Subject: [xacml] AA06: clarify computed <Target>s
Text locations:

1) Section 5.1 (PolicySet), explanation of <Target> element (p. 44, lines 1661-1863 in my copy of 18c).

2) Section 5.17 (Policy), explanation of <Target> element (p. 52, lines 2170-2172).

Text change: In both locations above, replace

  "The <Target> element MAY be declared by the creator of the [<PolicySet>|<Policy>] or it MAY be computed from the <Target> elements of the referenced [<PolicySet> and <Policy>|<Rule>] elements, either as an intersection or as a union."

with

  "See Section 5.5 Target for more information about the <Target> element."

---------------------

Text location: In Section 5.5 Element <Target>, just before the schema fragment (p. 46, after line 1908 in 18c).

Text change: Add

  "See Section 7.4 Target construction for more information about how a <Target> element may be constructed."

---------------------

Text location: following Section "7.3 Policy evaluation".

Text change: Add new section as follows:

7.4 Target construction

An XACML <PolicySet>, <Policy>, or <Rule> has a <Target> element that specifies the set of Subjects, Resources, and Actions to which the <PolicySet>, <Policy>, or <Rule> applies. The <Target> of a <PolicySet> or <Policy> may be declared by the creator of the <PolicySet> or <Policy>, or may be constructed prior to evaluation of the <PolicySet> or <Policy> from the <Target> elements of the referenced <PolicySet>s, <Policy>s, and <Rule>s.

The component that might construct a <Target> dynamically is outside the scope of XACML, but there are two logical methods that might be utilized. In one method, the <Target> of the outer <PolicySet> or <Policy> (the "outer component") is constructed as the union of all the <Target>s of the referenced <PolicySet>s, <Policy>s, or <Rule>s (the "inner components"). In another method, the <Target> of the outer component is constructed as the intersection of all the <Target>s of the inner components.

The results of evaluation will be very different depending on which method is chosen: in the first case, the <Target> of the outer component makes it applicable to any Request that matches the <Target> of at least one inner component; in the second case, the <Target> of the outer component makes it applicable only to Requests that match the <Target> of every inner component.

Note that computing the intersection of a set of <Target>s is not necessarily easy. It is also not possible to compute a perfect intersection in every case.

In cases where the <Target> of a <Policy> is specified by the <Policy> creator, any component <Rule>s in the <Policy> that have the same <Target> may omit the <Target> element. Such <Rule>s inherit the <Target> of the <Policy> in which they are contained.

Rationale: How it is constructed should be completely transparent to the XACML policy evaluator, but how it is constructed will affect the results of the policy.

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
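A small model of the two construction methods described in the proposed Section 7.4, added here as an example; it is not part of the original message or of the XACML specification. A <Target> is reduced to one value set per category, the two <Rule> targets are constructed sample data, and the union is kept as a disjunction rather than collapsed into a single triple.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

ANY = None  # stands in for <AnySubject/>, <AnyResource/>, <AnyAction/>
Values = Optional[FrozenSet[str]]

@dataclass(frozen=True)
class Target:
    """Simplified <Target>: the attribute values it matches per category (ANY = all)."""
    subjects: Values
    resources: Values
    actions: Values

    def matches(self, subject: str, resource: str, action: str) -> bool:
        pairs = ((self.subjects, subject), (self.resources, resource), (self.actions, action))
        return all(vals is ANY or value in vals for vals, value in pairs)

def _meet(a: Values, b: Values) -> Values:
    return b if a is ANY else a if b is ANY else a & b

def intersection_target(inner: Sequence[Target]) -> Target:
    """Outer <Target> as the intersection of the inner <Target>s.  Exact in this
    value-set model; with XACML's full match functions it generally is not."""
    subj = res = act = ANY
    for t in inner:
        subj, res, act = _meet(subj, t.subjects), _meet(res, t.resources), _meet(act, t.actions)
    return Target(subj, res, act)

class UnionTarget:
    """Outer <Target> as the union, kept as a disjunction of the inner <Target>s
    (collapsing the categories into one triple would over-approximate it)."""
    def __init__(self, inner: Sequence[Target]) -> None:
        self.inner = list(inner)

    def matches(self, subject: str, resource: str, action: str) -> bool:
        return any(t.matches(subject, resource, action) for t in self.inner)

def effective_rule_target(rule_target: Optional[Target], policy_target: Target) -> Target:
    """A <Rule> that omits its <Target> inherits the enclosing <Policy>'s <Target>."""
    return policy_target if rule_target is None else rule_target

# Constructed sample: two <Rule> targets referenced by one <Policy>.
RULE_TARGETS = [
    Target(frozenset({"alice", "bob"}), frozenset({"/doc/a"}), frozenset({"read"})),
    Target(frozenset({"alice"}), ANY, frozenset({"read", "write"})),
]
UNION = UnionTarget(RULE_TARGETS)                 # applicable if any inner <Target> matches
INTERSECTION = intersection_target(RULE_TARGETS)  # applicable only if every inner <Target> matches
```

With these sample rules a request by bob to read /doc/a is in scope under the union but out of scope under the intersection, which is the evaluation difference the proposed text warns about.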