
Subject: Proposal on item 7 ConditionReference

>7. ConditionReference
>
>  General proposal now accepted.  Waiting for the specific
>  line-by-line specification changes.

The following is a proposal on Item 7: ConditionReference

Regarding the motivating examples, please refer to the original draft
proposal:
http://lists.oasis-open.org/archives/xacml/200304/msg00039.html

1. Overview

This proposal extends XACML 1.1 to support more succinct condition
specification. The extension allows policy writers to define a set of
condition expressions at a place and refer to it from inside the policy.
This condition reference does not extend beyond the policy boundary to meet
the agreement that the minimum administration unit is a policy. The
extension consists of two parts: condition-level reference and apply-level
reference.

Condition-level reference allows a Rule to contain a ConditionIdReference
element as an alternative to a Condition element.  The ConditionReference
would identify a ConditionDef element specified below Policy element. This
allows a single Condition to be re-used in Rules under different Targets. A
ConditionId attribute is added to the ConditionDef element to support this.

To support finer-grained condition reference, apply-level reference allows
a condition or apply to contain an ApplyIdReference element as an
alternative to an Apply element. The ApplyReference would identify an
ApplyDef element specified below Policy element. This allows a single Apply
to be re-used in Conditions or Apply in Rules under different Conditions
and Targets. An ApplyId attribute is added to the ApplyDef element to
support this.

2. Sample policy specifications

<Policy>
  <ConditionDef ConditionId="CheckAgeBetween20-60"
                FunctionId="...function:and">
    <Apply FunctionId="...integer-greater-than-or-equal">
       ... age is equal or greater than 20 ...
    </Apply>
    <Apply FunctionId="...integer-less-than-or-equal">
       ... age is equal or less than 60 ...
    </Apply>
  </ConditionDef>
  <Rule Effect="Permit">
    <Target> ... target 1 ... </Target>
    <ConditionIdReference>CheckAgeBetween20-60</ConditionIdReference>
  </Rule>
  <Rule Effect="Permit">
    <Target> ... target 2 ... </Target>
    <ConditionIdReference>CheckAgeBetween20-60</ConditionIdReference>
  </Rule>
</Policy>


3. Specification modifications
(based on the XACML 1.1 pdf doc as of Aug 7, 2003)

+ Line 2083, Section 5.20, insert
<xs:element ref="xacml:ConditionDef" minOccurs="0"/>
<xs:element ref="xacml:ApplyDef" minOccurs="0"/>

+ Line 2105, Section 5.20, insert
<ConditionDef> [Optional]
Defines a set of condition expressions referred from the rules in the
enclosing policy.

<ApplyDef> [Optional]
Defines a set of apply expressions referred from the rules in the enclosing
policy.

+ Line 2135, new Section 5.22 and 5.23, insert
5.22. Element <ConditionDef>
The <ConditionDef> element SHALL specify a set of condition expressions
referred from the rules in the enclosing policy.

<xs:element name="ConditionDef" type="xacml:ConditionDefType"/>
<xs:complexType name="ConditionDefType">
  <xs:complexContent>
    <xs:extension base="xacml:ApplyType">
      <xs:attribute name="ConditionId" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

5.23. Element <ApplyDef>
The <ApplyDef> element SHALL specify a set of apply expressions referred
from the rules in the enclosing policy.

<xs:element name="ApplyDef" type="xacml:ApplyDefType"/>
<xs:complexType name="ApplyDefType">
  <xs:complexContent>
    <xs:extension base="xacml:ApplyType">
      <xs:attribute name="ApplyId" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

+ Line 2143, old Section 5.22, insert
<xs:element ref="xacml:ConditionIdReference" minOccurs="0"/>

+ Line 2165, Section 5.22, insert
<ConditionIdReference> [Optional]
The <xacml:ConditionIdReference> element SHALL be used to reference a
<ConditionDef> element by id. If <ConditionIdReference> is a URL, then it
MAY be resolvable to the <Condition>. The mechanism for resolving a
condition reference to the corresponding condition is outside the scope of
this specification.
<xs:element name="ConditionIdReference" type="xs:anyURI"/>
Element <ConditionIdReference> is of xs:anyURI simple type.

+ Line 2182, Section 5.25, modify the line
call. The <Apply> element can be applied to any combination of <Apply>,
<ApplyIdReference>,

+ Line 2190, Section 5.25, insert
<xs:element ref="xacml:ApplyIdReference"/>

+ Line 2208, Section 5.25, insert
<ApplyIdReference> [Optional]
A function call reference.


4. Schema modifications
The following lists schema fragments affected by this proposal.

<xs:complexType name="PolicyType">
      <xs:sequence>
            <xs:element ref="xacml:Description" minOccurs="0"/>
            <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
            <xs:element ref="xacml:ConditionDef" minOccurs="0"/>
            <xs:element ref="xacml:ApplyDef" minOccurs="0"/>
            <xs:element ref="xacml:Target"/>
            <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
      <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
</xs:complexType>

<xs:element name="ConditionDef" type="xacml:ConditionDefType"/>
<xs:complexType name="ConditionDefType">
  <xs:complexContent>
    <xs:extension base="xacml:ApplyType">
      <xs:attribute name="ConditionId" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

<xs:element name="ApplyDef" type="xacml:ApplyDefType"/>
<xs:complexType name="ApplyDefType">
  <xs:complexContent>
    <xs:extension base="xacml:ApplyType">
      <xs:attribute name="ApplyId" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>

<xs:complexType name="RuleType">
      <xs:sequence>
            <xs:element ref="xacml:Description" minOccurs="0"/>
            <xs:element ref="xacml:Target" minOccurs="0"/>
            <xs:element ref="xacml:Condition" minOccurs="0"/>
            <xs:element ref="xacml:ConditionIdReference" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
      <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>

<xs:complexType name="ApplyType">
      <xs:choice minOccurs="0" maxOccurs="unbounded">
            <xs:element ref="xacml:Apply"/>
            <xs:element ref="xacml:ApplyIdReference"/>
            <xs:element ref="xacml:Function"/>
            <xs:element ref="xacml:AttributeValue"/>
            <xs:element ref="xacml:SubjectAttributeDesignator"/>
            <xs:element ref="xacml:ResourceAttributeDesignator"/>
            <xs:element ref="xacml:ActionAttributeDesignator"/>
            <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
            <xs:element ref="xacml:AttributeSelector"/>
      </xs:choice>
      <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
      <!-- Legal types for the first and subsequent operands are defined in the accompanying table -->
</xs:complexType>

Best,
Michiharu
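As an added example (not part of the original message, and not code from the XACML specification or any OASIS project), the following Python resolves the proposed <ConditionIdReference> and <ApplyIdReference> elements against the <ConditionDef> and <ApplyDef> definitions of the enclosing <Policy>, i.e. one possible "resolution mechanism" that the proposal itself leaves out of scope, serving sections 1 through 4 above. The element and attribute names come from the proposal; the sample policy, its URNs, attribute ids and the namespace-free markup are constructed assumptions. Beyond the happy path, it rejects the conditions a resolver must treat as policy errors: a reference that does not resolve inside the same policy (references never cross the policy boundary), a rule that carries both a <Condition> and a <ConditionIdReference>, and an <ApplyDef> that references itself directly or through other definitions.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample policy in the shape of section 2, with the placeholders
# filled in and ApplyDef used for the lower bound. Namespaces are omitted.
XS_INT = "http://www.w3.org/2001/XMLSchema#integer"
F = "urn:oasis:names:tc:xacml:1.0:function:"
SAMPLE_POLICY = f"""<Policy PolicyId="urn:example:policy1"
        RuleCombiningAlgId="urn:example:deny-overrides">
  <ApplyDef ApplyId="AgeAtLeast20" FunctionId="{F}integer-greater-than-or-equal">
    <SubjectAttributeDesignator AttributeId="urn:example:age" DataType="{XS_INT}"/>
    <AttributeValue DataType="{XS_INT}">20</AttributeValue>
  </ApplyDef>
  <ConditionDef ConditionId="CheckAgeBetween20-60" FunctionId="{F}and">
    <ApplyIdReference>AgeAtLeast20</ApplyIdReference>
    <Apply FunctionId="{F}integer-less-than-or-equal">
      <SubjectAttributeDesignator AttributeId="urn:example:age" DataType="{XS_INT}"/>
      <AttributeValue DataType="{XS_INT}">60</AttributeValue>
    </Apply>
  </ConditionDef>
  <Target/>
  <Rule RuleId="r1" Effect="Permit">
    <Target/>
    <ConditionIdReference>CheckAgeBetween20-60</ConditionIdReference>
  </Rule>
  <Rule RuleId="r2" Effect="Permit">
    <Target/>
    <ConditionIdReference>NoSuchCondition</ConditionIdReference>
  </Rule>
</Policy>"""


def index_defs(policy):
    """Map ConditionId -> <ConditionDef> and ApplyId -> <ApplyDef> for the
    definitions that sit directly under <Policy>. A duplicate id is an error
    because a reference must name exactly one definition."""
    conds, applies = {}, {}
    for child in policy:
        if child.tag == "ConditionDef":
            cid = child.get("ConditionId")
            if cid in conds:
                raise ValueError(f"duplicate ConditionId {cid!r}")
            conds[cid] = child
        elif child.tag == "ApplyDef":
            aid = child.get("ApplyId")
            if aid in applies:
                raise ValueError(f"duplicate ApplyId {aid!r}")
            applies[aid] = child
    return conds, applies


def expand_apply(elem, applies, tag, _stack=()):
    """Return a copy of `elem` (as element `tag`) in which every
    <ApplyIdReference> is replaced by an <Apply> carrying the referenced
    <ApplyDef>'s FunctionId and operands. Dangling references and reference
    cycles raise ValueError; `_stack` holds the ids currently being expanded."""
    out = ET.Element(tag)
    if elem.get("FunctionId"):
        out.set("FunctionId", elem.get("FunctionId"))
    for child in elem:
        if child.tag == "ApplyIdReference":
            ref = (child.text or "").strip()
            if ref not in applies:
                raise ValueError(f"unresolved ApplyIdReference {ref!r}")
            if ref in _stack:
                raise ValueError(f"ApplyIdReference cycle through {ref!r}")
            out.append(expand_apply(applies[ref], applies, "Apply", _stack + (ref,)))
        elif child.tag == "Apply":
            out.append(expand_apply(child, applies, "Apply", _stack))
        else:
            out.append(copy.deepcopy(child))  # designators, values, functions
    return out


def resolve_rules(policy_xml):
    """Parse a policy and resolve each rule's condition against the definitions
    of that same <Policy> only. Returns ({RuleId: resolved <Condition>},
    [problem descriptions]); rules with problems are left out of the map."""
    policy = ET.fromstring(policy_xml)
    conds, applies = index_defs(policy)
    resolved, problems = {}, []
    for rule in policy.iter("Rule"):
        rid = rule.get("RuleId")
        cond = rule.find("Condition")
        ref = rule.find("ConditionIdReference")
        if cond is not None and ref is not None:
            problems.append(f"rule {rid}: both Condition and ConditionIdReference present")
            continue
        try:
            if ref is not None:
                name = (ref.text or "").strip()
                if name not in conds:
                    raise ValueError(f"unresolved ConditionIdReference {name!r}")
                resolved[rid] = expand_apply(conds[name], applies, "Condition")
            elif cond is not None:
                resolved[rid] = expand_apply(cond, applies, "Condition")
        except ValueError as exc:
            problems.append(f"rule {rid}: {exc}")
    return resolved, problems


if __name__ == "__main__":
    ok, bad = resolve_rules(SAMPLE_POLICY)
    for rid, c in ok.items():
        print(rid, ET.tostring(c, encoding="unicode"))
    for p in bad:
        print("PROBLEM:", p)
```

Running it prints r1's fully inlined <Condition> (an "and" of two <Apply> elements) and one problem line for r2, whose reference names a definition that does not exist in the policy. Because lookups use only the definitions collected from the enclosing <Policy>, a reference to a definition in another policy fails the same way, which is the boundary the proposal's overview requires.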
