is the response. -->
        <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
    </xs:complexType>
    <!-- -->
    <xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
    <xs:complexType name="ContextPrincipalsType">
        <xs:choice>
            <!--xs:element ref="xacml:ComplexPrincipal" minOccurs="1" maxOccurs="1"/-->
            <xs:element ref="xacml:Principal" minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
    </xs:complexType>
    <!-- -->
    <xs:element name="Principal" type="xacml:PrincipalType"/>
    <xs:complexType name="PrincipalType">
        <xs:sequence>
            <xs:element ref="xacml:PrincipalID" minOccurs="0" maxOccurs="1"/>
            <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- PrincipalType examples: j2se:CodeSource xacml:RequestingUser -->
        <xs:attribute name="PrincipalType" type="xs:anyURI" use="required"/>
    </xs:complexType>
    <!-- -->
    <!--xs:element name="ComplexPrincipal" type="xacml:ComplexPrincipalType"/-->
    <!--xs:complexType name="ComplexPrincipalType"-->
        <!-- Not yet defined: a relational tree structure of Principal -->
    <!--/xs:complexType-->
    <!-- -->
    <xs:element name="PrincipalID" type="xacml:PrincipalIDType"/>
    <xs:complexType name="PrincipalIDType">
        <xs:choice>
            <xs:element ref="xacml:NameIdentifier"/>
            <!-- did we agree on the 'ds:key' here? -->
            <!--xs:element ref="ds:KeyInfo"/-->
        </xs:choice>
    </xs:complexType>
    <!-- -->
    <xs:element name="NameIdentifier" type="xacml:NameIdentifierType"/>
    <xs:complexType name="NameIdentifierType">
        <xs:simpleContent>
            <xs:extension base="xs:string">
                <xs:attribute name="Format" type="xs:anyURI" use="required"/>
                <xs:attribute name="NameQualifier" type="xs:string" use="optional"/>
            </xs:extension>
        </xs:simpleContent>
    </xs:complexType>
    <!-- -->
    <xs:element name="AnyURI" type="xs:anyURI"/>
    <!-- -->
    <xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType"/>
    <xs:complexType name="AttributeDesignatorType">
        <xs:sequence>
            <!-- Holder is the PrincipalID element value when
                 Attribute is used in a Principal -->
            <xs:element ref="xacml:Holder" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="AttributeName" type="xs:anyURI" use="required"/>
        <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
        <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
        <xs:attribute name="AttributeLocator" type="xs:string" use="optional"/>
    </xs:complexType>
    <!-- -->
    <xs:element name="Holder" type="xacml:PrincipalIDType"/>
    <!-- -->
    <xs:element name="Attribute" type="xacml:AttributeType"/>
    <xs:complexType name="AttributeType">
        <xs:complexContent>
            <xs:extension base="xacml:AttributeDesignatorType">
                <xs:sequence>
                    <xs:element ref="xacml:AttributeValue"/>
                </xs:sequence>
            </xs:extension>
        </xs:complexContent>
    </xs:complexType>
    <!-- -->
    <xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
    <xs:complexType name="AttributeValueType">
        <xs:sequence>
            <xs:any maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
    <!-- -->
    <xs:element name="ContextResources" type="xacml:ContextResourcesType"/>
    <xs:complexType name="ContextResourcesType">
        <xs:choice>
            <!--xs:element ref="xacml:ComplexResource" minOccurs="1" maxOccurs="1"/-->
            <xs:element ref="xacml:Resource" minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
    </xs:complexType>
    <!-- -->
    <xs:element name="Resource" type="xacml:ResourceType"/>
    <xs:complexType name="ResourceType">
        <xs:sequence>
            <xs:element ref="xacml:ResourceSpecifier" maxOccurs="1"/>
            <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="xacml:Action" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
    <!-- -->
    <!--xs:element name="ComplexResource" type="xacml:ComplexResourceType"/-->
    <!--xs:complexType name="ComplexResourceType"-->
        <!-- Not yet defined: a relational tree structure of Resource -->
    <!--/xs:complexType-->
    <!-- -->
    <xs:element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
    <xs:complexType name="ResourceSpecifierType">
        <xs:sequence>
            <xs:element ref="xacml:ResourceContent" minOccurs="0"/>
        </xs:sequence>
        <xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/>
    </xs:complexType>
    <!-- -->
    <xs:element name="ResourceContent" type="xacml:ResourceContentType"/>
    <xs:complexType name="ResourceContentType">
        <xs:sequence>
            <xs:any maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
    <!-- -->
    <xs:element name="Action" type="xs:string"/>
    <!-- -->
    <xs:element name="ContextOther" type="xacml:ContextOtherType"/>
    <xs:complexType name="ContextOtherType">
        <xs:sequence>
            <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
    <!-- -->
    <xs:complexType name="DecisionType">
        <xs:attribute name="ResourceName" type="xs:anyURI"/>
        <xs:attribute name="Action" type="xs:anyURI"/>
    </xs:complexType>
    <!-- -->
    <xs:element name="Permit" type="xacml:EffectDecisionType"/>
    <xs:element name="Deny" type="xacml:EffectDecisionType"/>
    <xs:complexType name="EffectDecisionType">
        <xs:complexContent>
            <xs:extension base="xacml:DecisionType">
                <xs:sequence>
                    <xs:element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
            </xs:extension>
        </xs:complexContent>
    </xs:complexType>
    <!-- -->
    <xs:element name="Obligation" type="xacml:ObligationType"/>
    <xs:complexType name="ObligationType">
        <xs:sequence>
            <xs:any minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="ObligationName" type="xs:anyURI"/>
    </xs:complexType>
    <!-- -->
    <xs:element name="Indeterminate" type="xacml:IndeterminateType"/>
    <xs:complexType name="IndeterminateType">
        <xs:complexContent>
            <xs:extension base="xacml:DecisionType">
                <xs:sequence>
                    <xs:element ref="xacml:Advice" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
            </xs:extension>
        </xs:complexContent>
    </xs:complexType>
    <!-- -->
    <xs:element name="Advice" type="xacml:AdviceType"/>
    <xs:complexType name="AdviceType">
        <xs:sequence>
            <xs:any minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="AdviceName" type="xs:anyURI"/>
    </xs:complexType>
</xs:schema>
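The context example Michiharu asks for, added here by the editor and not taken from the thread: a RequestContext instance shaped after the draft schema above (one Principal whose Attribute carries a Holder equal to its PrincipalID, and two Resources each with its own Action, which is the multiple-resource case Anne's change is about), together with the checks a PEP would make on the ResponseContext it gets back. The namespace URI is the draft's targetNamespace; the RequestID value, the principal, attribute, issuer and Format URIs, and the resource URIs are constructed sample data. Note that ResponseContextType as drafted is a choice of exactly one Permit/Deny/Indeterminate, so a request asking about two (resource, action) pairs gets a decision for at most one of them; the DecisionType attributes ResourceName and Action are what tie that one decision back to a requested pair.

```python
# Added example (editor's illustration, not code from the thread): a
# RequestContext shaped after the draft schema, and the checks a PEP makes
# on the ResponseContext it gets back.  NS is the draft's targetNamespace;
# every identifier, URI and attribute value below is constructed sample data.
import xml.etree.ElementTree as ET

NS = "http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
X = "{" + NS + "}"   # Clark-notation prefix for the qualified element tags

# One principal, two resources; each Resource carries its own Action
# elements, so "read a.xml" and "update b.xml" are distinct pairs.
REQUEST_XML = """<RequestContext xmlns="%s" RequestID="req-0001">
  <ContextPrincipals>
    <Principal PrincipalType="urn:example:xacml:RequestingUser">
      <PrincipalID><NameIdentifier Format="urn:example:format:email">alice@example.com</NameIdentifier></PrincipalID>
      <Attribute AttributeName="urn:example:attr:role" Issuer="urn:example:issuer:hr">
        <Holder><NameIdentifier Format="urn:example:format:email">alice@example.com</NameIdentifier></Holder>
        <AttributeValue><Role>editor</Role></AttributeValue>
      </Attribute>
    </Principal>
  </ContextPrincipals>
  <ContextResources>
    <Resource><ResourceSpecifier ResourceURI="file:///docs/a.xml"/><Action>read</Action></Resource>
    <Resource><ResourceSpecifier ResourceURI="file:///docs/b.xml"/><Action>update</Action></Resource>
  </ContextResources>
  <ContextOther/>
</RequestContext>""" % NS

# The PDP's answer: one decision, tied to the request by RequestID and to
# one requested pair by the DecisionType attributes ResourceName/Action.
RESPONSE_XML = """<ResponseContext xmlns="%s" RequestID="req-0001">
  <Permit ResourceName="file:///docs/a.xml" Action="read"/>
</ResponseContext>""" % NS

DECISIONS = (X + "Permit", X + "Deny", X + "Indeterminate")


def name_key(ni):
    """Comparable key for a NameIdentifier: (Format, NameQualifier, value)."""
    return (ni.get("Format"), ni.get("NameQualifier"), (ni.text or "").strip())


def requested_pairs(request_xml):
    """Set of (ResourceURI, Action) pairs the request asks about.  Actions are
    read per Resource, which is the association Anne's change introduces."""
    pairs = set()
    for res in ET.fromstring(request_xml).iter(X + "Resource"):
        spec = res.find(X + "ResourceSpecifier")
        uri = spec.get("ResourceURI") if spec is not None else None
        for act in res.findall(X + "Action"):
            pairs.add((uri, (act.text or "").strip()))
    return pairs


def holder_mismatches(request_xml):
    """Per the schema comment, an Attribute's Holder inside a Principal is that
    Principal's PrincipalID.  Return (AttributeName, holder key) for every
    attribute whose Holder names someone else, so the PDP does not credit
    one subject with an attribute asserted about another."""
    bad = []
    for p in ET.fromstring(request_xml).iter(X + "Principal"):
        pid = p.find(X + "PrincipalID/" + X + "NameIdentifier")
        pid_key = name_key(pid) if pid is not None else None
        for attr in p.findall(X + "Attribute"):
            holder = attr.find(X + "Holder/" + X + "NameIdentifier")
            if holder is not None and name_key(holder) != pid_key:
                bad.append((attr.get("AttributeName"), name_key(holder)))
    return bad


def check_response(request_xml, response_xml):
    """PEP-side validation of a ResponseContext.  Returns 'Permit', 'Deny' or
    'Indeterminate' when the response belongs to this request and its
    decision names a pair that was actually requested; raises otherwise."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    if resp.get("RequestID") != req.get("RequestID"):
        raise ValueError("RequestID mismatch: response is for another request")
    decisions = [c for c in resp if c.tag in DECISIONS]
    if len(decisions) != 1:
        raise ValueError("ResponseContext must carry exactly one decision")
    d = decisions[0]
    pair = (d.get("ResourceName"), d.get("Action"))
    if pair not in requested_pairs(request_xml):
        raise ValueError("decision is about an unrequested pair: %r" % (pair,))
    return d.tag[len(X):]


if __name__ == "__main__":
    print(sorted(requested_pairs(REQUEST_XML)))
    print(holder_mismatches(REQUEST_XML))
    print(check_response(REQUEST_XML, RESPONSE_XML))
```

The two checks in check_response are the enforcement-side counterpart of the two schema changes Anne lists: the RequestID attribute lets the PEP reject a decision that was issued for some other request, and nesting Action under Resource lets it reject a Permit that names a (resource, action) pair it never asked about, instead of applying "read a.xml" to "update b.xml". holder_mismatches is the check Michiharu's PrincipalID/Holder question implies: if Holder is meant to equal the enclosing PrincipalID, a Holder that names a different subject is an attribute being attached to the wrong principal.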

