OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [xacml] Fwd: Updated Schema Issues list

See attached mail message.

Anne Anderson       Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA
--- Begin Message ---
Title:   XACML schema issues
Author:  Anne Anderson


34. [Michiharu] XPath Subset

    <AttributeSelector> is used to specify XPath expression in
    the <target> element. I am assuming that
    <AttributeDesignator> will be used for the expression without
    XPath. Four new (non-mandatory) functions are used to compare


    <XPathVersion> element in <Defaults> element is used to
    specify the version of the XPath expression used in the
    policy. Schema definition will be posted by Simon.

    CLOSED: we don't place any restrictions on XPath usage in XACML
    1.0.  We may give some typical XPath uses in the spec as
    informational. We may define a subset for 1.1 or later.

36. [Anne] attribute references and indeterminate results
    Long, verbose, religious, tedious thread starts with:
    Subsidiary thread (pdp status element):

    Some sub-issues and options

    Order of evaluation
    a. In what order MUST arguments be evaluated
       Implementation-dependent unless the function definition
       specifies an order.  orderedOr and orderedAne are the only
       standard functions we have defined that specifies an order.
    b. MUST all arguments be evaluated?
       No, if a result can be returned without evaluating all.  You
       could define a custom function that requires evaluating all
       arguments, but none of our standard functions does this.
    c. MAY all arguments be evaluated, even if not required to reach a
       function result?
       Yes, but can never change the overall result.

    Operational errors (e.g. divide by 0) and missing information
       (AttributeDesignator freturns empty set)
    a. Reporting of errors via the response obtained while evaluating
       a request by PDP:

       Reporting by PDP in the Response is optional.  PDP MAY include
       error information in the Status element of the Response.  PEP
       must not depend on the PDP supplying this information.

    b. Operational errors and missing information are handled as follows
       - Standard OR and ORDERED-OR implementation:

         Evaluate arguments in any order (or in specified order)
         IF (you receive an error or null AttributeDesignator result) {
             Go on to next argument evaluation unless all evaluated
             IF (you get at least one TRUE) {
                  return TRUE
             } ELSE {
                  return error (which may be a set of errors)
         } ELSE IF (you get at least one TRUE) {
              return TRUE
         } ELSE {
              return FALSE

       - Standard AND and ORDERED-AND implementation:

         Evaluate arguments in any order (or in specified order)
         IF (you receive an error) {
             Go on to next argument evaluation unless all evaluated
             IF (you get at least one FALSE) {
                  return FALSE
             } ELSE {
                  return error (which may be a set of errors)
         } ELSE IF (you get at least one FALSE) {
              return FALSE
         } ELSE {
              return TRUE

       - function:present: returns TRUE if argument is
         not empty set.  Returns FALSE if argument is empty set.  If
         evaluating argument results in an error, return error.
       - function:not  returns TRUE if argument is FALSE,
         returns FALSE if argument is TRUE.  If argument results in an
         error, return error.
       - Other standard functions: return "error" if any argument is an
         error or if an operational error in computing the function
       - Custom functions must behave like "Other standard functions"
         unless specific handling of errors is specified.

    c. What is Rule result if Condition evaluates to (exactly same as
       table in v15 of specification):
       - operational Error?
         INDETERMINATE(error=operational error)
       - "necessary information not available"?
         INDETERMINATE (error=missing information)
       - FALSE?
       - TRUE?
         PERMIT or DENY (as specified in rule's Effect)

    d. What is Rule result if Target evaluates to FALSE?

    e. Combining Algorithms must specify how PERMIT, DENY,
       INDETERMINATE, and NOT APPLICABLE are handled.  Standard
       algorithms already do this.

    f. If operational errors are reported, how is the type of
       error reported?
       Reported via Status element in Response

    CLOSED: See decisions above.

37. [Michiharu] Use of XPath with namespaces.

    Namespace URI functions and Global Name functions.  Another
    option: namespace prefix in the XPATH expression, but this
    needs some assumptions on the target document.

    CLOSED: We will explain this in usage examples.

38. [Daniel] Split non-null-set-intersection function
    http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [1)]
    [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html

    Split non-null-set-intersection into intersection(xs:list, xs:list)
    - returning xs:list and not-empty(xs:list), returning boolean.

    [Michiharu] XPATH 2.0 does not use xs:list.  xs:list is an awkward
    type to use.  Recommend use of xs:list and functions that require
    it not be mandatory.

