Subject: [xacml] AA06: clarify computed <Target>s


Text locations:
1) Section 5.1 (PolicySet), explanation of <Target>
   element (p. 44, lines 1661-1863 in my copy of 18c).
2) Section 5.17 (Policy), explanation of <Target> element (p. 52,
   lines 2170-2172).

Text change: In both locations above, replace

  "The <Target> element MAY be declared by the creator of the
  [<PolicySet>|<Policy>] or it MAY be computed from the <Target>
  elements of the referenced [<PolicySet> and <Policy>|<Rule>]
  elements, either as an intersection or as a union."

with

  "See Section 5.5 Target for more information about the <Target>
  element."
---------------------
Text location: In Section 5.5 Element <Target>, just before the
schema fragment (p. 46, after line 1908 in 18c).

Text change: Add

  "See Section 7.4 Target construction for more information about
  how a <Target> element may be constructed."
---------------------
Text location: following Section "7.3 Policy evaluation".

Text change: Add new section as follows:

  7.4 Target construction

  An XACML <PolicySet>, <Policy>, or <Rule> has a <Target>
  element that specifies the set of Subjects, Resources, and
  Actions to which the <PolicySet>, <Policy>, or <Rule> applies.
  The <Target> of a <PolicySet> or <Policy> may be declared by
  the creator of the <PolicySet> or <Policy>, or may be
  constructed prior to evaluation of the <PolicySet> or <Policy>
  from the <Target> elements of the referenced <PolicySet>s,
  <Policy>s, and <Rule>s.

  The component that might construct a <Target> dynamically is
  outside the scope of XACML, but there are two logical methods
  that might be utilized.  In one method, the <Target> of the
  outer <PolicySet> or <Policy> (the "outer component") is
  constructed as the union of all the <Target>s of the referenced
  <PolicySet>s, <Policy>s, or <Rule>s (the "inner components").
  In another method, the <Target> of the outer component is
  constructed as the intersection of all the <Target>s of the
  inner components.  The results of evaluation will be very
  different depending on which method is chosen: in the first
  case, the <Target> of the outer component makes it applicable
  to any Request that matches the <Target> of at least one inner
  component; in the second case, the <Target> of the outer
  component makes it applicable only to Requests that match the
  <Target> of every inner component.  Note that computing the
  intersection of a set of <Target>s is not necessarily easy.  It
  is also not possible to compute a perfect intersection in every
  case.

  In cases where the <Target> of a <Policy> is specified by the
  <Policy> creator, any component <Rule>s in the <Policy> that
  have the same <Target> may omit the <Target> element.  Such
  <Rule>s inherit the <Target> of the <Policy> in which they are
  contained.

Rationale: How it is constructed should be completely transparent
to the XACML policy evaluator, but how it is constructed will
affect the results of the policy.
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
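As an added illustration of the two construction methods described in the proposed Section 7.4 (example code written for this page, not part of the original message or of the XACML specification), the following Python models a <Target> as, per category, a tuple of alternatives made of attribute=value equality matches (an assumed simplification of XACML's match functions; `None` stands for AnySubject/AnyResource/AnyAction) and shows why the union and intersection methods give different applicability, why a structural intersection can collapse to an empty <Target>, and how a <Rule> without a <Target> inherits the <Policy>'s.

```python
from itertools import product

CATEGORIES = ("subject", "resource", "action")
# Assumed model, not XACML's XML syntax: a <Target> is a dict mapping a category to
# None (Any...) or to a tuple of alternatives; each alternative is a frozenset of
# (attribute, value) equality matches. A request maps each category to its attributes.

def alt(**attrs):
    """One alternative: a conjunction of attribute=value matches."""
    return frozenset(attrs.items())

def matches(target, request):
    """True when the request satisfies at least one alternative in every category."""
    for cat in CATEGORIES:
        alts = target.get(cat)
        if alts is None:                       # Any: no constraint on this category
            continue
        have = request.get(cat, {})
        if not any(all(have.get(a) == v for a, v in al) for al in alts):
            return False                       # an empty tuple of alternatives never matches
    return True

def union_applicable(inner_targets, request):
    """Method 1: the outer component applies if the request matches any inner <Target>."""
    return any(matches(t, request) for t in inner_targets)

def intersect_targets(inner_targets):
    """Method 2, computed structurally: per category, conjoin every combination of
    alternatives and drop combinations that demand two values for one attribute.
    Exact only for equality matches; with regexp or range matches a perfect
    intersection is not always computable, as Section 7.4 notes."""
    out = {}
    for cat in CATEGORIES:
        alts = None
        for t in inner_targets:
            inner = t.get(cat)
            if inner is None:
                continue
            if alts is None:
                alts = tuple(inner)
                continue
            alts = tuple(a | b for a, b in product(alts, inner)
                         if len({k for k, _ in a | b}) == len(a | b))
        out[cat] = alts
    return out

def effective_target(rule_target, policy_target):
    """A <Rule> that omits its <Target> inherits the enclosing <Policy>'s <Target>."""
    return policy_target if rule_target is None else rule_target

# Constructed sample inner <Rule> targets and one request (not from the spec).
RULE_A = {"subject": (alt(role="doctor"),), "resource": (alt(type="record"),), "action": None}
RULE_B = {"subject": (alt(role="nurse"),), "resource": (alt(type="record"),), "action": (alt(id="read"),)}
RULE_C = {"subject": (alt(dept="cardiology"),), "resource": None, "action": None}
DOCTOR_READ = {"subject": {"role": "doctor", "dept": "cardiology"},
               "resource": {"type": "record"}, "action": {"id": "read"}}
```

Under the union method the doctor's read request makes the outer <Policy> applicable through RULE_A alone; under the intersection method RULE_A and RULE_B conflict on `role`, so the constructed <Target> can match no subject at all.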