Subject: Re: [xacml] Possible future XACML TC work
>> I assume you're talking about different requests

I'm not talking about different requests.

>> the Target requirements from the two rules can always be combined

Do you mean that we can always combine two rules with different targets but with the same effect and same condition into a single rule? How to combine the following two rules?

  <Condition id="c1"> <!-- the definition of "c1" -->
    A condition description is here.
  </Condition>
  <Rule RuleId="r1" Effect="Permit">
    <Target> subject-id="Manager" AND action-id="write" </Target>
    <Condition ref="c1"> <!-- just a reference -->
  </Rule>
  <Rule RuleId="r2" Effect="Permit">
    <Target> subject-id="Employee" AND action-id="read" </Target>
    <Condition ref="c1"> <!-- just a reference -->
  </Rule>

-----------------------------------------------------

If the XACML schema allows a rule to have multiple conditions (combined by "AND" or "OR"), we can write a policy like this.

  <Condition id="c1"/>
  <Condition id="c2"/>
  <Condition id="c3"/>
  <Rule id="r1">
    <Condition ref="c1">
    <Condition ref="c2">
  </Rule>
  <Rule id="r2">
    <Condition ref="c2">
    <Condition ref="c3">
  </Rule>

In this case, the evaluation result of "c2" can be reused.

My point is that the condition specification in rules can be composable by defining conditions outside rules and referencing the defined conditions from rules. I think such a composable feature would be useful for the cache of condition evaluation results.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com

Seth Proctor <seth.proctor@sun.com>
2003/02/14 00:46
To: Satoshi Hada/Japan/IBM@IBMJP
cc: Michiharu Kudoh/Japan/IBM@IBMJP, XACML TC <xacml@lists.oasis-open.org>
Subject: Re: [xacml] Possible future XACML TC work

> <Condition id="c1"> <!-- the definition of "c1" -->
>   A condition description is here.
> </Condition>
> <Rule id="r1">
>   <Condition ref="c1"> <!-- just a reference -->
> </Rule>
> <Rule id="r2">
>   <Condition ref="c1"> <!-- just a reference -->
> </Rule>

Per my last email, I assume you're talking about different requests, since this policy doesn't seem all that useful to me. If two rules have the same condition, then why have two rules? There's no real value that I can see in writing a policy like this unless you want different Target requirements, but the Target requirements from the two rules can always be combined (unless you want different Effects, but again I don't see why you form a Policy like that). Maybe I just need a more concrete example...

seth
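An added illustration, not part of the original message and not code from the XACML TC: a minimal evaluator for the condition-reference syntax proposed above, showing that c2 is evaluated once per request even though r1 and r2 both reference it. The attr/equals form of a condition definition, the sample policy and the evaluate function are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the syntax proposed in the message. The attr/equals
# form of a condition definition is an assumption made for this example.
POLICY = """
<Policy>
  <Condition id="c1" attr="role" equals="Manager"/>
  <Condition id="c2" attr="dept" equals="finance"/>
  <Condition id="c3" attr="location" equals="onsite"/>
  <Rule id="r1" Effect="Permit"><Condition ref="c1"/><Condition ref="c2"/></Rule>
  <Rule id="r2" Effect="Permit"><Condition ref="c2"/><Condition ref="c3"/></Rule>
</Policy>
"""

def evaluate(policy_xml, request):
    """Return ({rule id: bool}, {condition id: evaluation count}) for one request."""
    root = ET.fromstring(policy_xml)
    # Only top-level <Condition> elements are definitions; those nested in a
    # <Rule> are references.
    definitions = {c.get("id"): c for c in root.findall("Condition")}
    cache = {}   # scoped to this request only; never shared across requests
    counts = {}  # how many times each definition was actually evaluated

    def condition(ref):
        if ref not in definitions:
            # A dangling reference must not silently evaluate to anything.
            raise ValueError(f"undefined condition reference: {ref}")
        if ref not in cache:
            d = definitions[ref]
            counts[ref] = counts.get(ref, 0) + 1
            cache[ref] = request.get(d.get("attr")) == d.get("equals")
        return cache[ref]

    results = {}
    for rule in root.findall("Rule"):
        refs = [c.get("ref") for c in rule.findall("Condition")]
        # Conditions within a rule are combined with AND. Every reference is
        # evaluated (no short-circuit) so the reuse shows up in the counts.
        results[rule.get("id")] = all([condition(r) for r in refs])
    return results, counts
```

The cache lives inside a single call, so a result computed for one request's attributes can never be served to a different request.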