Subject: RE: [xacml] New target schema
Maybe it is more consistent to introduce a data type: "xpath_expression"?

And also: that should be handled as an extension for the standard, IMO. Any implementation will have such needs (I need SQL expressions, and enumerations, and so on...).

We should not put too much stuff into the base standard and make it too hard to implement a minimal complying application. And probably return to the discussion on whether we should make a "declaration" schema earlier rather than later - it is obvious many implementations will need various extensions right away.

BTW - what will be a logical way to make the restriction on comparator functions used in context extensible? Can it be restricted to any function with two arguments that returns a boolean? (It would be a runtime error if the datatypes can not be legally (as declared) converted to the needed datatypes.)
Daniel
3. I need an "xpath-match" function that compares two xpath expressions. It is used in the XML document access control use case. In the example below, a node set determined by a location path specified in the 'access' attribute in the request context has one or more items that are determined by the "//phone" xpath expression (some match equality semantics). If the attribute specified in the request context is "/a/b/phone", then it matches "//phone". Then it is applicable.
<Rule>
  <Target>
    ...
    <Resource>
      <AttributeDesignator
          Match="xpath-match"
          DataType="xs:string"
          Designator="/Request/Resources/ResourceAttribute/AttributeMetaData[@Name='access']/../AttributeValue"/>
      <Attribute>
        <Value DataType="xs:string">//phone</Value>
      </Attribute>
    </Resource>
    ...
  </Target>
</Rule>
5. Again, we need to define a support level for each function in terms of quick implementation.

Michiharu
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
Tim Moses <tim.moses@entrust.com>
To: "'XACML'" <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] New target schema
2002/07/16 04:11
Please respond to Tim Moses
Colleagues - What do people think of this? ...

1. Treats "action" in a way that is identical to the other components of target.
2. Doesn't have a reserved value to indicate 'all'. The value of Attribute and the MatchFunction have to be chosen to indicate 'all', if that is what is desired.
3. All the equality operators are included. Perhaps some should not be allowed for the purposes of target.
4. Function will extend the MatchFunction list.
5. Do the function enumeration values have to be URIs? A string like "numeric-equal" would be more succinct. If we feel that function definitions would need a namespace qualifier, then we might as well leave the function name as a URI.
6. String-match uses the regular expression syntax.

Let me have your thoughts.

All the best. Tim.
<xs:complexType name="TargetType">
  <xs:sequence>
    <xs:element name="Subjects" type="xacml:MatchType" maxOccurs="unbounded"/>
    <xs:element name="Resources" type="xacml:MatchType" maxOccurs="unbounded"/>
    <xs:element name="Actions" type="xacml:MatchType" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>
<!-- -->
<xs:complexType name="MatchType">
  <xs:sequence>
    <xs:element ref="xacml:AttributeDesignator"/>
    <xs:element ref="xacml:Attribute"/>
  </xs:sequence>
  <xs:attribute name="Match" type="xacml:MatchFunctionType"/>
</xs:complexType>
<!-- -->
<xs:simpleType name="MatchFunctionType">
  <xs:restriction base="xs:anyURI">
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:numeric-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:boolean-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:string-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:date-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:time-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:datetime-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:yearMonthDuration-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:dayTimeDuration-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:gregorian-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:hex-binary-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:base64-binary-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:anyURI-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:QName-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:NOTATION-equal"/>
    <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:string-match"/>
  </xs:restriction>
</xs:simpleType>
-----------------------------------------
Tim Moses
Tel: 613.270.3183
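The evaluator below is an added example, not code from this thread or from the XACML TC: it shows how a PDP could evaluate Tim's proposed Target/Match structure with a function registry keyed by the operator URIs from the schema (so an implementation can register extensions, as Daniel asks), and registers Michiharu's xpath-match under a made-up extension URI. It assumes any-of semantics within a component and all-of across components, absolute location paths only, and Python's ElementTree as the XPath engine (child axis and // only).

```python
# Added example (not the thread's code): toy evaluator for the proposed Target/Match
# structure; xpath-match is registered under a hypothetical extension URI.
import re
import xml.etree.ElementTree as ET

OP = "urn:oasis:names:tc:XACML:0.15g:operator:"
XPATH_MATCH = "urn:example:xacml:operator:xpath-match"  # hypothetical, not in the schema

def wrap_document(xml_text):
    """Put the document under a synthetic container so absolute paths work in ElementTree."""
    container = ET.Element("container")
    container.append(ET.fromstring(xml_text))
    return container

def xpath_match(requested, rule_expr, doc):
    """True when the node set selected by the requested location path shares at
    least one node with the node set selected by the rule's expression."""
    def node_ids(path):
        # Absolute paths only ("/a/b/phone", "//phone"); re-rooted under the container.
        return {id(n) for n in doc.findall("." + path)}
    return bool(node_ids(requested) & node_ids(rule_expr))

MATCH_FUNCTIONS = {  # (request value, rule value, resource document) -> bool
    OP + "string-equal": lambda a, b, _d: a == b,
    OP + "numeric-equal": lambda a, b, _d: float(a) == float(b),
    OP + "string-match": lambda a, b, _d: re.fullmatch(b, a) is not None,
    XPATH_MATCH: xpath_match,
}

def evaluate_target(target, request, doc=None):
    """Assumed semantics: a component (Subjects/Resources/Actions) applies if any of
    its Match triples (designator, function URI, literal) holds against the request
    context; the Target applies only if every component does."""
    return all(
        any(MATCH_FUNCTIONS[uri](request[comp][designator], literal, doc)
            for designator, uri, literal in matches)
        for comp, matches in target.items())

# Constructed sample: Michiharu's use case (access "/a/b/phone" vs "//phone"), with
# "all actions" expressed as string-match ".*" rather than a reserved value.
RESOURCE_XML = "<a><b><phone>555-0100</phone></b><fax>555-0199</fax></a>"
TARGET = {
    "Subjects": [("role", OP + "string-equal", "doctor")],
    "Resources": [("access", XPATH_MATCH, "//phone")],
    "Actions": [("action", OP + "string-match", ".*")],
}

def demo(access_path, role="doctor"):
    request = {"Subjects": {"role": role}, "Resources": {"access": access_path},
               "Actions": {"action": "read"}}
    return evaluate_target(TARGET, request, wrap_document(RESOURCE_XML))
```

An unknown function URI raises KeyError from the registry, which is the "unsupported function" error a minimal implementation would report.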