Subject: RE: [xacml] Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)
I think that the way to address this is to define RULE, not Target, as a conjunctive sequence of the subordinate elements - including elements of the Target and the condition. Each of the Target elements is logically equivalent to an additional condition. I think that we have to have equivalent treatment of the missing condition and any of the Target elements.

And I do not know about you, but <AnyEnvironment> makes me shudder. What the heck is this supposed to mean?

I strongly agree that we need to make all target elements optional and get rid of the redundant <Any*> elements, and AnyEnvironment in particular. It does not create any inconsistencies.

Daniel.

-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.COM]
Sent: Friday, January 23, 2004 9:41 AM
To: XACML TC
Subject: [xacml] Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)

I think I may have misunderstood the approach before, or just didn't read it carefully enough.

So, if I am reading the right document, the change on the target is that, NOW, the sub-elements of <Target> are OPTIONAL. Whereas, previously they had been REQUIRED. Correct? (The diffs I see do not seem to reflect this change).

<Target> has always been a conjunctive sequence of its subordinate elements. Now, due to the optionality of its subordinates, you may now end up with an empty conjunctive sequence, which is commonly said to be "true", and therefore an "empty" target evaluates to "Match".

If I've got the intent wrong on any of the following please let me know:

So, now, an empty target:

    <Target>
    </Target>

has the same meaning as:

    <Target>
      <AnySubject/><AnyResource/><AnyAction/><AnyEnvironment/>
    </Target>

Correct?

Therefore, this approach also means that you may have

    <Target>
      <Resources><Resource>....</Resource></Resources>
    </Target>

with the resulting applicability predicate concerned with just the listed resources.
This approach is logically consistent, as long as we can agree that

    <Target>
      <AnySubject/>
      <Resources><Resource>....</Resource></Resources>
      <AnyAction/>
      <AnyEnvironment/>
    </Target>

has the same meaning as the <Target> immediately above, and that

    <Target>
      <Subjects>
      </Subjects>
      <AnyResource/>
      <AnyAction/>
      <AnyEnvironment/>
    </Target>

(or any other target with an empty disjunctive subordinate) always evaluates to "No-Match".

I don't know if this is an issue, but we should maintain <AnySubject>, etc. for backward compatibility reasons.

Cheers,
-Polar

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
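
The matching semantics discussed in this thread, as an added example that is not part of either message and is not code from the XACML TC: a Target is a conjunction over the sections that are present, each section is a disjunction over its entries, and an omitted section or a legacy `<Any*/>` element adds no constraint. It assumes the simplified element layout used in the snippets above (not the real XACML schema) and plain text equality in place of XACML match functions; `target_matches`, `section_matches` and the sample values are hypothetical names constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Section element -> (legacy wildcard element, request key). Simplified layout
# taken from the snippets in the thread; this is an assumption, not the schema.
SECTIONS = {
    "Subjects": ("AnySubject", "subject"),
    "Resources": ("AnyResource", "resource"),
    "Actions": ("AnyAction", "action"),
    "Environments": ("AnyEnvironment", "environment"),
}

def section_matches(section, request_value):
    """Disjunction over the section's entries: any() of nothing is False."""
    return any((entry.text or "").strip() == request_value for entry in section)

def target_matches(target_xml, request):
    """Conjunction over the sections present: all() of nothing is True."""
    target = ET.fromstring(target_xml)
    known = set(SECTIONS) | {any_tag for any_tag, _ in SECTIONS.values()}
    for child in target:
        # A misspelled section would silently drop a constraint and widen
        # the policy, so reject anything unrecognised instead of ignoring it.
        if child.tag not in known:
            raise ValueError(f"unexpected element in Target: {child.tag}")
    results = []
    for tag, (_, key) in SECTIONS.items():
        section = target.find(tag)
        if section is None:
            continue  # omitted section or legacy <Any*/>: no constraint
        results.append(section_matches(section, request.get(key)))
    return "Match" if all(results) else "No-Match"

# Constructed sample request and targets mirroring the cases in the thread.
REQUEST = {"subject": "alice", "resource": "doc1", "action": "read"}
EMPTY = "<Target></Target>"
LEGACY_ANY = "<Target><AnySubject/><AnyResource/><AnyAction/><AnyEnvironment/></Target>"
RES_ONLY = "<Target><Resources><Resource>doc1</Resource></Resources></Target>"
RES_LEGACY = ("<Target><AnySubject/><Resources><Resource>doc1</Resource></Resources>"
              "<AnyAction/><AnyEnvironment/></Target>")
EMPTY_SUBJECTS = "<Target><Subjects></Subjects><AnyResource/><AnyAction/><AnyEnvironment/></Target>"
```
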