Subject: Re: [xacml] CR 144: function "present" needs to be fixed.
On Wed, 23 Oct 2002, Polar Humenn wrote:

> I think this CR should be 145, not 144, sorry, but I didn't want to change
> the subject line, lest I mess up the thread, and Anne will beat me with a
> threading stick. :^)
>
> I've got another proposal to handle the cases where we need to have
> predicates for the presence of attribute values, for action, resources,
> and subjects.
>
> The basic upshot is the following:
>
> The following correspond to their *AttributeDesignator counterparts:
>
> o action-attribute-is-present
> o action-attribute-must-be-present
> o resource-attribute-is-present
> o resource-attribute-must-be-present
> o subject-attribute-is-present
> o subject-attribute-must-be-present
> o subject-attribute-is-present-where
> o subject-attribute-must-be-present-where
>
> The following correspond to the AttributeSelector element:
> o attribute-is-present
> o attribute-must-be-present
>
> So, I now suggest to replace the last bullet & paragraph (i.e. "present")
> of Section A.14.5 Logical Functions with the following:

And of course I forgot environment attributes:

So the whole thing looks like:

o action-attribute-is-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <ActionAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <ActionAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <ActionAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, then this expression SHALL result in "false". A result of "false" means that an <ActionAttributeDesignator> element for this named attribute will return an empty bag.

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o action-attribute-must-be-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <ActionAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <ActionAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <ActionAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, which means that an <ActionAttributeDesignator> element for this named attribute will return an empty bag, this expression SHALL result in "indeterminate".

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o resource-attribute-is-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <ResourceAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <ResourceAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <ResourceAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, then this expression SHALL result in "false". A result of "false" means that an <ResourceAttributeDesignator> element for this named attribute will return an empty bag.

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o resource-attribute-must-be-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <ResourceAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <ResourceAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <ResourceAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, which means that an <ResourceAttributeDesignator> element for this named attribute will return an empty bag, this expression SHALL result in "indeterminate".

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o subject-attribute-is-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <SubjectAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <SubjectAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <SubjectAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, then this expression SHALL result in "false". A result of "false" means that an <SubjectAttributeDesignator> element for this named attribute will return an empty bag.

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o subject-attribute-must-be-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <SubjectAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <SubjectAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <SubjectAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, which means that an <SubjectAttributeDesignator> element for this named attribute will return an empty bag, this expression SHALL result in "indeterminate".

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o subject-attribute-is-present-where

  This function SHALL take three or more arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <SubjectAttributeDesignatorWhere> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <SubjectAttributeDesignatorWhere> element. The third and subsequent arguments SHALL be <SubjectMatch> elements.

  This expression SHALL result in "true" if the named attribute named by "AttributeId" and "DataType" XML attributes can be located in the particular subject in the request context of which all the given <SubjectMatch> expressions evaluate to "true". A result of "true" means that a <SubjectAttributeDesignatorWhere> element for this named attribute and identical <SubjectMatch> elements will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, then this expression SHALL result in "false". A result of "false" means that an <SubjectAttributeDesignatorWhere> element for this named attribute will return an empty bag.

  If it cannot be determined whether the attribute is present or not present in the request context, its value is unavailable, or any of the <SubjectMatch> elements evaluate to "indeterminate", then the expression SHALL result in "indeterminate".

o subject-attribute-must-be-present-where

  This function SHALL take three or more arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <SubjectAttributeDesignatorWhere> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <SubjectAttributeDesignatorWhere> element. The third and subsequent arguments SHALL be <SubjectMatch> elements.

  This expression SHALL result in "true" if the named attribute named by "AttributeId" and "DataType" XML attributes can be located in the particular subject in the request context of which all the given <SubjectMatch> expressions evaluate to "true". A result of "true" means that a <SubjectAttributeDesignatorWhere> element for this named attribute and identical <SubjectMatch> elements will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, which means that the corresponding <SubjectAttributeDesignatorWhere> element will return an empty bag, this expression SHALL result in "indeterminate".

  If it cannot be determined whether the attribute is present or not present in the request context, its value is unavailable, or any of the <SubjectMatch> elements evaluate to "indeterminate", then the expression SHALL result in "indeterminate".

o environment-attribute-is-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <EnvironmentAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <EnvironmentAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <EnvironmentAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, then this expression SHALL result in "false". A result of "false" means that an <EnvironmentAttributeDesignator> element for this named attribute will return an empty bag.

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o environment-attribute-must-be-present

  This function SHALL take two arguments. The first argument SHALL be an attribute value of type "xs:QName" as used in the "AttributeId" XML attribute of an <EnvironmentAttributeDesignator> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <EnvironmentAttributeDesignator> element.

  This expression SHALL result in "true" if the named attribute can be located in the request context. A result of "true" means that an <EnvironmentAttributeDesignator> element for this named attribute will return a bag consisting of at least one element.

  If no value can be found for the attribute in the request context, which means that an <EnvironmentAttributeDesignator> element for this named attribute will return an empty bag, this expression SHALL result in "indeterminate".

  If it cannot be determined whether the attribute is present or not present in the request context, or its value is unavailable, then the expression SHALL result in "indeterminate".

o attribute-is-present

  This function SHALL take two arguments. The first argument SHALL be an argument of type "xs:string" that is an XPath expression that is used in the "RequestContextPath" XML attribute of the <AttributeSelector> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <AttributeSelector> element.

  This expression SHALL result in "true" if the value can be found. A result of "true" means that an <AttributeSelector> element for this named attribute SHALL return a bag consisting of at least one element.

  If no value can be found, then this expression SHALL result in "false". A result of "false" means that the corresponding <AttributeSelector> element SHALL return an empty bag.

  If it cannot be determined that a value for this XPath expression is present or not present, or the value is unavailable, then the expression SHALL result in "indeterminate".

o attribute-must-be-present

  This function SHALL take two arguments. The first argument SHALL be an argument of type "xs:string" that is an XPATH expression that is used in the "RequestContextPath" XML attribute of the <AttributeSelector> element. The second argument SHALL be an attribute value of type "xs:QName" containing the identity of the data type as used in the "DataType" XML attribute of the <AttributeSelector> element.

  This expression SHALL result in "true" if the value can be found. A result of "true" means that an <AttributeSelector> element for this named attribute SHALL return a bag consisting of at least one element.

  If no value can be found, then this expression SHALL result in "false", which means that the corresponding <AttributeSelector> element SHALL return an empty bag, this expression SHALL result in "indeterminate".

  If it cannot be determined that a value for this XPath expression is present or not present, or the value is unavailable, then the expression SHALL result in "indeterminate".
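
The result tables for the "-is-present", "-must-be-present" and "-where" designator functions in the message above, as an added Python example that is not part of the original post or of any XACML implementation. The tuple-based request context, the UNAVAILABLE marker, the subject_match stand-in for a <SubjectMatch> element and all sample values are assumptions constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    TRUE, FALSE, INDETERMINATE = "true", "false", "indeterminate"

class Indeterminate(Exception):
    """Presence cannot be determined, or the value is unavailable."""

UNAVAILABLE = object()  # constructed marker: attribute is named but its value cannot be retrieved
STRING = "xs:string"    # constructed data type identifier

def bag(attrs, attr_id, data_type):
    """Designator lookup: values matching AttributeId and DataType ([] is the empty bag)."""
    values = [v for (i, t, v) in attrs if i == attr_id and t == data_type]
    if any(v is UNAVAILABLE for v in values):
        raise Indeterminate(attr_id)
    return values

def is_present(attrs, attr_id, data_type):
    try:
        return Result.TRUE if bag(attrs, attr_id, data_type) else Result.FALSE
    except Indeterminate:
        return Result.INDETERMINATE

def must_be_present(attrs, attr_id, data_type):
    # Same lookup, but an empty bag is reported as "indeterminate" rather than "false".
    result = is_present(attrs, attr_id, data_type)
    return Result.INDETERMINATE if result is Result.FALSE else result

def subject_match(attr_id, data_type, expected):
    """Hypothetical stand-in for <SubjectMatch>: equality test on one subject's attribute."""
    return lambda subject: expected in bag(subject, attr_id, data_type)

def subject_where(subjects, attr_id, data_type, matches, must=False):
    """The -where variants: search only subjects for which every match is true."""
    selected = []
    for subject in subjects:
        try:
            if all(match(subject) for match in matches):
                selected.extend(subject)
        except Indeterminate:  # any match evaluating to "indeterminate" decides the result
            return Result.INDETERMINATE
    check = must_be_present if must else is_present
    return check(selected, attr_id, data_type)

# Constructed request context: two subjects and one resource section.
SUBJECTS = [
    [("subject-category", STRING, "access-subject"), ("role", STRING, "physician")],
    [("subject-category", STRING, "codebase"), ("signer", STRING, UNAVAILABLE)],
]
RESOURCE = [("resource-id", STRING, "record-17")]
```

With this data, a lookup of the absent "owner" resource attribute gives "false" from is_present and "indeterminate" from must_be_present, which is the only case where the two families differ.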