Subject: Re: [xacml] Any Subject, Any Resource, Any Action,Any Environment (fwd from Polar)
[The message I just sent was a forward from Polar, in case that was not clear. -Anne]

Here is my view: The <Target> serves as an applicability pre-condition on the <Rule>. If there is no <Target>, then there is no pre-condition, and the <Rule> simply applies (given any inherited pre-conditions from the parent Policy). Likewise with <Subjects>, <Resources>, ... inside a <Target>: each is a pre-condition on the <Subjects>, etc. to which this <Rule> is applicable. If there is no pre-condition, then the <Rule> is applicable to any <Subject>, etc.

To me, the <Target> represents applicability-narrowing conditions. It seems like you are suggesting that the absence of narrowing conditions means maximum narrowing (i.e. non-applicability), but this does not seem intuitive to me. If there are no narrowing conditions, then the applicability is completely open. I think this interpretation is intuitive, and can be easily reinforced by the text.

Anne

On 23 January, Anne Anderson writes: [xacml] Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)
> From: Anne Anderson <Anne.Anderson@Sun.COM>
> To: XACML TC <xacml@lists.oasis-open.org>
> Subject: [xacml] Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)
> Date: Fri, 23 Jan 2004 12:41:09 -0500
>
> I think I may have misunderstood the approach before, or just didn't read it carefully enough. So, if I am reading the right document, the change on the target is that, NOW, the sub-elements of <Target> are OPTIONAL, whereas previously they had been REQUIRED. Correct? (The diffs I see do not seem to reflect this change.)
>
> <Target> has always been a conjunctive sequence of its subordinate elements. Now, due to the optionality of its subordinates, you may now end up with an empty conjunctive sequence, which is commonly said to be "true", and therefore an "empty" target evaluates to "Match".
>
> If I've got the intent wrong on any of the following please let me know:
>
> So, now, an empty target:
>
>   <Target>
>   </Target>
>
> has the same meaning as:
>
>   <Target>
>     <AnySubject/><AnyResource/><AnyAction/><AnyEnvironment/>
>   </Target>
>
> Correct? Therefore, this approach also means that you may have
>
>   <Target>
>     <Resources><Resource>....</Resource></Resources>
>   </Target>
>
> with the resulting applicability predicate concerned with just the listed resources.
>
> This approach is logically consistent, as long as we can agree that
>
>   <Target>
>     <AnySubject/>
>     <Resources><Resource>....</Resource></Resources>
>     <AnyAction/>
>     <AnyEnvironment/>
>   </Target>
>
> has the same meaning as the <Target> immediately above, and that
>
>   <Target>
>     <Subjects>
>     </Subjects>
>     <AnyResource/>
>     <AnyAction/>
>     <AnyEnvironment/>
>   </Target>
>
> (or any other target with an empty disjunctive subordinate) always evaluates to "No-Match".
>
> I don't know if this is an issue, but we should maintain <AnySubject>, etc. for backward compatibility reasons.
>
> Cheers,
> -Polar
>
> --
> Anne H. Anderson               Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
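The evaluation rule Polar sketches above (a <Target> is a conjunction over whichever subordinate sections are present; each present section is a disjunction over its children; an absent section narrows nothing; a present but empty section is an empty disjunction and so matches nothing) can be checked mechanically. The following Python is an added example written for this page, not code from the thread or from any XACML implementation. It assumes a simplified `<Match attr="..." value="..."/>` element standing in for XACML's attribute-designator and MatchId machinery, and a request modelled as a flat dict of attribute names to values. It accepts the `<AnySubject/>` wildcard both inside a section (the XACML 1.0 schema form, `<Subjects><AnySubject/></Subjects>`) and written directly under `<Target>` as in Polar's shorthand, where it is simply a no-op because the corresponding section is absent.

```python
import xml.etree.ElementTree as ET

# (plural section, singular child, wildcard element) for each Target subordinate.
SECTIONS = (
    ("Subjects", "Subject", "AnySubject"),
    ("Resources", "Resource", "AnyResource"),
    ("Actions", "Action", "AnyAction"),
    ("Environments", "Environment", "AnyEnvironment"),
)


def match_child(child, request):
    """A <Subject>, <Resource>, ... holds when every <Match> inside it holds.

    Assumed, simplified match model: <Match attr="name" value="v"/> holds
    when request[name] == v.  A child with no <Match> is an empty conjunction
    and therefore holds.
    """
    return all(request.get(m.get("attr")) == m.get("value")
               for m in child.findall("Match"))


def evaluate_target(target_xml, request):
    """Return "Match" or "No-Match" for a <Target> against a request dict.

    Conjunction over the sections that are present.  An absent section (or an
    Any* element written directly under <Target>) imposes no condition.  A
    present section is a disjunction over its children, so a present-but-empty
    section is an empty disjunction and yields No-Match.
    """
    target = ET.fromstring(target_xml.strip())
    for plural, singular, any_tag in SECTIONS:
        section = target.find(plural)
        if section is None:
            continue                      # no narrowing on this dimension
        if section.find(any_tag) is not None:
            continue                      # <Subjects><AnySubject/></Subjects>: matches anything
        if not any(match_child(c, request) for c in section.findall(singular)):
            return "No-Match"             # covers the empty <Subjects></Subjects> case
    return "Match"


# Constructed sample targets mirroring the cases discussed in the thread.
EMPTY_TARGET = "<Target></Target>"

RESOURCES_ONLY_TARGET = """
<Target>
  <Resources>
    <Resource><Match attr="resource-id" value="/payroll"/></Resource>
  </Resources>
</Target>
"""

EMPTY_SUBJECTS_TARGET = """
<Target>
  <Subjects>
  </Subjects>
  <AnyResource/>
  <AnyAction/>
  <AnyEnvironment/>
</Target>
"""

ALL_ANY_TARGET = """
<Target>
  <Subjects><AnySubject/></Subjects>
  <Resources><AnyResource/></Resources>
  <Actions><AnyAction/></Actions>
</Target>
"""

# Constructed requests (attribute names are illustrative, not XACML URIs).
PAYROLL_READ = {"subject-id": "alice", "resource-id": "/payroll", "action-id": "read"}
PUBLIC_READ = {"subject-id": "alice", "resource-id": "/public", "action-id": "read"}


def demo():
    """Evaluate every sample target against both requests."""
    cases = [("empty", EMPTY_TARGET), ("resources-only", RESOURCES_ONLY_TARGET),
             ("empty-subjects", EMPTY_SUBJECTS_TARGET), ("all-any", ALL_ANY_TARGET)]
    return {name: (evaluate_target(xml, PAYROLL_READ), evaluate_target(xml, PUBLIC_READ))
            for name, xml in cases}


if __name__ == "__main__":
    for name, (payroll, public) in demo().items():
        print(f"{name:16s} payroll={payroll:9s} public={public}")
```

The practitioner's check is the last two sample targets: `ALL_ANY_TARGET` and `EMPTY_TARGET` evaluate identically, while `EMPTY_SUBJECTS_TARGET` never matches, so a policy author who deletes the last `<Subject>` from a `<Subjects>` block without deleting the block itself silently turns an open rule into a dead one.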