

Subject: Re: [xacml] Possible future XACML TC work



>>I assume you're talking about different requests

I'm not talking about different requests.

>> the Target requirements from the two rules can always be combined

Do you mean that we can always combine two rules with different targets but
with the same effect and same condition into a single rule?

How to combine the following two rules?

<Condition id="c1"> <!-- the definition of "c1" -->
  A condition description is here.
</Condition>

<Rule RuleId="r1" Effect="Permit">
  <Target>
    subject-id="Manager" AND action-id="write"
  </Target>
  <Condition ref="c1"/> <!-- just a reference -->
</Rule>

<Rule RuleId="r2" Effect="Permit">
  <Target>
    subject-id="Employee" AND action-id="read"
  </Target>
  <Condition ref="c1"/> <!-- just a reference -->
</Rule>

-----------------------------------------------------

If the XACML schema allows a rule to have multiple conditions (combined by
"AND" or "OR"), we can write a policy like this.

<Condition id="c1"/>
<Condition id="c2"/>
<Condition id="c3"/>

<Rule id="r1">
  <Condition ref="c1"/>
  <Condition ref="c2"/>
</Rule>

<Rule id="r2">
  <Condition ref="c2"/>
  <Condition ref="c3"/>
</Rule>

In this case, the evaluation result of "c2" can be reused.

My point is that the condition specification in rules can be composable by
defining conditions outside rules and referencing the defined conditions
from rules. I think such a composable feature would be useful for the cache
of condition evaluation results.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com


                                                                                                                                   
From:     Seth Proctor <seth.proctor@sun.com>
To:       Satoshi Hada/Japan/IBM@IBMJP
cc:       Michiharu Kudoh/Japan/IBM@IBMJP, XACML TC <xacml@lists.oasis-open.org>
Subject:  Re: [xacml] Possible future XACML TC work
Date:     2003/02/14 00:46

> <Condition id="c1"> <!-- the definition of "c1" -->
>   A condition description is here.
> </Condition>
> <Rule id="r1">
>   <Condition ref="c1"> <!-- just a reference -->
> </Rule>
> <Rule id="r2">
>   <Condition ref="c1"> <!-- just a reference -->
> </Rule>

Per my last email, I assume you're talking about different requests, since
this policy doesn't seem all that useful to me. If two rules have the same
condition, then why have two rules? There's no real value that I can see in
writing a policy like this unless you want different Target requirements,
but the Target requirements from the two rules can always be combined
(unless you want different Effects, but again I don't see why you form a
Policy like that). Maybe I just need a more concrete example...


seth
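
The condition-reuse idea in the reply above (r1 references c1 and c2, r2 references c2 and c3), sketched as an added example that is not part of the original message or of any XACML implementation. The condition bodies, the request attributes, the Permit effects and all Python names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]

@dataclass
class Rule:
    rule_id: str
    effect: str
    condition_refs: List[str]                               # ANDed references to shared conditions
    target: Dict[str, str] = field(default_factory=dict)    # ANDed attribute matches

class ConditionCache:
    """Memoizes named conditions for ONE request; results depend on the
    request's attributes, so the cache must not outlive the request."""
    def __init__(self, definitions: Dict[str, Callable[[Request], bool]], request: Request):
        self.definitions, self.request = definitions, request
        self.results: Dict[str, bool] = {}
        self.evaluations: Dict[str, int] = {}   # how often each condition body actually ran

    def evaluate(self, cond_id: str) -> bool:
        if cond_id not in self.results:
            self.evaluations[cond_id] = self.evaluations.get(cond_id, 0) + 1
            self.results[cond_id] = bool(self.definitions[cond_id](self.request))
        return self.results[cond_id]

def evaluate_rules(rules, definitions, request) -> Tuple[Dict[str, str], Dict[str, int]]:
    cache = ConditionCache(definitions, request)
    decisions = {}
    for rule in rules:
        if any(request.get(k) != v for k, v in rule.target.items()):
            decisions[rule.rule_id] = "NotApplicable"
        elif any(ref not in definitions for ref in rule.condition_refs):
            decisions[rule.rule_id] = "Indeterminate"   # dangling reference: never default to Permit
        elif all(cache.evaluate(ref) for ref in rule.condition_refs):
            decisions[rule.rule_id] = rule.effect
        else:
            decisions[rule.rule_id] = "NotApplicable"   # a false condition makes the rule not apply
    return decisions, cache.evaluations

# Constructed sample data mirroring r1 (c1, c2) and r2 (c2, c3) from the message.
DEFINITIONS = {
    "c1": lambda req: req.get("department") == "sales",
    "c2": lambda req: 9 <= int(req.get("hour", "-1")) < 17,
    "c3": lambda req: req.get("resource-owner") == req.get("subject-id"),
}
RULES = [Rule("r1", "Permit", ["c1", "c2"]), Rule("r2", "Permit", ["c2", "c3"])]
REQUEST = {"subject-id": "alice", "department": "sales", "hour": "10", "resource-owner": "alice"}

def demo():
    return evaluate_rules(RULES, DEFINITIONS, REQUEST)
```
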