    XPATH 2.0 returns <sequence>, which may be empty.

    CLOSED: Daniel and Polar presented a collection of functions that operate
    on sequences.  These were accepted.  These functions include
    operations for intersection, etc. on sequences.

44. [Simon] Schema for advice/status in xacml:Response

    CLOSED: Use Response schema in 16a, which replaces xacml:Advice
    with xacml:Status schema.  XSLT that transforms xacml:Response
    into saml:AuthorizationDecisionResponse will translate certain
    xacml:Status values into saml:Advice elements.  Status is allowed
    with any DecisionType value (Permit, Deny, Indeterminate,
    NotApplicable).  Status element will be copied entirely into
    saml:Advice element.

45. [All] Can AttributeDesignator be simpler than XPATH?
    [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00095.html
    [Simon] http://lists.oasis-open.org/archives/xacml/200207/msg00130.html
    [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00131.html
    [Simon example] http://lists.oasis-open.org/archives/xacml/200207/msg00152.html

    CLOSED: Use Simon's proposal.  This 1) flattens the Context, 2)
    includes AttributeSelector (not mandatory to implement) for when
    you want/need to use XPATH, and 3) includes AttributeDesignator
    (mandatory) for referencing XACML-defined elements of the Request
    context.  Either XPATH or application-specific functions will be
    required for retrieving sub-components of an attribute or of the
    resource content.

46. [Anne] Replace saml:AssertionType with xacml:AssertionType
    Error in mailing: "sequence" should be "choice".

    saml: Assertion currently referenced only in PolicySetType (as
       PolicyAssertion and PolicySetAssertion).  Should also have a
       Policy[Set]Designator in this list.  Note: we have no way in
       XACML syntax to refer to any elements an Assertion header.
       Only a Combining Algorithm could possibly refer to anything in
       an Assertion header.

    1. Extend saml:AssertionType to include element
       ref="xacml:PolicySetStatement" and element
    2. Define our own xacml:AssertionType.
    3. Don't try to deal with assertions in XACML schema at all.
       Remove AssertionDesignator, PolicySetAssertion, and
       PolicyAssertion from xacml:PolicySetType.

    CLOSED: #3.

49. [Michiharu] Which regular expression definition to use?

    1. Use definitions specified in XML Schema part 2: Datatypes,
       Appendix F Regular Expressions.
    2. Basic regular expressions (BRE) as defined in POSIX
       specification 2:
    3. Extended regular expressions (ERE) as defined in POSIX
       specification 2 (these add an "or" metacharacter so you
       can match on one of multiple separate regular expressions)
    4. Use whatever J2SE supports.

    [Michiharu] Since Java 2 SDK 1.4 supports regular expression, I
    think it is sufficient while it is not XML Schema compliant. If
    people prefer regex that is XML Schema-compliant, Xerces (Apache
    XML Parser, free) supports this.

    CLOSED: #1.  Xerces implementation is available in Java and C++.

52. [John Howard] Support OR in Target

    Supporting OR in Target, either explicitly or implicitly,
    would make merging Rule Targets by union to create Policy Target
    easier.  E.g.

       <Rule ID=1>

       <Rule ID=2>
             <Subjects>Category=AccessSubject AND SubjectID=Anne</Subjects>

       <Policy ID=3>
                    <SubjectMatch MatchId="function:X500Name-equals">
                      <AttributeValue DataType="X500Name">
                    <SubjectMatch MatchId="function:string-equal">
                      <AttributeValue DataType="anyURI">
                    <SubjectMatch MatchId="function:string-equal">
                      <AttributeValue DataType="anyURI">
             <Rule ID=1>
             <Rule ID=2>

             <AND> (
                 <OR> (
                 <Subject>Category=AccessSubject AND SubjectID=Anne</Subject>
                 </OR> )
                 <OR> (
                 </OR> )
             </AND> )

    CLOSED: In Target, OR the separate Subject elements, AND the
    SubjectElements within a single Subject just like the
    separate Resource elements.  Then do any AND'ing in the condition
    or in the Rule Target.  Breakout session will verify.

55. [Anne] PDP response when no policies at all apply

       (Use a base policy with PolicyCombiner and Any-Targets if don't
       want this behavior).  Change Response context to have
       NOTAPPLICABLE as a fourth possible DecisionType choice.

56. [Daniel] No-match cases in Rule truth table (Table 1)

    Are these correct?

