Subject: RE: [xacml] Request and Response Context Schemas - Take 2
Hi Anne

Why do you want to remove the AttributeFamily? Our implementation intends to use this value to handle the Federation case as I explained at the F2F. Yes, one could pass the AttributeFamily by combining it with the AttributeName, but then one has to parse the AttributeName to get the AttributeFamily. The AttributeFamily as a separate element or attribute is cleaner and more understandable to implementers.

Don

-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Tuesday, June 04, 2002 12:46 PM
To: XACML TC
Subject: [xacml] Request and Response Context Schemas - Take 2

I have modified Simon's proposed schemas according to my proposed ContextPrincipals definition. I have also made the following further changes based on comments from my group here and from the concalls. This has NOT been run through a validator.

- SimplePrincipal is now just Principal.
- ContextResource has been expanded to ContextResources, comparable to the expansion of Principal/ContextPrincipal to ContextPrincipals. I think Michiharu suggested that we may want to allow for multiple resources, and I think it is also a good idea.
- I added a saml:IDType attribute to the RequestContext and the ResponseContext. This is so that a response decision can be matched against a specific request.
- ContextActions is now an element under a Resource. If we ever expect to have multiple resources, we need to know which actions go with which resource, and this makes that association.
- AttributeFamily is eliminated, and AttributeName is type="xs:anyURI".
- Issuer, IssueInstant attributes are made optional.
- AbstractPrincipal is eliminated. In its place, a PrincipalID element is defined to hold the ways of identifying a given principal, either in a Principal or in an Attribute.
- HolderType is eliminated. It is now PrincipalID.

Polar, I don't think we are ready to define ComplexPrincipalType. I left a place-holder for it, but I think it needs a lot more discussion.
The sequence of role-identified Principals is an attempt to deal with what we know now.

Anne
--
Anne H. Anderson                     Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311           Tel: 781/442-0928
Burlington, MA 01803-0902 USA        Fax: 781/442-1692

<?xml version="1.0" encoding="UTF-8"?>
<!-- Title: Proposed Request and Response Context Schemas -->
<!-- Version: 1.1, 02/06/04 (yy/mm/dd) -->
<!-- Author: Anne Anderson -->
<!-- Source: /home/aa74233/docs/XACML/SCCS/s.ReqRespContextSchema.txt -->
<xs:schema targetNamespace="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xacml="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
  <!-- Imports so that saml:IDType (and ds:KeyInfo, if enabled below) resolve.
       The SAML 1.0 assertion namespace is assumed for IDType; schemaLocation
       is left to the validator configuration. -->
  <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"/>
  <!-- -->
  <xs:element name="RequestContext" type="xacml:RequestContextType"/>
  <xs:complexType name="RequestContextType">
    <xs:sequence>
      <xs:element ref="xacml:ContextPrincipals"/>
      <xs:element ref="xacml:ContextResources"/>
      <xs:element ref="xacml:ContextOther"/>
    </xs:sequence>
    <!-- IDType must be unique identifier -->
    <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="ResponseContext" type="xacml:ResponseContextType"/>
  <xs:complexType name="ResponseContextType">
    <xs:choice>
      <xs:element ref="xacml:Permit"/>
      <xs:element ref="xacml:Deny"/>
      <xs:element ref="xacml:Indeterminate"/>
    </xs:choice>
    <!-- RequestID must be copied from the request context for which this is the response. -->
    <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
  <xs:complexType name="ContextPrincipalsType">
    <xs:choice>
      <!--xs:element ref="xacml:ComplexPrincipal" minOccurs="1" maxOccurs="1"/-->
      <xs:element ref="xacml:Principal" minOccurs="1" maxOccurs="unbounded"/>
    </xs:choice>
  </xs:complexType>
  <!-- -->
  <xs:element name="Principal" type="xacml:PrincipalType"/>
  <xs:complexType name="PrincipalType">
    <xs:sequence>
      <xs:element ref="xacml:PrincipalID" minOccurs="0" maxOccurs="1"/>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- PrincipalType examples: j2se:CodeSource xacml:RequestingUser -->
    <xs:attribute name="PrincipalType" type="xs:anyURI" use="required"/>
  </xs:complexType>
  <!-- -->
  <!--xs:element name="ComplexPrincipal" type="xacml:ComplexPrincipalType"/-->
  <!--xs:complexType name="ComplexPrincipalType"-->
  <!-- Not yet defined: a relational tree structure of Principal -->
  <!--/xs:complexType-->
  <!-- -->
  <xs:element name="PrincipalID" type="xacml:PrincipalIDType"/>
  <!-- Was mistyped as a closing tag (</xs:complexType ...>) in the draft; corrected. -->
  <xs:complexType name="PrincipalIDType">
    <xs:choice>
      <xs:element ref="xacml:NameIdentifier"/>
      <!-- did we agree on the 'ds:key' here? -->
      <!--xs:element ref="ds:KeyInfo"/-->
    </xs:choice>
  </xs:complexType>
  <!-- -->
  <xs:element name="NameIdentifier" type="xacml:NameIdentifierType"/>
  <xs:complexType name="NameIdentifierType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="Format" type="xs:anyURI" use="required"/>
        <xs:attribute name="NameQualifier" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="AnyURI" type="xs:anyURI"/>
  <!-- -->
  <xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType"/>
  <xs:complexType name="AttributeDesignatorType">
    <xs:sequence>
      <!-- Holder is the PrincipalID element value when Attribute is used in a Principal -->
      <xs:element ref="xacml:Holder" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="AttributeName" type="xs:anyURI" use="required"/>
    <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
    <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
    <xs:attribute name="AttributeLocator" type="xs:string" use="optional"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="Holder" type="xacml:PrincipalIDType"/>
  <!-- -->
  <xs:element name="Attribute" type="xacml:AttributeType"/>
  <xs:complexType name="AttributeType">
    <xs:complexContent>
      <xs:extension base="xacml:AttributeDesignatorType">
        <xs:sequence>
          <xs:element ref="xacml:AttributeValue"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
  <xs:complexType name="AttributeValueType">
    <xs:sequence>
      <xs:any maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:element name="ContextResources" type="xacml:ContextResourcesType"/>
  <xs:complexType name="ContextResourcesType">
    <xs:choice>
      <!--xs:element ref="xacml:ComplexResource" minOccurs="1" maxOccurs="1"/-->
      <xs:element ref="xacml:Resource" minOccurs="1" maxOccurs="unbounded"/>
    </xs:choice>
  </xs:complexType>
  <!-- -->
  <xs:element name="Resource" type="xacml:ResourceType"/>
  <xs:complexType name="ResourceType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceSpecifier" maxOccurs="1"/>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
      <!-- Actions are nested under Resource so each action is bound to one resource -->
      <xs:element ref="xacml:Action" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <!--xs:element name="ComplexResource" type="xacml:ComplexResourceType"/-->
  <!--xs:complexType name="ComplexResourceType"-->
  <!-- Not yet defined: a relational tree structure of Resource -->
  <!--/xs:complexType-->
  <!-- -->
  <xs:element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
  <xs:complexType name="ResourceSpecifierType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceContent" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="ResourceContent" type="xacml:ResourceContentType"/>
  <xs:complexType name="ResourceContentType">
    <xs:sequence>
      <xs:any maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:element name="Action" type="xs:string"/>
  <!-- -->
  <xs:element name="ContextOther" type="xacml:ContextOtherType"/>
  <xs:complexType name="ContextOtherType">
    <xs:sequence>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:complexType name="DecisionType">
    <xs:attribute name="ResourceName" type="xs:anyURI"/>
    <xs:attribute name="Action" type="xs:anyURI"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="Permit" type="xacml:EffectDecisionType"/>
  <xs:element name="Deny" type="xacml:EffectDecisionType"/>
  <xs:complexType name="EffectDecisionType">
    <xs:complexContent>
      <xs:extension base="xacml:DecisionType">
        <xs:sequence>
          <xs:element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="Obligation" type="xacml:ObligationType"/>
  <xs:complexType name="ObligationType">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ObligationName" type="xs:anyURI"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="Indeterminate" type="xacml:IndeterminateType"/>
  <xs:complexType name="IndeterminateType">
    <xs:complexContent>
      <xs:extension base="xacml:DecisionType">
        <xs:sequence>
          <xs:element ref="xacml:Advice" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="Advice" type="xacml:AdviceType"/>
  <xs:complexType name="AdviceType">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="AdviceName" type="xs:anyURI"/>
  </xs:complexType>
</xs:schema>
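Two of the design points in Anne's list are the RequestID that lets a response be matched to a specific request and the nesting of actions under Resource so that each action is bound to one resource. The following is an added example, not code from the thread or the XACML TC: a small policy enforcement point (PEP) side check, written against the draft context namespace from the posted schema using only the Python standard library. The instance documents are constructed for illustration; the URNs in them are placeholders. It rejects a ResponseContext whose RequestID does not match, and a decision whose ResourceName/Action pair was never requested, which guards against applying a decision to the wrong request or resource.

```python
"""Correlate a draft XACML ResponseContext with the RequestContext it answers.

Added example, not code from the XACML TC thread. It relies only on the Python
standard library and on the draft context namespace from the posted schema;
the instance documents below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = "http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
X = "{%s}" % NS  # Clark notation used by ElementTree for namespaced tags

# Constructed request: one requesting user, two resources with distinct actions.
# Per the schema, Action sits under Resource, so each action is tied to one resource.
REQUEST_XML = f"""<RequestContext xmlns="{NS}" RequestID="req-0001">
  <ContextPrincipals>
    <Principal PrincipalType="xacml:RequestingUser">
      <PrincipalID>
        <NameIdentifier Format="urn:example:format:email">alice@example.com</NameIdentifier>
      </PrincipalID>
      <Attribute AttributeName="urn:example:attribute:role">
        <AttributeValue>clerk</AttributeValue>
      </Attribute>
    </Principal>
  </ContextPrincipals>
  <ContextResources>
    <Resource>
      <ResourceSpecifier ResourceURI="urn:example:record:42"/>
      <Action>urn:example:action:read</Action>
    </Resource>
    <Resource>
      <ResourceSpecifier ResourceURI="urn:example:record:43"/>
      <Action>urn:example:action:write</Action>
    </Resource>
  </ContextResources>
  <ContextOther/>
</RequestContext>"""

# Constructed response: the PDP permits the read on record 42 and attaches one obligation.
RESPONSE_XML = f"""<ResponseContext xmlns="{NS}" RequestID="req-0001">
  <Permit ResourceName="urn:example:record:42" Action="urn:example:action:read">
    <Obligation ObligationName="urn:example:obligation:log-access"/>
  </Permit>
</ResponseContext>"""


def requested_actions(request_root):
    """Map each ResourceURI in the request to the set of actions requested on it."""
    wanted = {}
    for res in request_root.iter(X + "Resource"):
        spec = res.find(X + "ResourceSpecifier")
        uri = spec.get("ResourceURI") if spec is not None else None
        wanted.setdefault(uri, set()).update(a.text for a in res.findall(X + "Action"))
    return wanted


def match_response(request_xml, response_xml):
    """Return the decision for this request, or raise ValueError if the response
    does not belong to it or refers to a resource/action that was never requested."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    # RequestID is copied from the request; a decision for another request is not accepted.
    if req.get("RequestID") != resp.get("RequestID"):
        raise ValueError("RequestID mismatch: response does not answer this request")
    decisions = [c for c in resp if c.tag in (X + "Permit", X + "Deny", X + "Indeterminate")]
    if len(decisions) != 1:
        raise ValueError("ResponseContext must carry exactly one decision element")
    decision = decisions[0]
    kind = decision.tag[len(X):]
    wanted = requested_actions(req)
    rname, action = decision.get("ResourceName"), decision.get("Action")
    if action not in wanted.get(rname, ()):
        raise ValueError(f"decision is for {rname}/{action}, which this request did not ask for")
    return {
        "decision": kind,
        # Obligations accompany Permit/Deny; a PEP that cannot carry them out
        # must not act on the decision as if they were absent.
        "obligations": [o.get("ObligationName") for o in decision.findall(X + "Obligation")],
        # Advice accompanies Indeterminate in this draft.
        "advice": [a.get("AdviceName") for a in decision.findall(X + "Advice")],
    }


def is_answer_to(request_xml, response_xml):
    """Boolean convenience wrapper around match_response."""
    try:
        match_response(request_xml, response_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(match_response(REQUEST_XML, RESPONSE_XML))
```

Running the module prints the Permit for record 42 with its obligation; a response carrying a different RequestID, or a Permit for record 43 with the read action (record 43 was only requested for write), is rejected. Schema validation itself is not performed here, since the standard library does not ship an XML Schema validator; the checks above are the correlation logic a PEP would apply after validation.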