Subject: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Rule element
Proposed XACML 1.1 Solution for Obligations in Rule element

Problem Description
===================

XACML 1.0 allows a PolicySet and Policy to include an Obligations element but does not allow a Rule to include it. Allowing an Obligations element in Rules could make Policies shorter, particularly when each Rule has the identical target description but a different condition expression. For more detail, please refer to http://lists.oasis-open.org/archives/xacml/200303/msg00006.html

Proposal
========

Allow XACML <Rule> elements to contain an <Obligations> element. There is no need to define a new schema or a new schema type.

  <xs:element name="Rule" type="xacml:RuleType"/>
  <xs:complexType name="RuleType">
    <xs:sequence>
      <xs:element ref="xacml:Description" minOccurs="0"/>
      <xs:element ref="xacml:Target" minOccurs="0"/>
      <xs:element ref="xacml:Condition" minOccurs="0"/>
      <xs:element ref="xacml:Obligations" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
    <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
  </xs:complexType>

Discussion
==========

XACML TC decided not to have obligations in the rule element to avoid any extra complexity in the specification. Actually, allowing an Obligations element in Rule does NOT generate more complexity. Moreover, there is no need to change the semantics. So, allowing obligations in the rule element still keeps the spec at the same complexity.

The description of Section 7.11 only needs a minimal modification, such that the text changes from "PolicySet and Policy may contain one or more obligations" to "PolicySet, Policy and Rule may contain one or more obligations". The description of the combining algorithm needs a minimal addition, such as inserting one line of text, "Obligations of the individual rules shall be combined as described in Section 7.11.", before line 4637.

Since the Obligations element is optional, this extension affects only implementations that support obligations specified in the current XACML specification. There had been some discussion about insufficient description of the *-combining algorithm, but this extension is orthogonal to that argument.
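
One reading of the proposal above, as an added example that is not part of the original message or of any TC text: a toy first-applicable evaluator that returns a rule's obligations together with the enclosing policy's. It assumes the Section 7.11 behaviour that an obligation is returned only when its FulfillOn value matches the effect of the element that was evaluated; the sample policy, the namespace-free markup and the attribute-equality <Condition> are constructed simplifications.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the original message). Namespaces are
# omitted and <Condition> is a simplified attribute-equality stand-in for a
# real XACML condition expression.
POLICY = """
<Policy PolicyId="records" RuleCombiningAlgId="first-applicable">
  <Rule RuleId="doctor-read" Effect="Permit">
    <Condition attr="role" equals="doctor"/>
    <Obligations>
      <Obligation ObligationId="log-access" FulfillOn="Permit"/>
    </Obligations>
  </Rule>
  <Rule RuleId="auditor-read" Effect="Permit">
    <Condition attr="role" equals="auditor"/>
    <Obligations>
      <Obligation ObligationId="notify-owner" FulfillOn="Permit"/>
      <Obligation ObligationId="alert-admin" FulfillOn="Deny"/>
    </Obligations>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
  <Obligations>
    <Obligation ObligationId="policy-audit" FulfillOn="Deny"/>
  </Obligations>
</Policy>
"""

def matching(parent, effect):
    """Obligation ids directly under parent whose FulfillOn equals effect."""
    return [o.get("ObligationId")
            for o in parent.findall("Obligations/Obligation")
            if o.get("FulfillOn") == effect]

def evaluate(policy_xml, request):
    """First-applicable evaluation returning (decision, obligations)."""
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall("Rule"):
        cond = rule.find("Condition")
        if cond is not None and request.get(cond.get("attr")) != cond.get("equals"):
            continue  # rule not applicable: its obligations are never returned
        effect = rule.get("Effect")
        # Rule-level obligations first, then the enclosing policy's.
        return effect, matching(rule, effect) + matching(policy, effect)
    return "NotApplicable", []
```

The two Permit rules share one target and differ only in condition and obligations, which is the case the message says would otherwise need separate policies.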