Subject: [xacml] extending xacml semantics
Currently there are no semantics associated with the 'subject' and 'resource' definitions in the 'target' of a rule. The only thing we do is match an attribute designator with an attribute value. Although there was a decision made not to have such semantics, I find it limiting.
I propose to allow new elements in the rule target that convey the semantics of an attribute. It is accomplished by wrapping subject-match with a <subject-class> element, like this:
<rule>
  <target>
    <subjects>
      <subject>
        <!-- this element is new -->
        <subject-class class-id="urn:oasis:names:tc:xacml:1.0:subject:class:group">
          <subject-match match-id="function:string-equal">
            <subject-attribute-designator attribute-id="security-role"
                category="urn:oasis:names:tc:xacml:subject:access-subject"/>
            <attribute-value>admin</attribute-value>
          </subject-match>
        </subject-class>
      </subject>
    </subjects>
    <!-- .... etc ... -->
  </target>
</rule>
This syntax allows us to reason about the subject of a rule. (The same applies to resource.) It states not only how to match a subject attribute, but also what this attribute is, namely a group.
I hope this proposal did not come too late, but if it did, we can consider it for xacml 1.x.
Simon
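To show what a policy decision point could do with the proposed wrapper, here is a small evaluator written for this page; it is an added example, not code from the mail, from the XACML TC or from any XACML implementation. It parses a rule target in the proposed syntax, evaluates each subject-match against the subject attributes of a request, and reports the class-id of each subject-class whose matches succeeded, which is exactly the extra information the wrapper carries. The element and attribute names are taken from the snippet above; the request attribute dictionary, the function table keyed by match-id and the "missing attribute never matches" choice are assumptions of this example only.

```python
"""
Added example (not part of the proposal or of any XACML implementation):
a minimal evaluator for the proposed <subject-class> wrapper around
<subject-match>. It returns both whether the rule's subject section matched
and which subject classes (e.g. the "group" class URN) the matched
attributes belong to.
"""
import xml.etree.ElementTree as ET

# Constructed rule target using the proposed <subject-class> wrapper.
RULE_XML = """
<rule>
  <target>
    <subjects>
      <subject>
        <subject-class class-id="urn:oasis:names:tc:xacml:1.0:subject:class:group">
          <subject-match match-id="function:string-equal">
            <subject-attribute-designator attribute-id="security-role"
                category="urn:oasis:names:tc:xacml:subject:access-subject"/>
            <attribute-value>admin</attribute-value>
          </subject-match>
        </subject-class>
      </subject>
    </subjects>
  </target>
</rule>
"""

# Match functions keyed by match-id; only the one used in the mail is defined.
# The table itself is an assumption of this example.
MATCH_FUNCTIONS = {
    "function:string-equal": lambda attr, value: attr == value,
}


def evaluate_subject_match(match_el, request_subject):
    """Return True if the request's subject attribute satisfies this <subject-match>."""
    designator = match_el.find("subject-attribute-designator")
    value_el = match_el.find("attribute-value")
    fn = MATCH_FUNCTIONS.get(match_el.get("match-id"))
    if designator is None or value_el is None or fn is None:
        return False  # malformed match or unknown function: treat as no match
    attr_id = designator.get("attribute-id")
    if attr_id not in request_subject:
        return False  # assumption: a missing attribute simply does not match
    return fn(request_subject[attr_id], value_el.text or "")


def classify_subject(rule_xml, request_subject):
    """
    Evaluate the <subjects> part of the rule target.

    Returns (matched, classes): `matched` is True if at least one <subject>
    element had all of its <subject-match> children satisfied (conjunction
    within a subject, disjunction across subjects); `classes` lists the
    class-id of every <subject-class> inside a matched <subject>, so a caller
    can reason about *what kind* of attribute matched, not just that it did.
    """
    rule = ET.fromstring(rule_xml.strip())
    matched_classes = []
    any_subject_matched = False
    for subject in rule.iterfind("./target/subjects/subject"):
        matches = list(subject.iter("subject-match"))
        if matches and all(evaluate_subject_match(m, request_subject) for m in matches):
            any_subject_matched = True
            for cls in subject.iterfind("subject-class"):
                matched_classes.append(cls.get("class-id"))
    return any_subject_matched, matched_classes


if __name__ == "__main__":
    # Constructed request: the access subject carries the security-role attribute.
    print(classify_subject(RULE_XML, {"security-role": "admin"}))
    print(classify_subject(RULE_XML, {"security-role": "user"}))
```

With the admin request the evaluator reports a match together with the group class URN; with any other role, or with the attribute absent, it reports no match and no classes. Keeping the class list separate from the boolean result is the point of the wrapper: the match logic is unchanged, and the class-id is available to whatever sits above the matcher (audit logging, policy analysis) without inspecting the attribute-id strings themselves.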