RE: [xacml] Item 60 (Define standard "purpose" attributes)

[Tim Moses <tim.moses@entrust.com>]

Daniel - That's a valid point of view.  We have discussed tackling this in
an XACML profile document, instead of the core specification.  Some ventured
the opinion that it would be a simple matter to accommodate (what appeared
to be) a fairly common requirement.  I don't object to our doing a privacy
profile, of which this would form a part.

Let's hear what others have to say.  All the best.  Tim.

-----Original Message-----
From: Daniel Engovatov [mailto:dengovatov@bea.com] 
Sent: Friday, February 13, 2004 1:59 PM
To: Tim Moses; XACML
Subject: RE: [xacml] Item 60 (Define standard "purpose" attributes)


Tim,

Could you add to your proposal why this should be part of the standard? As
far as I can see there are no issues with implementing this behavior using a
custom recombination algorithm.

Just, if we start going that route, I have a boatload of very useful
attributes to specify, such as "direction" (access on the way in or out) and
so on.

Daniel;


-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com] 
Sent: Friday, February 13, 2004 8:40 AM
To: 'XACML'
Subject: [xacml] Item 60 (Define standard "purpose" attributes)

Colleagues - Here are my proposals for addressing "purpose" in the v2.0
specification.  Please consider and comment.  All the best.  Tim.


1. Append to Section B.6

urn:oasis:names:tc:xacml:2.0:resource:purpose

This attribute, of type http://www.w3.org/2001/XMLSchema#string,
indicates
the purpose for which the data resource was collected.  The owner of the
resource SHOULD be informed and consent to the use of the resource for this
purpose.  The attribute value MAY be a regular expression.  The custodian's
privacy policy SHOULD define the semantics of all available values.

2. Append to Section B.7

urn:oasis:names:tc:xacml:2.0:action:purpose

This attribute, of type http://www.w3.org/2001/XMLSchema#string,
indicates
the purpose for which access to the data resource is requested.

Action purposes MAY be organized hierarchically, in which case the value
MUST represent a node in the hierarchy.  XACML does not specify a scheme for
delimiting hierarchical levels.  However, the chosen scheme MUST be
consistent with the available values for resource purpose (see Section B.6).

3. Add following Section B.10

B.11  Standard rules

B.11.1  Matching purpose

This rule MUST be used with the
urn:oasis:names:tc:xacml:2.0:rule-combining-algorithm:deny-overrides
rule-combining algorithm.  It stipulates that access SHALL be denied unless
the purpose for which access is requested matches, by regular-expression
match, the purpose for which the data resource was collected.

<?xml version="1.0" encoding="UTF-8"?>
<Rule xmlns="urn:oasis:xacml:2.0:policy:schema:wd:06"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="urn:oasis:xacml:2.0:policy:schema:wd:06
D:\MYDATA~1\Standards\xacml\v2.0\DRD2FC~1\oasis-xacml-2_0-policy-schema-
wd-0
6.xsd" RuleId=" urn:oasis:names:tc:xacml:2.0:matching-purpose"
Effect="Permit">
	<Condition
FunctionId="urn:oasis:names:tc:xacml:2.0:function:regexp-string-match">
		<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
		<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
	</Condition>
</Rule>

-----------------------------------------------------------------
Tim Moses
613.270.3183

To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgro
up.php.