Subject: [xacml] Proposed A.12 "Matching elements" rewording
Attached is a Microsoft Word document containing my proposed re-wording of Appendix A.12 Matching elements. Just for easier reference, a text version of the proposed appendix section is also attached.

Anne
--
Anne H. Anderson                Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA   Fax: 781/442-1692
Attachment:
AppendixA12.doc
Description: Proposed revision of A.12 Matching elements
A.12. Matching elements

Matching elements appear in the <Target> element of rules, policies and policy sets. They are the following:

    <SubjectMatch>
    <ResourceMatch>
    <ActionMatch>

A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an <AttributeDesignator> or <AttributeSelector> element that specifies an authorization request attribute, and an attribute value that must match the specified authorization request attribute.

The MatchId attribute SHALL specify a standard XACML function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument[1]. The datatype of the <AttributeDesignator> or <AttributeSelector> element SHALL match the datatype of the second argument expected by the MatchId function. The datatype of the attribute value SHALL match the datatype of the first argument expected by the MatchId function.

The XACML standard functions that may be used as a MatchId attribute value are:

    function: <type>-equal
    function: <type>-greater-than
    function: <type>-greater-than-or-equal
    function: <type>-less-than
    function: <type>-less-than-or-equal
    function: <type>-match

Functions that are strictly within an extension to XACML SHALL NOT appear as a value for the MatchId attribute. Restricting the MatchId attribute to XACML standard functions facilitates the use of indexing to find the applicable policy for a particular authorization request.

The evaluation semantics for a matching element is as follows. If an operational error were to occur while evaluating the <AttributeDesignator> or <AttributeSelector> element, then the result of the entire expression SHALL be "Indeterminate". If the <AttributeDesignator> or <AttributeSelector> element were to evaluate to an empty bag, then the result of the expression SHALL be "False". Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element. If at least one of those function applications were to evaluate to "True", then the result of the entire expression SHALL be "True". Otherwise, if at least one of the function applications results in "Indeterminate", then the result SHALL be "Indeterminate". Finally, only if all function applications evaluate to "False", the result of the entire expression SHALL be "False".

It is possible to express the semantics of a target matching element in a condition. For instance, the target match expression that compares a "subject-name" starting with the name "John" can be expressed as follows:

    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
      <SubjectAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>
    </SubjectMatch>

Alternatively, the same match semantics can be expressed as an <Apply> element in a condition by using the "urn:oasis:names:tc:xacml:1.0:function:any-of" function, as follows:

    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>
      <SubjectAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>

[1] The order of the arguments specified in a matching element is the reverse of the order of the arguments passed to the MatchId function. The order of the arguments specified in a matching element is also the reverse of the order of the arguments specified in a Condition or Apply element in a Rule, even if the function specified in the Condition or Apply FunctionId attribute is the same function specified in a MatchId attribute.
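The following is an added example, not part of the proposed appendix text or of any XACML implementation: a small Python evaluator that parses a matching element with the standard library and applies the evaluation rules stated above (Indeterminate on a designator error, False on an empty bag, otherwise the MatchId function applied to the explicit value as its first argument and each bag element as its second, with True winning over Indeterminate and Indeterminate over False). The function identifiers and the <SubjectMatch> sample are the ones given in the appendix; the request-context dictionary, the DesignatorError class, the <ActionMatch> sample and the attribute id "urn:example:attr:amount" are constructed for the demonstration. AttributeSelector is not handled, and XML Schema regular expressions are treated as anchored whole-string matches; both are simplifications of this example.

```python
"""Evaluate an XACML 1.0 matching element (SubjectMatch, ResourceMatch, ActionMatch).

Added example code; request contexts, the ActionMatch sample and DesignatorError
are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"

TRUE, FALSE, INDETERMINATE = "True", "False", "Indeterminate"

# Lexical form (as carried in a request) -> typed value, keyed by XML Schema datatype.
CONVERTERS = {XS + "string": str, XS + "integer": int}

# Registry of standard MatchId functions: (datatype of argument 1, datatype of
# argument 2, implementation). Argument 1 is the element's AttributeValue,
# argument 2 is one element of the designator's bag. Treating the regular
# expression as anchored (whole-string) is an assumption of this example.
FUNCTIONS = {
    XACML_FN + "string-equal": (XS + "string", XS + "string", lambda a, b: a == b),
    XACML_FN + "integer-greater-than": (XS + "integer", XS + "integer", lambda a, b: a > b),
    XACML_FN + "regexp-string-match": (XS + "string", XS + "string",
                                       lambda regexp, s: re.fullmatch(regexp, s) is not None),
}


class DesignatorError(Exception):
    """Constructed stand-in for an operational error while resolving an attribute."""


def lookup(context, attribute_id):
    """Return the bag for attribute_id. The context is a constructed dict mapping
    AttributeId -> list of lexical values; an Exception instance in place of a
    list simulates a resolution failure (e.g. an unreachable attribute source)."""
    bag = context.get(attribute_id, [])
    if isinstance(bag, Exception):
        raise bag
    return bag


def evaluate_match(match_elem, context):
    """Apply the appendix's evaluation semantics to one parsed matching element."""
    match_id = match_elem.get("MatchId")
    if match_id not in FUNCTIONS:
        # Extension functions SHALL NOT appear as a MatchId: reject the policy.
        raise ValueError("MatchId must be a standard XACML function: %s" % match_id)
    dt1, dt2, impl = FUNCTIONS[match_id]
    value_elem = match_elem.find("AttributeValue")
    # Only the *AttributeDesignator forms are handled here, not AttributeSelector.
    designator = next(c for c in match_elem if c.tag.endswith("AttributeDesignator"))
    if value_elem.get("DataType") != dt1 or designator.get("DataType") != dt2:
        raise ValueError("datatype of AttributeValue or designator does not fit " + match_id)
    explicit = CONVERTERS[dt1](value_elem.text)

    try:
        bag = lookup(context, designator.get("AttributeId"))
    except DesignatorError:
        return INDETERMINATE          # error while evaluating the designator
    if not bag:
        return FALSE                  # empty bag
    saw_indeterminate = False
    for lexical in bag:
        try:
            # Explicit value is the FIRST argument, the bag element the SECOND.
            if impl(explicit, CONVERTERS[dt2](lexical)):
                return TRUE           # a single True decides the whole element
        except (ValueError, TypeError):
            saw_indeterminate = True  # this one application is Indeterminate
    return INDETERMINATE if saw_indeterminate else FALSE


def evaluate(xml_text, context):
    return evaluate_match(ET.fromstring(xml_text), context)


SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject-id"
AMOUNT = "urn:example:attr:amount"   # constructed attribute id

# The appendix's own SubjectMatch example.
SUBJECT_MATCH = f"""<SubjectMatch MatchId="{XACML_FN}regexp-string-match">
  <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS}string"/>
  <AttributeValue DataType="{XS}string">John.*</AttributeValue>
</SubjectMatch>"""

# Constructed sample. Because of the argument order this tests 100 > amount,
# i.e. "amount is below 100", not "amount is above 100".
ACTION_MATCH = f"""<ActionMatch MatchId="{XACML_FN}integer-greater-than">
  <ActionAttributeDesignator AttributeId="{AMOUNT}" DataType="{XS}integer"/>
  <AttributeValue DataType="{XS}integer">100</AttributeValue>
</ActionMatch>"""

if __name__ == "__main__":
    print(evaluate(SUBJECT_MATCH, {SUBJECT_ID: ["Jane Roe", "John Doe"]}))   # True
    print(evaluate(SUBJECT_MATCH, {}))                                        # False
    print(evaluate(SUBJECT_MATCH, {SUBJECT_ID: DesignatorError("no PIP")}))  # Indeterminate
    print(evaluate(ACTION_MATCH, {AMOUNT: ["42"]}))                           # True
    print(evaluate(ACTION_MATCH, {AMOUNT: ["250", "N/A"]}))                   # Indeterminate
```

The <ActionMatch> sample is there to make the footnote concrete: with integer-greater-than the element's AttributeValue is the first argument, so the match reads "100 > amount". A policy author who carries over the Condition/Apply argument order and expects "amount > 100" gets the opposite decision, which is the kind of silent inversion worth catching in policy review or in a test suite like the assertions above.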