
xacml message



Subject: Re: [xacml] CR 144: function "present" needs to be fixed.



I think this CR should be 145, not 144, sorry, but I didn't want to change
the subject line, lest I mess up the thread, and Anne will beat me with a
threading stick. :^)

I've got another proposal to handle the cases where we need to have
predicates for the presence of attribute values, for action, resources,
and subjects.

The basic upshot is the following:

The following correspond to their *AttributeDesignator counterparts:

o action-attribute-is-present
o action-attribute-must-be-present
o resource-attribute-is-present
o resource-attribute-must-be-present
o subject-attribute-is-present
o subject-attribute-must-be-present
o subject-attribute-is-present-where
o subject-attribute-must-be-present-where

The following correspond to the AttributeSelector element:
o attribute-is-present
o attribute-must-be-present

So, I now suggest to replace the last bullet & paragraph (i.e. "present")
of Section A.14.5 Logical Functions with the following:


o action-attribute-is-present

This function SHALL take two arguments. The first argument SHALL be an
attribute value of type "xs:QName" as used in the "AttributeId" XML
attribute of an <ActionAttributeDesignator> element. The second argument
SHALL be an attribute value of type "xs:QName" containing the identity of
the data type as used in the "DataType" XML attribute of the
<ActionAttributeDesignator> element. This expression SHALL result in
"true" if the named attribute can be located in the request context. A
result of "true" means that an <ActionAttributeDesignator> element for
this named attribute will return a bag consisting of at least one
element. If no value can be found for the attribute in the request
context, then this expression SHALL result in "false". A result of
"false" means that an <ActionAttributeDesignator> element for this named
attribute will return an empty bag. If it cannot be determined whether
the attribute is present or not present in the request context, or its
value is unavailable, then the expression SHALL result in
"indeterminate".


o action-attribute-must-be-present

This function SHALL take two arguments. The first argument SHALL be an
attribute value of type "xs:QName" as used in the "AttributeId" XML
attribute of an <ActionAttributeDesignator> element. The second argument
SHALL be an attribute value of type "xs:QName" containing the identity of
the data type as used in the "DataType" XML attribute of the
<ActionAttributeDesignator> element. This expression SHALL result in
"true" if the named attribute can be located in the request context. A
result of "true" means that an <ActionAttributeDesignator> element for
this named attribute will return a bag consisting of at least one
element. If no value can be found for the attribute in the request
context, which means that an <ActionAttributeDesignator> element for this
named attribute will return an empty bag, this expression SHALL result in
"indeterminate". If it cannot be determined whether the attribute is
present or not present in the request context, or its value is
unavailable, then the expression SHALL result in "indeterminate".


o resource-attribute-is-present

This function SHALL take two arguments. The first argument SHALL be an
attribute value of type "xs:QName" as used in the "AttributeId" XML
attribute of a <ResourceAttributeDesignator> element. The second
argument SHALL be an attribute value of type "xs:QName" containing the
identity of the data type as used in the "DataType" XML attribute of the
<ResourceAttributeDesignator> element. This expression SHALL result in
"true" if the named attribute can be located in the request context. A
result of "true" means that a <ResourceAttributeDesignator> element for
this named attribute will return a bag consisting of at least one
element. If no value can be found for the attribute in the request
context, then this expression SHALL result in "false". A result of
"false" means that a <ResourceAttributeDesignator> element for this
named attribute will return an empty bag. If it cannot be determined
whether the attribute is present or not present in the request context,
or its value is unavailable, then the expression SHALL result in
"indeterminate".


o resource-attribute-must-be-present

This function SHALL take two arguments. The first argument SHALL be an
attribute value of type "xs:QName" as used in the "AttributeId" XML
attribute of a <ResourceAttributeDesignator> element. The second
argument SHALL be an attribute value of type "xs:QName" containing the
identity of the data type as used in the "DataType" XML attribute of the
<ResourceAttributeDesignator> element. This expression SHALL result in
"true" if the named attribute can be located in the request context. A
result of "true" means that a <ResourceAttributeDesignator> element for
this named attribute will return a bag consisting of at least one
element. If no value can be found for the attribute in the request
context, which means that a <ResourceAttributeDesignator> element for
this named attribute will return an empty bag, this expression SHALL
result in "indeterminate". If it cannot be determined whether the
attribute is present or not present in the request context, or its value
is unavailable, then the expression SHALL result in "indeterminate".


o subject-attribute-is-present

This function SHALL take two arguments. The first argument SHALL be an
attribute value of type "xs:QName" as used in the "AttributeId" XML
attribute of a <SubjectAttributeDesignator> element. The second argument
SHALL be an attribute value of type "xs:QName" containing the identity of
the data type as used in the "DataType" XML attribute of the
<SubjectAttributeDesignator> element. This expression SHALL result in
"true" if the named attribute can be located in the request context. A
result of "true" means that a <SubjectAttributeDesignator> element for
this named attribute will return a bag consisting of at least one
element. If no value can be found for the attribute in the request
context, then this expression SHALL result in "false". A result of
"false" means that a <SubjectAttributeDesignator> element for this named
attribute will return an empty bag. If it cannot be determined whether
the attribute is present or not present in the request context, or its
value is unavailable, then the expression SHALL result in
"indeterminate".


o subject-attribute-must-be-present

This function SHALL take two arguments. The first argument SHALL be an
attribute value of type "xs:QName" as used in the "AttributeId" XML
attribute of a <SubjectAttributeDesignator> element. The second argument
SHALL be an attribute value of type "xs:QName" containing the identity of
the data type as used in the "DataType" XML attribute of the
<SubjectAttributeDesignator> element. This expression SHALL result in
"true" if the named attribute can be located in the request context. A
result of "true" means that a <SubjectAttributeDesignator> element for
this named attribute will return a bag consisting of at least one
element. If no value can be found for the attribute in the request
context, which means that a <SubjectAttributeDesignator> element for
this named attribute will return an empty bag, this expression SHALL
result in "indeterminate". If it cannot be determined whether the
attribute is present or not present in the request context, or its value
is unavailable, then the expression SHALL result in "indeterminate".


o subject-attribute-is-present-where

This function SHALL take three or more arguments. The first argument
SHALL be an attribute value of type "xs:QName" as used in the
"AttributeId" XML attribute of a <SubjectAttributeDesignatorWhere>
element. The second argument SHALL be an attribute value of type
"xs:QName" containing the identity of the data type as used in the
"DataType" XML attribute of the <SubjectAttributeDesignatorWhere>
element. The third and subsequent arguments SHALL be <SubjectMatch>
elements. This expression SHALL result in "true" if the named attribute
named by "AttributeId" and "DataType" XML attributes can be located in
the particular subject in the request context of which all the given
<SubjectMatch> expressions evaluate to "true". A result of "true" means
that a <SubjectAttributeDesignatorWhere> element for this named attribute
and identical <SubjectMatch> elements will return a bag consisting of at
least one element. If no value can be found for the attribute in the
request context, then this expression SHALL result in "false". A result
of "false" means that a <SubjectAttributeDesignatorWhere> element for
this named attribute will return an empty bag. If it cannot be determined
whether the attribute is present or not present in the request context,
its value is unavailable, or any of the <SubjectMatch> elements evaluate
to "indeterminate", then the expression SHALL result in "indeterminate".


o subject-attribute-must-be-present-where

This function SHALL take three or more arguments. The first argument
SHALL be an attribute value of type "xs:QName" as used in the
"AttributeId" XML attribute of a <SubjectAttributeDesignatorWhere>
element. The second argument SHALL be an attribute value of type
"xs:QName" containing the identity of the data type as used in the
"DataType" XML attribute of the <SubjectAttributeDesignatorWhere>
element. The third and subsequent arguments SHALL be <SubjectMatch>
elements. This expression SHALL result in "true" if the named attribute
named by "AttributeId" and "DataType" XML attributes can be located in
the particular subject in the request context of which all the given
<SubjectMatch> expressions evaluate to "true". A result of "true" means
that a <SubjectAttributeDesignatorWhere> element for this named attribute
and identical <SubjectMatch> elements will return a bag consisting of at
least one element. If no value can be found for the attribute in the
request context, which means that the corresponding
<SubjectAttributeDesignatorWhere> element will return an empty bag, this
expression SHALL result in "indeterminate". If it cannot be determined
whether the attribute is present or not present in the request context,
its value is unavailable, or any of the <SubjectMatch> elements evaluate
to "indeterminate", then the expression SHALL result in "indeterminate".


o attribute-is-present

This function SHALL take two arguments. The first argument SHALL be an
argument of type "xs:string" that is an XPath expression that is used in
the "RequestContextPath" XML attribute of the <AttributeSelector>
element. The second argument SHALL be an attribute value of type
"xs:QName" containing the identity of the data type as used in the
"DataType" XML attribute of the <AttributeSelector> element. This
expression SHALL result in "true" if the value can be found. A result of
"true" means that an <AttributeSelector> element for this named attribute
SHALL return a bag consisting of at least one element. If no value can be
found, then this expression SHALL result in "false". A result of "false"
means that the corresponding <AttributeSelector> element SHALL return an
empty bag. If it cannot be determined that a value for this XPath
expression is present or not present, or the value is unavailable, then
the expression SHALL result in "indeterminate".


o attribute-must-be-present

This function SHALL take two arguments. The first argument SHALL be an
argument of type "xs:string" that is an XPath expression that is used in
the "RequestContextPath" XML attribute of the <AttributeSelector>
element. The second argument SHALL be an attribute value of type
"xs:QName" containing the identity of the data type as used in the
"DataType" XML attribute of the <AttributeSelector> element. This
expression SHALL result in "true" if the value can be found. A result of
"true" means that an <AttributeSelector> element for this named attribute
SHALL return a bag consisting of at least one element. If no value can be
found, then this expression SHALL result in "false", which means that the
corresponding <AttributeSelector> element SHALL return an empty bag, this
expression SHALL result in "indeterminate". If it cannot be determined
that a value for this XPath expression is present or not present, or the
value is unavailable, then the expression SHALL result in
"indeterminate".
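
The difference between the "-is-present" and "-must-be-present" families proposed above, as an added Python model that is not part of the original message or of the XACML specification. The dictionary-based request context, the UNAVAILABLE marker and the (AttributeId, DataType, value) triples standing in for <SubjectMatch> elements are assumptions made for illustration.

```python
from enum import Enum

class Result(Enum):
    TRUE = "true"
    FALSE = "false"
    INDETERMINATE = "indeterminate"

UNAVAILABLE = object()  # constructed marker: presence/value cannot be determined

# Constructed request context: each subject/resource/action maps
# (AttributeId, DataType) -> bag of values.
REQUEST = {
    "subject": [
        {("role", "xs:string"): ["admin"], ("group", "xs:string"): ["ops"]},
        {("role", "xs:string"): ["auditor"], ("clearance", "xs:string"): UNAVAILABLE},
    ],
    "resource": [{("owner", "xs:string"): ["alice"]}],
    "action": [{}],
}

def is_present(ctx, category, attr_id, data_type, where=()):
    """Model of <category>-attribute-is-present and its "-where" variant.

    Every triple in `where` must hold on the same entity (e.g. the same
    subject) before that entity's attribute bag is consulted.
    """
    found = False
    for entity in ctx[category]:
        matched = True
        for m_id, m_type, m_val in where:
            bag = entity.get((m_id, m_type), [])
            if bag is UNAVAILABLE:          # a match that cannot be evaluated
                return Result.INDETERMINATE
            matched = matched and m_val in bag
        if not matched:
            continue
        bag = entity.get((attr_id, data_type), [])
        if bag is UNAVAILABLE:
            return Result.INDETERMINATE
        found = found or len(bag) > 0       # non-empty bag means "true"
    return Result.TRUE if found else Result.FALSE

def must_be_present(ctx, category, attr_id, data_type, where=()):
    """Same lookup, but an empty bag yields "indeterminate" instead of "false"."""
    result = is_present(ctx, category, attr_id, data_type, where)
    return Result.INDETERMINATE if result is Result.FALSE else result
```
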







