

Subject: Re: [xacml] Proposal on item 7 ConditionReference






The following is a comparison between two proposals.
Proposal A introduces ConditionDef and ConditionRef.
(I removed no ApplyDef and ApplyRef)
It just allows the policy writer to reuse Boolean expressions.
Proposal B introduces VariableDef and VariableRef.
It allows the policy writer to reuse any expressions.

Characteristics would be:

Proposal A:
- Coarse-grained reuse (restricted)
- Expression is reused only at meaningful unit
- No further complexity is introduced

Proposal B:
- Fine-grained reuse (flexible)
- Generic (just like a programming language)
- Fit within the formal type system

Specification examples (identical policy)

- Proposal A:

<Policy>
  <ConditionDef ConditionId="CheckAgeBetween20-60"
                FunctionId="...function:and">
    <Apply FunctionId="...integer-greater-than-or-equal">
       ... age is equal or greater than 20 ...
    </Apply>
    <Apply FunctionId="...integer-less-than-or-equal">
       ... age is equal or less than 60 ...
    </Apply>
  </ConditionDef>
  <Rule Effect="Permit">
    <Target>... target 1 ...</Target>
    <ConditionRef>CheckAgeBetween20-60</ConditionRef>
  </Rule>
</Policy>

- Proposal B:

Ex1:

<Policy>
  <VariableDef VarId="var1">
    <Condition ConditionId="CheckAgeBetween20-60"
               FunctionId="...function:and">
      <Apply FunctionId="...integer-greater-than-or-equal">
         ... age is equal or greater than 20 ...
      </Apply>
      <Apply FunctionId="...integer-less-than-or-equal">
         ... age is equal or less than 60 ...
      </Apply>
    </Condition>
  </VariableDef>
  <Rule Effect="Permit">
    <Target>... target 1 ...</Target>
    <VariableRef VarId="var1"/>
  </Rule>
</Policy>

Ex2:

<Policy>
  <VariableDef VarId="var1">
    <SbjAttrDesignator AttrId="Age" DType="integer"/>
  </VariableDef>
  <VariableDef VarId="var2">
    <AttrValue DType="integer">20</AttrValue>
  </VariableDef>
  <VariableDef VarId="var3">
    <AttrValue DType="integer">60</AttrValue>
  </VariableDef>
  <VariableDef VarId="var4">
    <Apply FunctionId="int-gr-or-equal" DType="integer">
      <VariableRef VarId="var2"/>
      <VariableRef VarId="var1"/>
    </Apply>
  </VariableDef>
  <VariableDef VarId="var5">
    <Apply FunctionId="int-gr-or-equal" DType="integer">
      <VariableRef VarId="var1"/>
      <VariableRef VarId="var3"/>
    </Apply>
  </VariableDef>
  <VariableDef VarId="var6">
    <Apply FunctionId="and" DType="boolean">
      <VariableRef VarId="var4"/>
      <VariableRef VarId="var5"/>
    </Apply>
  </VariableDef>
  <Rule Effect="Permit">
    <Target>... target 1 ...</Target>
    <VariableRef VarId="var6"/>
  </Rule>
</Policy>

Michiharu



Polar Humenn <polar@syr.edu>
To: Michiharu Kudoh/Japan/IBM@IBMJP
cc: XACML TC <xacml@lists.oasis-open.org>
2003/12/10 02:08
Subject: Re: [xacml] Proposal on item 7 ConditionReference



On Wed, 10 Dec 2003, Michiharu Kudoh wrote:

> OK. Could you briefly summarize pros and cons of both ways, please? Just
> for people who want to understand the difference between the two
> approaches. I will post the two proposals (only boolean val ref or any
> val ref) with the comparison you will make. Actually I can live with
> both.

The "pros" of VariableDef/VariableRef is that you have ONE construct for
associating a variable identifier with a value expression. And one
construct to reference that expression. Simplicity.

I can't really see any "cons" with the approach.

The use of ConditionDef/ConditionRef and ApplyDef/ApplyRef is that you have
two constructs to do basically the same thing as above, except that one is
restricted to boolean typed expressions, and the other is restricted to
function definitions.

I have a hard time thinking of "pros" to this approach, in relation to the
"cons", which I think are unnecessary restrictions.

Since we have a formal type system within XACML, the type checker will
still have to check that the expression associated with a ConditionDef is
in fact a boolean typed expression, and the expression that is associated
with the ApplyDef still has to match the type expression where it is used.
Both approaches must go through the same type rigor.

Also, both approaches have to deal with use of undefined reference names,
and possibly "unused" definitions.

Cheers,
-Polar


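The checks Polar lists (condition must type-check to boolean, undefined references, unused definitions) applied to Michiharu's Ex2 syntax, as an added example that is not part of the thread. The element names, the DType attribute and the function signature table are assumptions taken from the mail's sketch, not the XACML schema, and Ex1's Condition wrapper is not handled.

```python
# Added example (not from the thread): a minimal checker for the VariableDef/
# VariableRef syntax sketched in Ex2. Element names, the DType attribute and
# the function table are assumptions taken from the mail, not real XACML.
import xml.etree.ElementTree as ET

# Assumed signatures for the functions used in Ex2: (argument types, result).
FUNCS = {"int-gr-or-equal": (("integer", "integer"), "boolean"),
         "and": (("boolean", "boolean"), "boolean")}

def expr_type(node, defs, used, stack, errors):
    """Infer an expression's data type, following VariableRefs to their defs."""
    if node.tag in ("AttrValue", "SbjAttrDesignator"):
        return node.get("DType")
    if node.tag == "VariableRef":
        vid = node.get("VarId")
        if vid not in defs:
            errors.append(f"undefined reference {vid}")
            return None
        if vid in stack:                      # var defined in terms of itself
            errors.append(f"cyclic definition {vid}")
            return None
        used.add(vid)
        return expr_type(defs[vid], defs, used, stack | {vid}, errors)
    if node.tag == "Apply":
        fid = node.get("FunctionId")
        if fid not in FUNCS:
            errors.append(f"unknown function {fid}")
            return None
        params, result = FUNCS[fid]
        args = [expr_type(c, defs, used, stack, errors) for c in node]
        if args != list(params):
            errors.append(f"{fid} expects {params}, got {tuple(args)}")
        return result
    errors.append(f"unsupported element {node.tag}")
    return None

def check_policy(xml_text):
    """Return (errors, unused VarIds) for a policy in the Ex2 style."""
    root = ET.fromstring(xml_text)
    defs = {d.get("VarId"): d[0] for d in root.findall("VariableDef")}
    errors, used = [], set()
    for rule in root.findall("Rule"):
        cond = rule.find("VariableRef")       # the rule's condition reference
        if cond is not None:
            t = expr_type(cond, defs, used, frozenset(), errors)
            if t != "boolean":
                errors.append(f"rule condition {cond.get('VarId')} has type {t}, not boolean")
    return errors, sorted(set(defs) - used)   # unused = unreachable from any Rule
```

Constructed sample input for the checker: Ex2 with Target closed, plus a var7 nothing references and a Deny rule whose condition is the integer age attribute; the checker reports the non-boolean condition and the unused definition.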




