
Subject: RE: [xacml] How do I require subject not to be a member of a given group?

One error: for a sequence of strings, function string-length will return its length - an integer.

Also - there is no need for a separate sequence-string data type.

I think there is a bit of confusion here: as <AttributeDesignator> specifying xs:string type may return a sequence of strings, as well as one string - our functions ALWAYS should be ready to receive a sequence - it is not a separate data type. When there is only one value (in most cases) needed - it is a sequence of size 1.

In my proposal it may be
<attributevalue type="xs:string">

To specify Jones and Smith as convicted felons to use in (integer-equal 0 (string-length (intersection (attributedesignator name="name") ["Jones", "Smith"]).  - to specify if any name matches anything in the list
It will be 
<attributevalue type="xs:string">

To specify only one, to use in string-equal function (equal name

If there is only one convicted felon, it will have one value. This is to make it compatible with Designators and Selectors - you do not want to specify two different rules for the case when they return several values, or one value - I do not think it is possible.

BTW - for those concerned that it is not user friendly to have all those X-length functions - nothing prohibits the management system to map XACML language into something more user friendly - for example use length() function, that would map into one of type-length ones in the schema - as long as it is always done
-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Wednesday, August 21, 2002 12:27 PM
Subject: [xacml] How do I require subject not to be a member of a given

Daniel: This may be a use case for your issue with specifying a
sequence in an AttributeValue.  Could you let me know if this is
the correct way to do it?

Rule in English: Any subject who is not a member of the
"convicted-felons" group may perform any action on any resource.

Rule in  XACML:

            Any subject who is not a member of the
            convicted-felons group may perform any action on any
        <Condition FunctionId="function:integer-equal">
            <Apply FunctionId="function:integer-length">
                <Apply FunctionId="function:string-intersection">

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
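
The condition discussed in this thread, as an added example that is not part of either message and is not XACML or OASIS code: a designator that always returns a sequence (size 1 for a single value) feeding integer-equal(0, length(intersection(...))). The Python function names, the `require_present` flag and the sample requests are assumptions made for illustration; the last case shows that a request with no "name" attribute yields an empty sequence, so the negative condition is satisfied unless presence is required.

```python
# Added illustration; all names here are hypothetical, not XACML schema identifiers.

FELONS = ["Jones", "Smith"]  # the list used in the thread


def designator(request, name):
    """Resolve an attribute to a sequence: [] if absent, size 1 if single-valued."""
    value = request.get(name)
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return list(value)
    return [value]  # a lone string is a sequence of size 1, not a separate type


def string_intersection(seq_a, seq_b):
    """Strings that occur in both sequences, each reported once."""
    return sorted(set(seq_a) & set(seq_b))


def integer_equal(a, b):
    return a == b


def not_listed(request, attr, listed, require_present=False):
    """integer-equal(0, length(intersection(designator(attr), listed)))."""
    values = designator(request, attr)
    if require_present and not values:
        # Refuse to evaluate a negative condition over a missing attribute.
        raise LookupError(f"attribute {attr!r} missing from request")
    return integer_equal(0, len(string_intersection(values, listed)))


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"name": "Adams"},             # single value -> sequence of size 1
        {"name": ["Adams", "Smith"]},  # several values, one is listed
        {},                            # attribute absent -> empty sequence
    ]
    for req in samples:
        print(req, "->", not_listed(req, "name", FELONS))
```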
