Subject: [xacml] Proposed A.12 "Matching elements" rewording


Attached is a Microsoft Word document containing my proposed
re-wording of Appendix A.12 Matching elements.

Just for easier reference, a text version of the proposed
appendix section is also attached.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

Attachment: AppendixA12.doc
Description: Proposed revision of A.12 Matching elements

A.12 Matching elements

Matching elements appear in the <Target> element of rules,
policies and policy sets.  They are the following:
<SubjectMatch>
<ResourceMatch>
<ActionMatch>

A matching element contains a MatchId attribute that specifies
the function to be used in performing the match evaluation, an
<AttributeDesignator> or <AttributeSelector> element that
specifies an authorization request attribute, and an attribute
value that must match the specified authorization request
attribute.

The MatchId attribute SHALL specify a standard XACML function
that compares two arguments, returning a result type of
"http://www.w3.org/2001/XMLSchema#boolean".  The attribute value
specified in the matching element SHALL be supplied to the
MatchId function as its first argument.  An element of the bag
returned by the <AttributeDesignator> or <AttributeSelector>
element SHALL be supplied to the MatchId function as its second
argument[1].  The datatype of the <AttributeDesignator> or
<AttributeSelector> element SHALL match the datatype of the
second argument expected by the MatchId function.  The datatype
of the attribute value SHALL match the datatype of the first
argument expected by the MatchId function.

The XACML standard functions that may be used as a MatchId
attribute value are:
        function: <type>-equal
        function: <type>-greater-than
        function: <type>-greater-than-or-equal
        function: <type>-less-than
        function: <type>-less-than-or-equal
        function: <type>-match
Functions that are strictly within an extension to XACML SHALL
NOT appear as a value for the MatchId attribute.  Restricting the
MatchId attribute to XACML standard functions facilitates the use
of indexing to find the applicable policy for a particular
authorization request.

The evaluation semantics for a matching element is as follows.
If an operational error were to occur while evaluating the
<AttributeDesignator> or <AttributeSelector> element, then the
result of the entire expression SHALL be "Indeterminate".  If the
<AttributeDesignator> or <AttributeSelector> element were to
evaluate to an empty bag, then the result of the expression SHALL
be "False".  Otherwise, the MatchId function SHALL be applied
between the explicit attribute value and each element of the bag
returned from the <AttributeDesignator> or <AttributeSelector>
element.  If at least one of those function applications were to
evaluate to "True", then the result of the entire expression
SHALL be "True".  Otherwise, if at least one of the function
applications results in "Indeterminate", then the result SHALL be
"Indeterminate".  Finally, only if all function applications
evaluate to "False", the result of the entire expression SHALL be
"False".

It is possible to express the semantics of a target matching
element in a condition.  For instance, the target match
expression that compares a "subject-name" starting with the name
"John" can be expressed as follows:

<SubjectMatch
      MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
    <SubjectAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>
</SubjectMatch>

Alternatively, the same match semantics can be expressed as an
<Apply> element in a condition by using the
"urn:oasis:names:tc:xacml:1.0:function:any-of" function, as
follows:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>
    <SubjectAttributeDesignator
         AttributeId="urn:oasis:names:tc:xacml:1.0:subject-id"
         DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>

[1] The order of the arguments specified in a matching element is
the reverse of the order of the arguments passed to the MatchId
function.  The order of the arguments specified in a matching
element is also the reverse of the order of the arguments
specified in a Condition or Apply element in a Rule, even if the
function specified in the Condition or Apply FunctionId attribute
is the same function specified in a MatchId attribute.
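The evaluation semantics proposed above (operational error in the designator gives "Indeterminate", empty bag gives "False", then any "True" wins over any "Indeterminate", which wins over all "False"), the argument-order rule of footnote [1], and the any-of equivalence are easy to get wrong in a PDP. The following Python model is an added example written for this archive page; it is not part of Anne Anderson's proposal nor any OASIS reference code. The request context, the small function table (string-equal, regexp-string-match, integer-greater-than) and the FunctionError/DesignatorError classes are assumptions made for the illustration; the regular-expression matching uses Python's re.fullmatch to approximate the implicitly anchored XML Schema regular expressions that XACML uses.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# Added example: a model of XACML 1.0 matching-element evaluation, not OASIS code.
XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

TRUE, FALSE, INDETERMINATE = "True", "False", "Indeterminate"


@dataclass(frozen=True)
class AttributeValue:
    datatype: str
    value: str


class DesignatorError(Exception):
    """Assumed: operational error while evaluating an AttributeDesignator/Selector."""


class FunctionError(Exception):
    """Assumed: error while applying the MatchId function, e.g. a datatype mismatch."""


def _require(arg: AttributeValue, datatype: str) -> None:
    if arg.datatype != datatype:
        raise FunctionError(f"expected {datatype}, got {arg.datatype}")


# Standard two-argument boolean functions permitted in MatchId.  The argument
# order is the function-call order: (explicit <AttributeValue>, bag element).
def string_equal(a: AttributeValue, b: AttributeValue) -> bool:
    _require(a, XS_STRING); _require(b, XS_STRING)
    return a.value == b.value


def regexp_string_match(pattern: AttributeValue, s: AttributeValue) -> bool:
    _require(pattern, XS_STRING); _require(s, XS_STRING)
    # XML Schema regexes are implicitly anchored, so "John.*" means
    # "starts with John"; re.fullmatch approximates that anchoring.
    return re.fullmatch(pattern.value, s.value) is not None


def integer_greater_than(a: AttributeValue, b: AttributeValue) -> bool:
    _require(a, XS_INTEGER); _require(b, XS_INTEGER)
    return int(a.value) > int(b.value)


# Assumed subset of the standard function table.  Extension functions are
# deliberately absent: they are not allowed as MatchId values.
STANDARD_FUNCTIONS = {
    XACML_FN + "string-equal": string_equal,
    XACML_FN + "regexp-string-match": regexp_string_match,
    XACML_FN + "integer-greater-than": integer_greater_than,
}


def evaluate_match(match_id: str, attribute_value: AttributeValue,
                   designator: Callable[[], List[AttributeValue]]) -> str:
    """Evaluate one <SubjectMatch>/<ResourceMatch>/<ActionMatch> element.

    `designator` models the <AttributeDesignator>/<AttributeSelector>: it
    returns the bag of request attributes or raises DesignatorError.
    """
    if match_id not in STANDARD_FUNCTIONS:
        # Policy-load-time error: only standard functions may appear in MatchId.
        raise ValueError(f"non-standard MatchId function: {match_id}")
    fn = STANDARD_FUNCTIONS[match_id]
    try:
        bag = designator()
    except DesignatorError:
        return INDETERMINATE          # operational error -> Indeterminate
    if not bag:
        return FALSE                  # empty bag -> False
    saw_indeterminate = False
    for element in bag:               # explicit value first, bag element second
        try:
            if fn(attribute_value, element):
                return TRUE           # any True wins, even beside Indeterminates
        except FunctionError:
            saw_indeterminate = True
    return INDETERMINATE if saw_indeterminate else FALSE


def any_of(function_id: str, attribute_value: AttributeValue,
           bag: List[AttributeValue]) -> str:
    """The Condition form: <Apply FunctionId="any-of"> over the same arguments,
    in the same order as the function call (value first, then the bag)."""
    fn = STANDARD_FUNCTIONS[function_id]
    try:
        return TRUE if any(fn(attribute_value, e) for e in bag) else FALSE
    except FunctionError:
        return INDETERMINATE


# Constructed request contexts used for the examples below.
def bag_of(*values: AttributeValue) -> Callable[[], List[AttributeValue]]:
    return lambda: list(values)


def failing_designator() -> List[AttributeValue]:
    raise DesignatorError("constructed PIP failure")


JOHN = AttributeValue(XS_STRING, "John.*")
REGEXP = XACML_FN + "regexp-string-match"
GT = XACML_FN + "integer-greater-than"

if __name__ == "__main__":
    names = bag_of(AttributeValue(XS_STRING, "Mary"), AttributeValue(XS_STRING, "John Doe"))
    print(evaluate_match(REGEXP, JOHN, names), any_of(REGEXP, JOHN, names()))
```

The integer-greater-than case is the one to watch: with the explicit value 10 and a request attribute 5, the match element computes greater-than(10, 5), which is "True", so a policy author who reads the element as "request attribute greater than 10" gets the opposite of what was intended.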

