

Subject: RE: [xacml] bags and targets. Forwarded message from Seth Proctor


Yup, I agree we should be aligned.  I'll try to reposition and
rephrase these tomorrow.  By the way, in our TENTATIVE RESOLUTION,
we said we needed to be very careful in specifying the behavior
of the evaluation of the Target semantics
   AND(Subjects=
          OR(Subject1=
               AND(MatchId1, MatchId2,...),
             ...
             SubjectN=
               AND(MatchId1, ...)),
       Resources=
          AND(MatchId1, ...),
       Actions=
          AND(MatchId1, ...))
around MustBePresent.  After reading the descriptions, however, Seth
(my best "does it make sense to the implementor" critic) decided it
all hung together: we already make it clear in Target Match how to
deal with Indeterminate, and so this just plugs in consistently.  Maybe
this spec is beginning to be internally consistent at last!

Anne

"Polar Humenn" <polar@syr.edu> wrote:
>Date: Tue, 29 Oct 2002 16:27:25 -0500 (EST)
>
>Anne,
>
>If we like what I did with the *IsPresent text, it might be best to align
>the *Designator and Selector text with that. I guess what I am getting at
>is that the operational semantics of MustBePresent are specified in the
>main paragraphs, while the "attribute" descriptions merely explain briefly
>what they are and how they are specified.
>
>-Polar
>
>
> On Tue, 29 Oct 2002, Anne Anderson wrote:
>
>> I have the following action item:
>>
>> 0142: [Seth Proctor] bags and targets. Forwarded message from Seth Proctor.
>>   e-mail sent 17 Oct 2002 16:43:04 -0400 (EDT)
>>   http://lists.oasis-open.org/archives/xacml/200210/msg00216.html
>>
>>   ACTION ITEM: [Anne] Write up TENTATIVE RESOLUTION with details spelled out.
>>
>>   STATUS: UNRESOLVED (10/28).  See TENTATIVE RESOLUTION.
>>
>>   TENTATIVE RESOLUTION: Create a new XML attribute on Designators
>>   and Selectors to indicate "Must be present".  This new
>>   attribute is optional, and may be used in either Target or
>>   Condition.  Behavior of indeterminate results in Target where
>>   AND or especially OR is being done (e.g. in multiple subjects
>>   where only one needs to match) needs to be spelled out, but it
>>   should follow behavior of current "and" and "or" functions.
>>
>> Here is my attempt at writing up the details:
>>
>> 1. In policy schema: Change
>> 	<xs:complexType name="AttributeSelectorType">
>> 		<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
>> 		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
>> 	</xs:complexType>
>>    To:
>> 	<xs:complexType name="AttributeSelectorType">
>> 		<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
>> 		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
>> 		<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
>> 	</xs:complexType>
>>
>> 2. In policy schema, Change
>> 	<xs:complexType name="AttributeDesignatorType">
>> 		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
>> 		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
>> 		<xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
>> 	</xs:complexType>
>>    To:
>> 	<xs:complexType name="AttributeDesignatorType">
>> 		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
>> 		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
>> 		<xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
>> 		<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
>> 	</xs:complexType>
>>
>> 3. Section 5.23 Complex type AttributeDesignatorType, append
>>    following to the very end of this section (after Issuer
>>    [Optional] description):
>>
>>    MustBePresent [Optional]
>>
>>       The MustBePresent attribute governs whether the
>>       AttributeDesignator element returns an empty bag or
>>       indeterminate in the case of finding no value for the named
>>       attribute in the request context.  If the value can not be
>>       located and the MustBePresent attribute is set to false,
>>       then the AttributeDesignator element SHALL result in an
>>       empty bag.  If the value can not be located and the
>>       MustBePresent attribute is set to true, then the
>>       AttributeDesignator element SHALL result in indeterminate.
>>       Regardless of the MustBePresent attribute, if it cannot be
>>       determined whether the attribute is present or not present
>>       in the request context, or if the value of the attribute is
>>       unavailable due to any error, then the AttributeDesignator
>>       element SHALL result in indeterminate.
>>
>>       The default value for the MustBePresent attribute is false.
>>
>> 4. Section 5.29 Element <AttributeSelector>, append following to
>>    the very end of this section (after DataType [Required]
>>    description):
>>
>>       The MustBePresent attribute governs whether the
>>       AttributeSelector element returns an empty bag or
>>       indeterminate in the case of finding no value for the named
>>       attribute in the request context.  If the value can not be
>>       located and the MustBePresent attribute is set to false,
>>       then the AttributeSelector element SHALL result in an empty
>>       bag.  If the value can not be located and the MustBePresent
>>       attribute is set to true, then the AttributeSelector
>>       element SHALL result in indeterminate.  Regardless of the
>>       MustBePresent attribute, if it cannot be determined whether
>>       the attribute is present or not present in the request
>>       context, or if the value of the attribute is unavailable
>>       due to any error, then the AttributeSelector element SHALL
>>       result in indeterminate.
>>
>>       The default value for the MustBePresent attribute is false.
>>
>> Are there any other places that need a change?
>>
>> Anne
>> --
>> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
>> Sun Microsystems Laboratories
>> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
>> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>>
>>
>

Anne
------
Anne Anderson          Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
Burlington, MA         781-442-0928
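
An added example, not part of the original thread or the specification text: a small Python model of the proposed MustBePresent behavior plugged into the Target AND/OR structure quoted above. The dict-based request context, the ERROR marker, the attribute names, and the rule that a definite result outranks Indeterminate in AND/OR are assumptions made for illustration; the thread only says Target should follow the existing "and" and "or" functions.

```python
from enum import Enum

class R(Enum):
    MATCH = "Match"
    NO_MATCH = "NoMatch"
    INDETERMINATE = "Indeterminate"

ERROR = object()  # constructed marker: attribute lookup failed with an error

class Indeterminate(Exception):
    pass

def designator(ctx, attr_id, must_be_present=False):
    """Bag of values for attr_id, following the proposed MustBePresent text."""
    bag = ctx.get(attr_id, [])
    if bag is ERROR:                    # value unavailable due to an error
        raise Indeterminate(attr_id)    # regardless of MustBePresent
    if not bag and must_be_present:     # not located, MustBePresent="true"
        raise Indeterminate(attr_id)
    return list(bag)                    # may be the empty bag

def match(ctx, attr_id, expected, must_be_present=False):
    try:
        bag = designator(ctx, attr_id, must_be_present)
    except Indeterminate:
        return R.INDETERMINATE
    return R.MATCH if expected in bag else R.NO_MATCH  # empty bag: no match

def all_of(results):  # AND; assumption: a definite NO_MATCH outranks INDETERMINATE
    results = list(results)
    if R.NO_MATCH in results:
        return R.NO_MATCH
    return R.INDETERMINATE if R.INDETERMINATE in results else R.MATCH

def any_of(results):  # OR; assumption: a definite MATCH outranks INDETERMINATE
    results = list(results)
    if R.MATCH in results:
        return R.MATCH
    return R.INDETERMINATE if R.INDETERMINATE in results else R.NO_MATCH

def target(ctx, subjects, resources, actions):
    """AND(Subjects=OR(Subject_i=AND(matches)), Resources=AND(..), Actions=AND(..))"""
    subj = any_of(all_of(match(ctx, *m) for m in s) for s in subjects)
    return all_of([subj, all_of(match(ctx, *m) for m in resources),
                   all_of(match(ctx, *m) for m in actions)])

# Constructed request contexts and target; each match is (id, value, MustBePresent).
FULL = {"role": ["doctor"], "resource-id": ["record-17"], "action-id": ["read"]}
NO_ROLE = {"group": ["staff"], "resource-id": ["record-17"], "action-id": ["read"]}
RES, ACT = [("resource-id", "record-17", False)], [("action-id", "read", False)]

if __name__ == "__main__":
    for mbp in (False, True):
        print(mbp, target(NO_ROLE, [[("role", "doctor", mbp)]], RES, ACT).value)
```

With the default MustBePresent="false", a request that omits the attribute makes the Target a plain no-match, so the policy silently does not apply; with "true" the omission surfaces as Indeterminate, which the caller can handle explicitly.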


