Subject: RE: [xacml] Request and Response Context Schemas - Take 2


Hi Anne

Why do you want to remove the AttributeFamily?  Our implementation intends to use this value to handle the Federation case as I explained at the F2F.  Yes, one could pass the AttributeFamily by combining it with the AttributeName, but then one has to parse the AttributeName to get the AttributeFamily.  The AttributeFamily as a separate element or attribute is cleaner and more understandable to implementers.

Don

-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Tuesday, June 04, 2002 12:46 PM
To: XACML TC
Subject: [xacml] Request and Response Context Schemas - Take 2


I have modified Simon's proposed schemas according to my proposed
ContextPrincipals definition.  I have also made the following
further changes based on comments from my group here and from the
concalls.  This has NOT been run through a validator.

- SimplePrincipal is now just Principal.
- ContextResource has been expanded to ContextResources,
  comparable to the expansion of Principal/ContextPrincipal to
  ContextPrincipals.  I think Michiharu suggested that we may
  want to allow for multiple resources, and I think it is also a
  good idea.
- I added a saml:IDType attribute to the RequestContext and the
  ResponseContext.  This is so that a response decision can be
  matched against a specific request.
- ContextActions is now an element under a Resource.  If we ever
  expect to have multiple resources, we need to know which
  actions go with which resource, and this makes that
  association.
- AttributeFamily is eliminated, and AttributeName is
  type="xs:anyURI".
- Issuer, IssueInstant attributes are made optional.
- AbstractPrincipal is eliminated.  In its place, a PrincipalID
  element is defined to hold the ways of identifying a given
  principal, either in a Principal or in an Attribute.
- HolderType is eliminated.  It is now PrincipalID.

Polar, I don't think we are ready to define ComplexPrincipalType.
I left a place-holder for it, but I think it needs a lot more
discussion.  The sequence of role-identified Principals is an
attempt to deal with what we know now.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

<?xml version="1.0" encoding="UTF-8"?>
<!-- Title: Proposed Request and Response Context Schemas -->
<!-- Version: 1.1, 02/06/04 (yy/mm/dd) -->
<!-- Author:  Anne Anderson -->
<!-- Source:  /home/aa74233/docs/XACML/SCCS/s.ReqRespContextSchema.txt -->
<xs:schema targetNamespace="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xacml="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<!-- The saml prefix is needed for saml:IDType below; the SAML 1.0 assertion namespace is assumed here -->
	<xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
	<!-- -->
	<xs:element name="RequestContext" type="xacml:RequestContextType"/>
	<xs:complexType name="RequestContextType">
		<xs:sequence>
			<xs:element ref="xacml:ContextPrincipals"/>
			<xs:element ref="xacml:ContextResources"/>
			<xs:element ref="xacml:ContextOther"/>
		</xs:sequence>
        <!-- IDType must be unique identifier -->
        <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ResponseContext" type="xacml:ResponseContextType"/>
	<xs:complexType name="ResponseContextType">
		<xs:choice>
			<xs:element ref="xacml:Permit"/>
			<xs:element ref="xacml:Deny"/>
			<xs:element ref="xacml:Indeterminate"/>
		</xs:choice>
        <!-- RequestID must be copied from the request context
             for which this is the response. -->
        <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
	</xs:complexType>
    <!-- -->
    <xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
    <xs:complexType name="ContextPrincipalsType">
        <xs:choice>
            <!--xs:element ref="xacml:ComplexPrincipal" minOccurs="1" maxOccurs="1"/-->
            <xs:element ref="xacml:Principal" minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
    </xs:complexType>
    <!-- -->
	<xs:element name="Principal" type="xacml:PrincipalType"/>
	<xs:complexType name="PrincipalType">
		<xs:sequence>
			<xs:element ref="xacml:PrincipalID" minOccurs="0" maxOccurs="1"/>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
        <!-- PrincipalType examples: j2se:CodeSource xacml:RequestingUser -->
        <xs:attribute name="PrincipalType" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<!--xs:element name="ComplexPrincipal" type="xacml:ComplexPrincipalType"/-->
    <!--xs:complexType name="ComplexPrincipalType"-->
        <!-- Not yet defined: a relational tree structure of Principal -->
    <!--/xs:complexType-->
    <!-- -->
    <xs:element name="PrincipalID" type="xacml:PrincipalIDType"/>
    <xs:complexType name="PrincipalIDType">
        <xs:choice>
		    <xs:element ref="xacml:NameIdentifier"/>
			<!-- did we agree on the 'ds:key' here? -->
			<!--xs:element ref="ds:KeyInfo"/-->
		</xs:choice>
	</xs:complexType>
	<!-- -->
	<xs:element name="NameIdentifier" type="xacml:NameIdentifierType"/>
	<xs:complexType name="NameIdentifierType">
		<xs:simpleContent>
			<xs:extension base="xs:string">
				<xs:attribute name="Format" type="xs:anyURI" use="required"/>
				<xs:attribute name="NameQualifier" type="xs:string" use="optional"/>
			</xs:extension>
		</xs:simpleContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="AnyURI" type="xs:anyURI"/>
	<!-- -->
	<xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType"/>
	<xs:complexType name="AttributeDesignatorType">
		<xs:sequence>
            <!-- Holder is the PrincipalID element value when 
                 Attribute is used in a Principal -->
			<xs:element ref="xacml:Holder" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="AttributeName" type="xs:anyURI" use="required"/>
		<xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
		<xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
		<xs:attribute name="AttributeLocator" type="xs:string" use="optional"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Holder" type="xacml:PrincipalIDType"/>
	<!-- -->
	<xs:element name="Attribute" type="xacml:AttributeType"/>
	<xs:complexType name="AttributeType">
		<xs:complexContent>
			<xs:extension base="xacml:AttributeDesignatorType">
				<xs:sequence>
					<xs:element ref="xacml:AttributeValue"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
	<xs:complexType name="AttributeValueType">
		<xs:sequence>
			<xs:any maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="ContextResources" type="xacml:ContextResourcesType"/>
    <xs:complexType name="ContextResourcesType">
        <xs:choice>
            <!--xs:element ref="xacml:ComplexResource" minOccurs="1" maxOccurs="1"/-->
            <xs:element ref="xacml:Resource" minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
    </xs:complexType>
    <!-- -->
    <xs:element name="Resource" type="xacml:ResourceType"/>
	<xs:complexType name="ResourceType">
		<xs:sequence>
			<xs:element ref="xacml:ResourceSpecifier" maxOccurs="1"/>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="xacml:Action" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
    <!--xs:element name="ComplexResource" type="xacml:ComplexResourceType"/-->
    <!--xs:complexType name="ComplexResourceType"-->
        <!-- Not yet defined: a relational tree structure of Resource -->
    <!--/xs:complexType-->
	<!-- -->
	<xs:element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
	<xs:complexType name="ResourceSpecifierType">
		<xs:sequence>
			<xs:element ref="xacml:ResourceContent" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ResourceContent" type="xacml:ResourceContentType"/>
	<xs:complexType name="ResourceContentType">
		<xs:sequence>
			<xs:any maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Action" type="xs:string"/>
	<!-- -->
	<xs:element name="ContextOther" type="xacml:ContextOtherType"/>
	<xs:complexType name="ContextOtherType">
		<xs:sequence>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:complexType name="DecisionType">
		<xs:attribute name="ResourceName" type="xs:anyURI"/>
		<xs:attribute name="Action" type="xs:anyURI"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Permit" type="xacml:EffectDecisionType"/>
	<xs:element name="Deny" type="xacml:EffectDecisionType"/>
	<xs:complexType name="EffectDecisionType">
		<xs:complexContent>
			<xs:extension base="xacml:DecisionType">
				<xs:sequence>
					<xs:element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="Obligation" type="xacml:ObligationType"/>
	<xs:complexType name="ObligationType">
		<xs:sequence>
			<xs:any minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="ObligationName" type="xs:anyURI"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="Indeterminate" type="xacml:IndeterminateType"/>
	<xs:complexType name="IndeterminateType">
		<xs:complexContent>
			<xs:extension base="xacml:DecisionType">
				<xs:sequence>
					<xs:element ref="xacml:Advice" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="Advice" type="xacml:AdviceType"/>
	<xs:complexType name="AdviceType">
		<xs:sequence>
			<xs:any minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="AdviceName" type="xs:anyURI"/>
	</xs:complexType>
</xs:schema>
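As an added example, not part of this thread or of any TC code: a Python script that builds a RequestContext and a ResponseContext shaped like the Take 2 schema above, reads the principal attributes out of the request, and correlates the response with its request on RequestID as the schema comment requires. The namespace is the schema's targetNamespace; the RequestID, principal, attribute, resource and obligation URIs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# NS is the draft schema's targetNamespace; every URI and ID below is constructed.
NS = "http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
X = {"x": NS}

# Constructed RequestContext: one Principal (PrincipalID plus one Attribute) and one Resource
# carrying its Action. AttributeValue needs an element child, so the schema's AnyURI element is used.
REQUEST = f"""<x:RequestContext xmlns:x="{NS}" RequestID="req-0001">
  <x:ContextPrincipals>
    <x:Principal PrincipalType="urn:example:xacml:RequestingUser">
      <x:PrincipalID><x:NameIdentifier Format="urn:example:email">alice@example.com</x:NameIdentifier></x:PrincipalID>
      <x:Attribute AttributeName="urn:example:attr:role" Issuer="urn:example:hr">
        <x:AttributeValue><x:AnyURI>urn:example:role:auditor</x:AnyURI></x:AttributeValue>
      </x:Attribute>
    </x:Principal>
  </x:ContextPrincipals>
  <x:ContextResources>
    <x:Resource>
      <x:ResourceSpecifier ResourceURI="urn:example:resource:ledger"/>
      <x:Action>read</x:Action>
    </x:Resource>
  </x:ContextResources>
  <x:ContextOther/>
</x:RequestContext>"""

# Constructed ResponseContext; the PDP copies RequestID from the request it answers.
RESPONSE = f"""<x:ResponseContext xmlns:x="{NS}" RequestID="req-0001">
  <x:Permit ResourceName="urn:example:resource:ledger" Action="read">
    <x:Obligation ObligationName="urn:example:obligation:log-access"/>
  </x:Permit>
</x:ResponseContext>"""

def principal_attributes(request_xml):
    """Map each Principal AttributeName to the text of its AttributeValue children."""
    out = {}
    for attr in ET.fromstring(request_xml).findall("x:ContextPrincipals/x:Principal/x:Attribute", X):
        values = [child.text for child in attr.find("x:AttributeValue", X)]
        out.setdefault(attr.get("AttributeName"), []).extend(values)
    return out

def decision_for(request_xml, response_xml):
    """Return (decision, [obligation names]), or None when the response's RequestID does not
    match the request (or carries no decision): a PEP must not act on a response it cannot correlate."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    if resp.get("RequestID") != req.get("RequestID"):
        return None
    for name in ("Permit", "Deny", "Indeterminate"):
        node = resp.find(f"x:{name}", X)
        if node is not None:
            return name, [o.get("ObligationName") for o in node.findall("x:Obligation", X)]
```

ElementTree does not validate against the schema; the two documents are shaped to it by hand, so a schema-aware validator would still be needed to check conformance.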