    CLOSED: See #36.  All correct.

57. [Simon] Should Rule Target be optional?

    Target is now optional in RuleType.  When optional, it is
    equivalent to <anySubject>, <anyResource>, <anyAction>.

    CLOSED: Don't make Target optional unless intended Target of the
    Rule is exactly the Target of the enclosing Policy.

58. [Anne] Order schema definitions alphabetically?

    CLOSED: whatever.

59. [Hal] How to specify semantics of functions.

    Note: XPATH is designed to retrieve selected data.  Our goal is to
    operate on the selected data.

    1. Cut and paste from XPATH 2.0: plus
       a. Distinguish between integer and decimal
       b. Divide by set of Attribute values is an error
       c. [Daniel has a list of other constraints needed]
    2. Omit >2 multiple operands from XACML
    3. Describe algorithm for extending XPATH 2.0 functions to >2
           For operands 1..m {
              Result[m+1]=Function(Result[m], Operand[m+1])
           Return Result[m+1]
    4. Allow >2 operands only for AND, OR, equals-
    5. Use higher-order logic

    CLOSED: Polar and Daniel produced proposal that was approved.
    Simon has updated schema accordingly (16d.xsd).  Full text of
    proposal to be mailed out by Polar; following is just a summary.
    Daniel will still be producing detailed semantics for each
    function.  Simon will be updating schema.

         integer-equals: take 2 arguments of type xs:integer
         *-equals functions: same, taking arguments of type *
         first: returns 1st element out of a sequence
         rest: returns sequence containing all elements from input
            sequence except first one
         length: takes sequence, number of elements in sequenced
              returned as xs:integer 
         member-integer: takes integer-equals, a value of type xs:integer and a
            sequence of values of type xs:integer, and returns an
         empty: takes sequence, returns xs:boolean

    <xs:complexType name="FunctionType">
        <xs:choice minOccurs="0" maxOccurs="unbounded">
            <xs:element ref="xacml:Function"/>
            <xs:element ref="xacml:AttributeValue"/>
            <xs:element ref="xacml:AttributeDesignator"/>
        <xs:attribute name="FunctionId" type="xs:anyURI"
        <!-- legal types for operands and return type are defined in
            the function table -->
    <function FunctionId="member-integer">
        <AtttributeValue DataType="xs:integer>1</AttributeValue>
        <SubjectAttributeDesignator DataType="xs:integer">
    <function FunctionId="integer-add">
        <AtttributeValue DataType="xs:integer>1</AttributeValue>
        <AtttributeValue DataType="xs:integer>1</AttributeValue>

    CLOSED: We agreed on the proposal presented by Daniel and Polar.
    Daniel still has an action item to define the semantics of each
    function, the data types of the arguments, and the data type

60. [Simon] Keep Permit-overrides combining algorithms?

    Note: J2SE PolicyFile has these semantics.

    CLOSED: keep PermitOverrides.

61. [All] Dynamic attributes: how are they referenced and retrieved?

    Define a schema for the "static context"?  This would be used for
    conveying cached attributes in the form of a Request Context
    between cooperating PDPs.

    CLOSED: Perhaps define such a schema for a later version of XACML.
    Dynamic attributes are referenced and retrieved through the
    "notional" XACML Request Context regardless of whether they are
    supplied by the PEP or retrieved from a PIP.

63. [Hal] Simplify AttributeDesignators within Target so not recursive?

    Target should be simple enough for a single LDAP retrieval to get
    the relevant policy, etc.

    CLOSED: no change.
64. Will this TC define a way for PolicyStatement or
    PolicySetStatement to be encapsulated in some sort of Assertion
    for transmission over the network.

    Define way for PolicySetStatement and PolicyStatement to be
    encapsulated in a saml:Assertion.  Current schema supports this
    since PolicySetStatement and PolicyStatement extend

    1. Do not extend saml:StatementAbstractType in
       mandatory-to-implement XACML policy schema.  Define an optional
       extension to saml that extends AssertionType with
       xacml:PolicySetStatement and xacml:PolicyStatement.  Define
       non-mandatory XACML policy schema extension that defines these as
       extensions of saml:StatementAbstractType.

    CLOSED: #1.

