Subject: RE: [xacml] Item 60 (Define standard "purpose" attributes)
Daniel - That's a valid point of view. We have discussed tackling this in an XACML profile document, instead of the core specification. Some ventured the opinion that it would be a simple matter to accommodate (what appeared to be) a fairly common requirement. I don't object to our doing a privacy profile, of which this would form a part. Let's hear what others have to say. All the best. Tim.

-----Original Message-----
From: Daniel Engovatov [mailto:dengovatov@bea.com]
Sent: Friday, February 13, 2004 1:59 PM
To: Tim Moses; XACML
Subject: RE: [xacml] Item 60 (Define standard "purpose" attributes)

Tim, Could you add to your proposal why this should be part of the standard? As far as I can see there are no issues with implementing this behavior using a custom recombination algorithm. Just, if we start going that route, I have a boatload of very useful attributes to specify, such as "direction" (access on the way in or out) and so on.

Daniel;

-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Friday, February 13, 2004 8:40 AM
To: 'XACML'
Subject: [xacml] Item 60 (Define standard "purpose" attributes)

Colleagues - Here are my proposals for addressing "purpose" in the v2.0 specification. Please consider and comment. All the best. Tim.

1. Append to Section B.6

   urn:oasis:names:tc:xacml:2.0:resource:purpose

   This attribute, of type http://www.w3.org/2001/XMLSchema#string, indicates the purpose for which the data resource was collected. The owner of the resource SHOULD be informed and consent to the use of the resource for this purpose. The attribute value MAY be a regular expression. The custodian's privacy policy SHOULD define the semantics of all available values.

2. Append to Section B.7

   urn:oasis:names:tc:xacml:2.0:action:purpose

   This attribute, of type http://www.w3.org/2001/XMLSchema#string, indicates the purpose for which access to the data resource is requested. Action purposes MAY be organized hierarchically, in which case the value MUST represent a node in the hierarchy. XACML does not specify a scheme for delimiting hierarchical levels. However, the chosen scheme MUST be consistent with the available values for resource purpose (see Section B.6).

3. Add following Section B.10

   B.11 Standard rules

   B.11.1 Matching purpose

   This rule MUST be used with the urn:oasis:names:tc:xacml:2.0:rule-combining-algorithm:deny-overrides rule-combining algorithm. It stipulates that access SHALL be denied unless the purpose for which access is requested matches, by regular-expression match, the purpose for which the data resource was collected.

   <?xml version="1.0" encoding="UTF-8"?>
   <Rule xmlns="urn:oasis:xacml:2.0:policy:schema:wd:06"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:xacml:2.0:policy:schema:wd:06 D:\MYDATA~1\Standards\xacml\v2.0\DRD2FC~1\oasis-xacml-2_0-policy-schema-wd-06.xsd"
         RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose"
         Effect="Permit">
     <Condition FunctionId="urn:oasis:names:tc:xacml:2.0:function:regexp-string-match">
       <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
       <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
     </Condition>
   </Rule>

-----------------------------------------------------------------
Tim Moses 613.270.3183

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
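A small evaluator for the matching-purpose rule proposed above, added here as an example; it is not part of the thread nor of any XACML implementation. It assumes an anchored (whole-string) reading of regexp-string-match, a constructed request context holding the two purpose attributes, and sample purpose values such as a resource purpose written as the regular expression "treatment(/.*)?" that the proposal permits.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:xacml:2.0:policy:schema:wd:06"}
RESOURCE_PURPOSE = "urn:oasis:names:tc:xacml:2.0:resource:purpose"
ACTION_PURPOSE = "urn:oasis:names:tc:xacml:2.0:action:purpose"

# Tim's proposed rule as posted (schemaLocation dropped); ids substituted below.
MATCHING_PURPOSE_RULE = """<Rule xmlns="urn:oasis:xacml:2.0:policy:schema:wd:06"
      RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose" Effect="Permit">
  <Condition FunctionId="urn:oasis:names:tc:xacml:2.0:function:regexp-string-match">
    <ResourceAttributeDesignator AttributeId="%s"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <ActionAttributeDesignator AttributeId="%s"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Condition>
</Rule>""" % (RESOURCE_PURPOSE, ACTION_PURPOSE)

def regexp_string_match(pattern, value):
    # Assumption: the XML Schema pattern (first argument) must match the whole
    # second argument, so "treatment" does not match "treatment/marketing".
    return re.fullmatch(pattern, value) is not None

def evaluate_rule(rule_xml, request):
    """Evaluate a rule of the proposed shape against a request context
    {attribute-id: string}; returns 'Permit', 'Deny' or 'NotApplicable'.
    A missing attribute yields NotApplicable (a simplification of XACML's
    Indeterminate handling)."""
    rule = ET.fromstring(rule_xml)
    cond = rule.find("x:Condition", NS)
    if cond is None:
        return rule.get("Effect")
    # Argument order follows the rule: resource purpose (the pattern) first,
    # action purpose (the string under test) second.
    args = [request.get(d.get("AttributeId")) for d in cond]
    if None in args:
        return "NotApplicable"
    return rule.get("Effect") if regexp_string_match(*args) else "NotApplicable"

def deny_overrides(decisions):
    # Rule-combining algorithm named by the proposal: any Deny wins,
    # otherwise any Permit, otherwise NotApplicable.
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"

def decide(resource_purpose, action_purpose):
    # Constructed request: purpose the data was collected for vs purpose requested.
    request = {RESOURCE_PURPOSE: resource_purpose, ACTION_PURPOSE: action_purpose}
    return deny_overrides([evaluate_rule(MATCHING_PURPOSE_RULE, request)])
```

A non-matching purpose comes back as NotApplicable rather than Deny, since a Permit rule under deny-overrides cannot itself produce Deny; it is a deny-biased PEP, one that grants access only on an explicit Permit, that turns this into the "denied unless" behaviour the proposal describes.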