Subject: [xacml] XACML Request as "notional" XML document

Tim had asked me to ask Eve Maler what she thought about our idea
of the XACML Request being a "notional" document, rather than a
physical document.  I see two "issues" from her response:

1. Should we rename XACML "Request" to "Query"?
2. Do we want to incur the cost of "data bindings" and "COM-based
   processing" to handle references to such a "notional" XML

------- start of forwarded message -------
From: "Eve L. Maler" <eve.maler@sun.com>
To: Anne.Anderson@sun.com
Subject: Re: "notional" XML document
Date: Thu, 18 Jul 2002 15:51:56 -0400

Hi Anne,

A question before I try to answer yours: If the XACML Request element is 
sort of a SAML AuthorizationDecisionQuery, should it really be called a 
Query instead?  SAML's query and request levels really do two different 
things; the request is the wrapper that has some housekeeping stuff and 
the query contains the "guts".

Regarding the notion of notional documents :-): I'm having a little 
trouble picturing what's going on.  I could see a policy being accessed 
in a virtual manner, but why would a request need to be accessed this 
way?  But assuming that it does, there's often no problem in treating 
XML structures virtually rather than physically.  Data bindings and 
DOM-based processing do this; they certainly don't physically walk an 
angle-bracket-laden flat file.  The sort of problem you might have with 
this is dereferencing unique IDs for policies/requests/whatever; you 
just need to be sure that what you're accessing is persistent enough for 
your purposes.

I still may be missing your point, though.  If you think F2F 
conversation might help, perhaps we could get together tomorrow.  (I'm 
working from home today.)  What do you think?


Anne Anderson wrote:
> XACML is defining an XML document, called the xacml:Request, that
> will describe the access request being evaluated.  This document
> is similar to a SAML AuthorizationDecisionQuery, but is designed
> for XACML requirements and extensibility (it is easy to map a
> SAML AuthorizationDecisionQuery into the XACML document, and
> being able to do so was a strong requirement for us).
> We are treating this Request as a "notional" document, rather
> than necessarily as a physical XML document.  Tim Moses suggested
> I ask you about your opinion on this.
> By "notional" document, I mean that an XACML policy can "refer"
> to the information in the Request document that is not physically
> in any single XML document.  For example, my XACML policy can
> refer to a "Role" attribute in the "Subjects" section of the
> Request, and have that reference trigger a behind the scenes
> query to an Attribute Authority to obtain the value of such an
> attribute for the subject.  The reference results in the value
> for the attribute, if it was found by the AA, just as if the
> value had been in a physical document somewhere.  If no value
> could be obtained, the reference results in a "null" value or
> error, just as if the value were not in a physical document.
> Any comments?
> Anne

Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 883 5917
XML Web Services / Industry Initiatives      eve.maler @ sun.com

------- end of forwarded message -------

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
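The mechanism Anne describes in the quoted message, a policy reference to an attribute that is not physically present in the Request and is instead resolved by a behind-the-scenes query to an Attribute Authority, is shown below as an added illustration. It is not code from the thread, from XACML or from any XACML implementation: the `NotionalRequest` class, the `role_authority` function, the `MISSING` sentinel, the single-rule policy and the directory contents are all constructed for this example. It also covers Eve's persistence caveat by caching each resolved value for the lifetime of one evaluation, so that a policy that reads the same attribute twice sees one consistent answer.

```python
"""Added example (not part of the original thread): a "notional" XACML Request.

A policy refers to attributes by (category, attribute-id). The request
context holds whatever attributes arrived physically in the request
message; anything else is resolved on demand by querying one or more
Attribute Authorities. A miss yields a sentinel rather than a value, and
the policy decides whether that means Deny or Indeterminate. All names,
directory entries and policy logic here are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Sentinel meaning "no value could be obtained from any source".
MISSING = object()

AttributeKey = Tuple[str, str]  # (category, attribute-id)
# An Attribute Authority receives the category, the attribute id and the
# physically present subject attributes, and returns a value or None.
AttributeAuthority = Callable[[str, str, Dict[str, str]], Optional[str]]


@dataclass
class NotionalRequest:
    physical: Dict[AttributeKey, str]                 # attributes in the request message
    authorities: List[AttributeAuthority] = field(default_factory=list)
    cache: Dict[AttributeKey, object] = field(default_factory=dict)
    lookups: int = 0                                  # AA queries issued so far

    def get(self, category: str, attr_id: str):
        """Return the attribute value, querying authorities if it is not physical."""
        key = (category, attr_id)
        if key in self.physical:
            return self.physical[key]
        # Persistence caveat: a value resolved once stays fixed for this
        # evaluation, even if the authority would answer differently later.
        if key in self.cache:
            return self.cache[key]
        subject_context = {k[1]: v for k, v in self.physical.items() if k[0] == "Subjects"}
        for authority in self.authorities:
            self.lookups += 1
            value = authority(category, attr_id, subject_context)
            if value is not None:
                self.cache[key] = value
                return value
        self.cache[key] = MISSING
        return MISSING


# Constructed directory standing in for an Attribute Authority's backing store.
ROLE_DIRECTORY = {"alice": "manager", "bob": "clerk"}


def role_authority(category: str, attr_id: str, subject_context: Dict[str, str]) -> Optional[str]:
    """Hypothetical AA that only knows the Subjects/Role attribute."""
    if category != "Subjects" or attr_id != "Role":
        return None
    return ROLE_DIRECTORY.get(subject_context.get("subject-id"))


def evaluate_policy(request: NotionalRequest) -> str:
    """Constructed single-rule policy: Permit 'approve' for managers, Deny other
    roles, Indeterminate when Role cannot be obtained (must-be-present semantics)."""
    if request.get("Action", "action-id") != "approve":
        return "NotApplicable"
    role = request.get("Subjects", "Role")
    if role is MISSING:
        return "Indeterminate"
    return "Permit" if role == "manager" else "Deny"


def decide(subject_id: str, action: str, authorities=(role_authority,)) -> Tuple[str, int]:
    """Build a request whose only physical attributes are subject-id and
    action-id, evaluate it, and report the decision plus AA queries issued."""
    request = NotionalRequest(
        physical={("Subjects", "subject-id"): subject_id, ("Action", "action-id"): action},
        authorities=list(authorities),
    )
    return evaluate_policy(request), request.lookups


if __name__ == "__main__":
    for subject, action in [("alice", "approve"), ("bob", "approve"),
                            ("carol", "approve"), ("alice", "read")]:
        print(subject, action, decide(subject, action))
```

The "notional" part is that `evaluate_policy` reads `Subjects/Role` exactly as it would read an attribute carried in the request message; whether the value came from the message, from an authority, or could not be obtained at all is invisible to the rule, except through the `MISSING` sentinel that maps onto a null or error result as the quoted message describes.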
