[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] bags and targets. Forwarded message from Seth Proctor
I have the following action item:
0142: [Seth Proctor] bags and targets. Forwarded message from Seth Proctor.
e-mail sent 17 Oct 2002 16:43:04 -0400 (EDT)
http://lists.oasis-open.org/archives/xacml/200210/msg00216.html
ACTION ITEM: [Anne] Write up TENTATIVE RESOLUTION with details spelled out.
STATUS: UNRESOLVED (10/28). See TENTATIVE RESOLUTION.
TENTATIVE RESOLUTION: Create a new XML attribute on Designators
and Selectors to indicate "Must be present". This new
attribute is optional, and may be used in either Target or
Condition. Behavior of indeterminate results in Target where
AND or especially OR is being done (e.g. in multiple subjects
where only one needs to match) needs to be spelled out, but it
should follow behavior of current "and" and "or" functions.
Here is my attempt at writing up the details:
1. In policy schema: Change
<xs:complexType name="AttributeSelectorType">
<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
</xs:complexType>
To:
<xs:complexType name="AttributeSelectorType">
<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
<xs:attribute name="MustBePresent" type="xs:boolean" use="optional"
default="false"/>
</xs:complexType>
2. In policy schema, Change
<xs:complexType name="AttributeDesignatorType">
<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
<xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
</xs:complexType>
To:
<xs:complexType name="AttributeDesignatorType">
<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
<xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
<xs:attribute name="MustBePresent" type="xs:boolean" use="optional"
default="false"/>
</xs:complexType>
3. Section 5.23 Complex type AttributeDesignatorType, append
following to the very end of this section (after Issuer
[Optional] description):
MustBePresent [Optional]
The MustBePresent attribute governs whether the
AttributeDesignator element returns an empty bag or
indeterminate in the case of finding no value for the named
attribute in the request context. If the value can not be
located and the MustBePresent attribute is set to false,
then the AttributeDesignator element SHALL result in an
empty bag. If the value can not be located and the
MustBePresent attribute is set to true, then the
AttributeDesignator element SHALL result in indeterminate.
Regardless of the MustBePresent attribute, if it cannot be
determined whether the attribute is present or not present
in the request context, or if the value of the attribute is
unavailable due to any error, then the AttributeDesignator
element SHALL result in indeterminate.
The default value for the MustBePresent attribute is false.
4. Section 5.29 Element <AttributeSelector>, append following to
the very end of this section (after DataType [Required]
description):
The MustBePresent attribute governs whether the
AttributeSelector element returns an empty bag or
indeterminate in the case of finding no value for the named
attribute in the request context. If the value can not be
located and the MustBePresent attribute is set to false,
then the AttributeSelector element SHALL result in an empty
bag. If the value can not be located and the MustBePresent
attribute is set to true, then the AttributeSelector
element SHALL result in indeterminate. Regardless of the
MustBePresent attribute, if it cannot be determined whether
the attribute is present or not present in the request
context, or if the value of the attribute is unavailable
due to any error, then the AttributeSelector element SHALL
result in indeterminate.
The default value for the MustBePresent attribute is false.
Are there any other places that need a change?
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC