

Subject: RE: [xacml] is-present-designators (fwd)


On Tue, 5 Nov 2002, Daniel Engovatov wrote:

> I agree.  They are not critical and the functionality can be temporarily
> added as an extension function if some policy really needs it.

Not quite. The only extension function, by using the XACML way of defining
a new FunctionId, can only do what Simon said, take a bag of elements from
an *AttributeDesignator, of which they have already been retrieved, and
then just count the elements in the bag.

However, I would like to make statements like:

If attribute XXX is present and it does NOT match George then Deny.

A simple use of a subject-match, e.g.

(not (subject-match "string-equals" <subj-attr-desg "XXX"> "George"))

doesn't cut it.

I definitely need

(subject-attr-is-present "XXX") and (not (subject-match ....))

To get the right semantic.

-Polar


> -----Original Message-----
> From: simon godik [mailto:simon@godik.com]
> Sent: Tuesday, November 05, 2002 2:49 PM
> To: XACML
> Subject: Re: [xacml] is-present-designators (fwd)
>
>
> There is potential optimization with is-present elements,
> provided that attribute data storage supports is-present query.
> I propose to defer this optimization to xacml 1.1.
>
> Simon
>
> ----- Original Message -----
> From: "Polar Humenn" <polar@syr.edu>
> To: "XACML" <xacml@lists.oasis-open.org>
> Sent: Tuesday, November 05, 2002 2:46 PM
> Subject: Re: [xacml] is-present-designators (fwd)
>
>
> >
> > On Tue, 5 Nov 2002, Polar Humenn wrote:
> >
> > > There is a way to test if attribute is present without using
> > > is-present-designator elements:
> > > It is to compare bag size selected by the designator to 0:
> > >
> > > <apply function-id="integer-greater-than">
> > >     <apply function-id="type-bag-size">
> > >         <attribute-designator ..../>
> > >     </apply>
> > >     <attr-val ...>0</attr-val>
> > > </apply>
> >
> > Well, I do agree that is a way, but still it may not be all that
> > efficient.
> >
> > Let's say you have an attribute named "face-print" that contains 2MB of
> > image data. You might have 10 of them.  If you just want to know if it's
> > present, using the IsPresent element just may require the request context
> > builder to just see if it's there. Comparing the bag size would require
> > the AttributeDesignator, which would actually retrieve them for nothing.
> >
> > -Polar
> >
> >
> >
> >
> >
> > >
> > > My proposal is to drop is-present-attribute-designators
> > >
> > > Simon
> > >
> > >
> >
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
> >
> >
> >
>
>
>
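
Added example, not part of the thread and not code from any XACML implementation: a small Python model of the two points discussed above, the different outcome of "not match" versus "present and not match" when attribute XXX is absent, and the retrieval cost of a bag-size test versus a presence query for the "face-print" case. AttributeStore and the rule functions are hypothetical names; the model assumes a match over an empty bag evaluates to false.

```python
# Added illustration. AttributeStore and the rule functions are hypothetical
# names, not an XACML API. Assumption: a match over an empty bag is false.
MB = 1024 * 1024

class AttributeStore:
    """Constructed attribute source that counts the bytes it hands out."""
    def __init__(self, attrs):
        self.attrs = attrs            # attribute name -> bag (list) of values
        self.bytes_fetched = 0

    def designator(self, name):
        """Models an AttributeDesignator: retrieves every value in the bag."""
        bag = list(self.attrs.get(name, []))
        self.bytes_fetched += sum(len(v) for v in bag)
        return bag

    def is_present(self, name):
        """Models an is-present query: answers without retrieving values."""
        return bool(self.attrs.get(name))

def subject_match(store, name, value):
    return any(v == value for v in store.designator(name))

def rule_not_match(store):
    # (not (subject-match "string-equals" <subj-attr-desg "XXX"> "George"))
    return "Deny" if not subject_match(store, "XXX", "George") else "NotApplicable"

def rule_present_and_not_match(store):
    # (subject-attr-is-present "XXX") and (not (subject-match ....))
    if store.is_present("XXX") and not subject_match(store, "XXX", "George"):
        return "Deny"
    return "NotApplicable"

def present_via_bag_size(store, name):
    # integer-greater-than(type-bag-size(designator), 0)
    return len(store.designator(name)) > 0

def demo():
    """Returns rule outcomes per constructed subject and retrieval cost."""
    subjects = {"absent": {}, "george": {"XXX": ["George"]}, "alice": {"XXX": ["Alice"]}}
    outcomes = {k: (rule_not_match(AttributeStore(a)),
                    rule_present_and_not_match(AttributeStore(a)))
                for k, a in subjects.items()}
    faces = {"face-print": [bytes(2 * MB)] * 10}   # constructed: 10 x 2 MB
    by_size, by_query = AttributeStore(faces), AttributeStore(faces)
    assert present_via_bag_size(by_size, "face-print") and by_query.is_present("face-print")
    return outcomes, by_size.bytes_fetched, by_query.bytes_fetched

if __name__ == "__main__":
    print(demo())
```

The two rules differ only for the subject with no XXX attribute; the bag-size test retrieves all ten values while the presence query retrieves none.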


