Subject: Re: [xacml] extending xacml semantics


We can call out a small number of classes, such as group, individual, etc.
My main goal here is to be able to establish a hierarchy on subject (or
resource) attributes.
For example, individual is more specific than a group.

Semantics of a class is bound to the attribute. It is most useful to me when
it appears in the 'target'.
Simon

----- Original Message -----
From: "Polar Humenn" <polar@syr.edu>
To: "Simon Godik" <simon@godik.com>
Cc: <xacml@lists.oasis-open.org>
Sent: Monday, September 09, 2002 6:42 AM
Subject: Re: [xacml] extending xacml semantics


>
> First of all, what subject classes are you going to have?
>
> What do they really mean? And do they "mean" the same thing in all
> enterprises?
>
> How do you find it limiting not to have some "semantics" tied to the
> attribute?
>
> -Polar
>
>
> On Sun, 8 Sep 2002, Simon Godik wrote:
>
> > Currently there is no semantics associated with the 'subject' and 'resource' definition in the 'target' of a rule.
> > The only thing we do is match attribute designator with attribute value.
> >
> > Although there was a decision made not to have such semantics, I find it limiting.
> >
> > I propose to allow new elements in the rule target that convey semantics of an attribute.
> >
> > It is accomplished by wrapping subject-match with <subject-class> element, like this:
> >
> > <rule>
> >     <target>
> >         <subjects>
> >             <subject>
> >                 <subject-class class-id="urn:oasis:names:tc:xacml:1.0:subject:class:group"> <!-- this line is new -->
> >                     <subject-match match-id="function:string-equal">
> >                         <subject-attribute-designator attribute-id="security-role" category="urn:oasis:names:tc:xacml:subject:access-subject"/>
> >                         <attribute-value>admin</attribute-value>
> >                     </subject-match>
> >                 </subject-class>
> >             </subject>
> >         </subjects>
> >     .... etc ...
> >     </target>
> > </rule>
> >
> > This syntax allows us to reason about a subject of a rule. (Same applies to resource).
> > It states not only how to match subject attribute, but also what this attribute is, namely a group.
> >
> > I hope this proposal did not come too late, but if it did, we can consider it for xacml 1.x
> >
> > Simon
> >
> >
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
>
>
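As an added example (not code from this thread or from the XACML TC), here is a small Python evaluator for the proposed `<subject-class>` syntax: it parses rules written in that shape, evaluates the string-equal subject match against a request's subject attributes, and uses the class hierarchy Simon describes (an individual is more specific than a group) to choose between applicable rules. The `individual` class URN, the `rule-id`/`effect` attributes and the most-specific-class-wins combining strategy are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:subject:class:"
# Class hierarchy from the thread: individual is more specific than group.
# The 'individual' URN and the numeric ranks are assumptions for this example.
CLASS_RANK = {NS + "group": 1, NS + "individual": 2}

def rule_xml(rid, effect, cls, attr, value):
    """Build one rule in the thread's proposed <subject-class> syntax."""
    return f"""<rule rule-id="{rid}" effect="{effect}"><target><subjects><subject>
  <subject-class class-id="{NS}{cls}">
    <subject-match match-id="function:string-equal">
      <subject-attribute-designator attribute-id="{attr}" category="urn:oasis:names:tc:xacml:subject:access-subject"/>
      <attribute-value>{value}</attribute-value>
    </subject-match></subject-class></subject></subjects></target></rule>"""

# Constructed sample policy: a group-level Permit and an individual-level Deny.
POLICY_XML = "<policy>" + rule_xml("r1", "Permit", "group", "security-role", "admin") \
    + rule_xml("r2", "Deny", "individual", "user-id", "alice") + "</policy>"

def parse_rules(xml_text):
    """Return one dict per rule: id, effect, subject class and its single match."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        sc = rule.find(".//subject-class")
        m = sc.find("subject-match")
        rules.append({
            "id": rule.get("rule-id"), "effect": rule.get("effect"),
            "class": sc.get("class-id"), "match": m.get("match-id"),
            "attr": m.find("subject-attribute-designator").get("attribute-id"),
            "value": m.find("attribute-value").text,
        })
    return rules

def rule_matches(rule, subject):
    """Evaluate string-equal (the only match-id used here) against the
    subject's attributes, given as a constructed request context dict."""
    if rule["match"] != "function:string-equal":
        raise ValueError("unsupported match-id " + rule["match"])
    return subject.get(rule["attr"]) == rule["value"]

def decide(xml_text, subject):
    """Assumed combining strategy: among applicable rules the one whose
    subject class is most specific wins; NotApplicable if none match."""
    hits = [r for r in parse_rules(xml_text) if rule_matches(r, subject)]
    if not hits:
        return "NotApplicable", None
    best = max(hits, key=lambda r: CLASS_RANK.get(r["class"], 0))
    return best["effect"], best["id"]
```

With the sample policy, a subject that is both an admin and the individual alice is denied by the more specific rule, while any other admin is permitted by the group rule.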


