OASIS Mailing List Archives



xacml message


Subject: Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Ruleelement

With this proposal I assume that the 'combining' mechanism will not
change from the current spec: it will be an implicit AND for all
returned obligations (the PEP will have to sort it out). Is this correct?


Michiharu Kudoh wrote:
> Proposed XACML 1.1 Solution for Obligations in Rule element
>
> Problem Description
> ===================
> XACML 1.0 allows a PolicySet and Policy to include an Obligations
> element but does not allow a Rule to include it.
> Allowing an Obligations element in Rules could make Policies shorter,
> particularly when each Rule has the identical target description
> but a different condition expression. For more detail, please refer to
> http://lists.oasis-open.org/archives/xacml/200303/msg00006.html
>
> Proposal
> ========
> Allow XACML <Rule> elements to contain an <Obligations> element.
> There is no need to define a new schema or new schema type.
>
> <xs:element name="Rule" type="xacml:RuleType"/>
> <xs:complexType name="RuleType">
>       <xs:sequence>
>             <xs:element ref="xacml:Description" minOccurs="0"/>
>             <xs:element ref="xacml:Target" minOccurs="0"/>
>             <xs:element ref="xacml:Condition" minOccurs="0"/>
>             <xs:element ref="xacml:Obligations" minOccurs="0"/>
>       </xs:sequence>
>       <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
>       <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
> </xs:complexType>
>
> Discussion
> ==========
> XACML TC decided not to have obligations in the rule element to avoid
> any extra complexity in the specification. Actually, allowing an
> Obligations element in Rule does NOT generate more complexity.
> Moreover, there is no need to change the semantics. So, allowing
> obligations in the rule element still keeps the spec at the same complexity.
>
> The description of Section 7.11 only needs minimum
> modification such that the text changes from "PolicySet and Policy may
> contain one or more obligations" to "PolicySet, Policy and Rule may
> contain one or more obligations".
>
> The description of the combining algorithm needs a minimum addition,
> like just inserting one line of text "Obligations of the individual
> rules shall be combined as described in Section 7.11." before
> line 4637.
>
> Since the Obligations element is optional, this extension
> affects only implementations that support obligations specified
> in the current XACML specification.
>
> There had been some discussion about insufficient description
> of the *-combining algorithm, but this extension is orthogonal
> to that argument.
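
Added example, not part of either message or of the XACML specification: a simplified Python evaluator showing one reading of the proposal, in which obligations on the rules that fired are filtered by FulfillOn against the combined decision and returned to the PEP as a single list, all of which must be fulfilled (the implicit AND asked about in the reply). The policy, rule ids, obligation ids and the `attr`/`equals` condition form are constructed for illustration, and the rule that only rules whose Effect equals the combined decision contribute obligations is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed policy. Namespaces are omitted and <Condition> is reduced to one
# attribute-equality test; real XACML conditions are <Apply> expressions.
POLICY = """
<Policy PolicyId="records"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Rule RuleId="doctor-read" Effect="Permit">
    <Condition attr="role" equals="doctor"/>
    <Obligations><Obligation ObligationId="log-access" FulfillOn="Permit"/></Obligations>
  </Rule>
  <Rule RuleId="emergency-read" Effect="Permit">
    <Condition attr="emergency" equals="true"/>
    <Obligations>
      <Obligation ObligationId="notify-privacy-officer" FulfillOn="Permit"/>
      <Obligation ObligationId="log-denial" FulfillOn="Deny"/>
    </Obligations>
  </Rule>
  <Rule RuleId="block-suspended" Effect="Deny">
    <Condition attr="suspended" equals="true"/>
    <Obligations><Obligation ObligationId="alert-security" FulfillOn="Deny"/></Obligations>
  </Rule>
  <Obligations><Obligation ObligationId="audit" FulfillOn="Permit"/></Obligations>
</Policy>
"""

def evaluate(policy_xml, request):
    """Return (decision, obligation ids) under a simplified deny-overrides."""
    policy = ET.fromstring(policy_xml)
    fired = []  # rules whose condition held, in document order
    for rule in policy.findall("Rule"):
        cond = rule.find("Condition")
        if cond is None or request.get(cond.get("attr")) == cond.get("equals"):
            fired.append(rule)
    if not fired:
        return "NotApplicable", []  # no rule produced an effect: no obligations
    decision = "Deny" if any(r.get("Effect") == "Deny" for r in fired) else "Permit"
    # Assumed reading of the proposal: a rule contributes only if its Effect is
    # the combined decision; the policy's own obligations are appended last.
    scopes = [r for r in fired if r.get("Effect") == decision] + [policy]
    obligations = [ob.get("ObligationId")
                   for scope in scopes
                   for ob in scope.findall("Obligations/Obligation")
                   if ob.get("FulfillOn") == decision]  # FulfillOn must match
    return decision, obligations

if __name__ == "__main__":
    # The PEP receives one flat list and must fulfil every entry (implicit AND).
    print(evaluate(POLICY, {"role": "doctor", "emergency": "true"}))
    print(evaluate(POLICY, {"role": "doctor", "suspended": "true"}))
```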
