[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xacml] Item 60 (Define standard "purpose" attributes)


Tim,

Could you add to your proposal why this should be part of the standard?
As far as I can see there are no issues with implementing this behavior
using a custom recombination algorithm.

Just, if we start going that route, I have a boatload of very useful
attributes to specify, such as "direction" (access on the way in or out)
and so on.

Daniel;


-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com] 
Sent: Friday, February 13, 2004 8:40 AM
To: 'XACML'
Subject: [xacml] Item 60 (Define standard "purpose" attributes)

Colleagues - Here are my proposals for addressing "purpose" in the v2.0
specification.  Please consider and comment.  All the best.  Tim.


1. Append to Section B.6

urn:oasis:names:tc:xacml:2.0:resource:purpose

This attribute, of type http://www.w3.org/2001/XMLSchema#string, indicates
the purpose for which the data resource was collected.  The owner of the
resource SHOULD be informed and consent to the use of the resource for this
purpose.  The attribute value MAY be a regular expression.  The custodian's
privacy policy SHOULD define the semantics of all available values.

2. Append to Section B.7

urn:oasis:names:tc:xacml:2.0:action:purpose

This attribute, of type http://www.w3.org/2001/XMLSchema#string, indicates
the purpose for which access to the data resource is requested.

Action purposes MAY be organized hierarchically, in which case the value
MUST represent a node in the hierarchy.  XACML does not specify a scheme for
delimiting hierarchical levels.  However, the chosen scheme MUST be
consistent with the available values for resource purpose (see Section B.6).

3. Add following Section B.10

B.11  Standard rules

B.11.1  Matching purpose

This rule MUST be used with the
urn:oasis:names:tc:xacml:2.0:rule-combining-algorithm:deny-overrides
rule-combining algorithm.  It stipulates that access SHALL be denied unless
the purpose for which access is requested matches, by regular-expression
match, the purpose for which the data resource was collected.

<?xml version="1.0" encoding="UTF-8"?>
<Rule xmlns="urn:oasis:xacml:2.0:policy:schema:wd:06"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:xacml:2.0:policy:schema:wd:06 D:\MYDATA~1\Standards\xacml\v2.0\DRD2FC~1\oasis-xacml-2_0-policy-schema-wd-06.xsd"
      RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose"
      Effect="Permit">
	<Condition FunctionId="urn:oasis:names:tc:xacml:2.0:function:regexp-string-match">
		<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
		                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
		<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
		                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
	</Condition>
</Rule>

-----------------------------------------------------------------
Tim Moses
613.270.3183

To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.