Following added July 31 during TC concall and subsequent discussions:

65. [Michiharu] Add Information element to policy schema
    [July 30, 2002 "[xacml] Information element in the policy schema"]

     I have a suggestion about the inclusion of <Information> element in the
     policy. When you extend the core algorithm by using a local algorithm, that
     algorithm may need to refer to some local information (e.g. precedence of
     the rule, specified in the policy) for making decision. But I think there
     is no place to specify such local information in the current policy schema.
     There is a <Description> element but I think it should be used for English
     text. So I would like to add <Information> element below <Rule>,
     <Obligation>, <PolicyStatement>,  and <PolicySetStatement>. I am OK with
     other name if it has the similar meaning. For your information, new schema
     fragments are:

     <xs:element name="Information" type="xacml:InformationType"/>

     <xs:complexType name="InformationType">
                 <xs:any namespace="##any" processContents="lax" minOccurs="0"
           <xs:anyAttribute namespace="##any" processContents="lax"/>

     This element is then added to RuleType, ObligationType,
    PolicySetStatementType, and PolicyStatementType.

    1. Call it "CombiningAlgorithmParameters".
    2. Make semantics "critical", must be understood
    3. Say "implement via non-standard extension if you want it".
    4. Implement as sequence of AttributeType elements (Attribute with
       ID, DataType and optional Issuer plus value)

    CLOSED: implement via non-standard extension if you want it.

66. [Michiharu] Set intersection function arguments

    Current intersection(xs:list, xs:list) and non-empty(xs:list)
    would deal only with white-space separated strings.  If we want
    more complex datatypes for "set" arguments, more specification is

    CLOSED: Daniel and Polar presented a proposal for a collection of
    functions that operate on sequences.  These were accepted.

67. [Daniel] Enforcement of xacml:AttributeValueType xml DataType attribute outside functions

    Should we say anything about how enforcement of the DataType is
    done in AttributeValueType?  Outside of Condition, e.g. in
    Information element, there is no function to enforce the type.

    CLOSED: Without #65 (Information element as sequence of
    AttributeType was only case where Attribute was used without a

68. [Michiharu] XPATH version information via Defaults

    Default element in Rule or PolicyStatement header can specify
    XPATH specification version, etc. rather than having to include
    this information in each element that uses an XPATH expression.

    CLOSED: Default for XACML 1.0 is XPATH 1.0.  This is a default
    facet of AttributeSelector.  If you want to use any other version
    of XPATH, you must specify this facet in each instance of
    AttributeSelector, or you must include a "PolicyDefaults" or
    "PolicySetDefaults" element.  XPath version default is concrete
    instantiation of abstract defaults type.

69. Schema for OR and AND of Target Subjects and Resources

    CLOSED: Simon reviewed this portion of the new schema, and we

70. Multiple policies match LDAP query

    Tim's LDAP profile requires that no more than one policy in the
    database will match a given Request context.

    Do we want to deal with this via required base
    PolicyCombiningAlgorithm?  Otherwise we assume we have one all
    knowing PAP for each PDP.

    Implication: Can we implement the PRP as a dynamic entity that
    "constructs" a base PolicySet on the fly based on the information
    in the Request context.

    DEFER: to post 1.0 along with #71.

71. Does XACML need to specify an LDAP Data model?

    NO: Complex processing; updates hard; matching functions tricky to
    "invert"; not all implementations will want to do it this way.

    YES: PDP can interact with any XACML-LDAP-Profile-compliant PAP to
    retrieve policies.

    DEFER: to post 1.0; identify as a "hot" interoperability topic.

72. [Simon] Does XACML need to specify how to retrieve Attributes using DSML
    Included in Simon's "Attributes and AttributeDesignators".

    Note: in DSML, never have structured values.  They are all
    string, binary, or URI.

    CLOSED: If you want to use DSML, use
    "urn:oasis:names:tc:DSML:2:0:core:attr:<DSML attribute name>" as
    the XACML AttributeId.  Map dsml:value elements to
    xacml:AttributeValue elements if what you get back is
    multi-valued.  Put this into a normative, but non-mandatory "DSML
    Profile for XACML" in our specification.

73. [Simon] What is an AttributeDesignator?

    CLOSED: Anne and Simon wrote up examples and posted them to the

74. [Anne] Attribute identifiers for Context Attributes that were elements

    CLOSED: updated list of identifiers includes all these.

75. [Polar] New combining algorithms

    CLOSED: Add "First Determinate Decision Rule Combining
    Algorithm".  Fixed up "Deny Overrides" description.

--- End Message ---

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC