Subject: RE: [xacml] Questions on Attributes in Specification
Rebekah - Please see below for proposed resolutions.

All the best. Tim.

-----Original Message-----
From: Rebekah Lepro [mailto:rlepro@arc.nasa.gov]
Sent: Wednesday, January 07, 2004 5:27 PM
To: xacml
Subject: [xacml] Questions on Attributes in Specification

Happy Belated Holidays all...

I'm working through my notes on "current usage of attributes within the XACML" specification to propose wording changes as per my work item. I have several questions that I'd like to pose to the committee to ensure my understanding of specification details before I complete my task. I've outlined these questions (and relevant line numbers below).

Thank you for the insight!

Rebekah

----

1) ResourceAttributeDesignator (lines 2318 - 2327), ActionAttributeDesignator (lines 2343 - 2352) and EnvironmentAttributeDesignator (lines 2369 - 2378) all refer to "a bag containing all the (resource, action, environment) attribute values that are matched by the named (resource, action, environment) attribute."

a) I presume this text corresponds to the description of the returned bag for an AttributeSelector as described in lines 2448 - 2454?

b) In the section for SubjectAttributeDesignator (lines 2268 - 2310), there is no mention of a bag returned containing the values even for a categorized subject. Does this imply a different processing requirement for SubjectAttributeDesignators?

<TM> The text describing the various attribute designators (subject, resource, etc.) has been aligned in WS 06. The text for ResourceAttributeDesignator has been taken as the model, with adjustments to take subject categories into account. </TM>

2) Can an element be defined directly with the type AttributeDesignatorType or was the intention that this complex type definition serve only as the root of a type hierarchy?

<TM> Resource, action and environment attribute designators are of type AttributeDesignatorType. SubjectAttributeDesignatorType extends AttributeDesignatorType by the addition of the subject-category attribute. </TM>

3) Lines 2445 - 2454 define processing rules that relate to the MustBePresent attribute of an AttributeSelector, including the required status code. No such constraint on the required status code is listed in lines 2264 - 2266 for AttributeDesignators. Should there be mandatory status codes specified?

<TM> It is proposed to move discussion of status-codes to a common section and reference that section from both the AttributeSelector and AttributeDesignator sections. </TM>

4) Line 2707 indicates that the data type of the AttributeValue MAY be specified by using the DataType attribute of the parent Attribute element. However, line 2683 indicates that the DataType xml attribute of an Attribute element is mandatory. Is this a contradiction?

<TM> It is proposed to change the MAY to a MUST. Then the data-type of an attribute MUST be identified in the <xacml-context:Attribute> element, not in its child <xacml-context:AttributeValue> element. </TM>

5) AttributeValueType. Lines 2456 - 2469 indicate that a DataType URI is a required xml attribute required for the complex type in the xacml namespace. Lines 2696 - 2708 do not define such a required xml attribute for the AttributeValueType in the xacml-context namespace. Lines 3448 - 2469 of the Appendix state that an XACML <AttributeValue> element MAY contain an instance of a structured XML data type. Lines 3524 - 3525 say "The <AttributeValue> element SHALL represent an explicit value of a primitive type." The example shows the use of an AttributeValue element as the child of the <Apply> element. Lines 3534 - 3535 state "The <AttributeDesignator> and <AttributeSelector> elements SHALL evaluate to a bag of a specific primitive type." Do these different characterizations contradict?

<TM> WARNING for the casual reader - there is an <AttributeValue> element defined in both the xacml and the xacml-context namespaces.

<xacml:AttributeValue> elements do not occur as children of <xacml:Attribute> elements (no such element is defined). Therefore, the type of the attribute has to be associated with the value. Moreover, attributes used in this way are single-valued.

<xacml-context:AttributeValue> elements always occur as children of an <xacml-context:Attribute> element. These attributes can be multi-valued. Therefore, their type can be associated with the <xacml-context:Attribute> element.

Elements of either type <xacml:AttributeValue> or <xacml-context:AttributeValue> may be structured. The restriction to primitive types will be corrected in WD06. </TM>

6) Is it reasonable to state that a named attribute appears in the context of Policy syntax but not Context syntax?

<TM> I'll look for a suitable place to make this point. </TM>

7) Is the string equality requirement listed on line 2999 the string equality function defined at line 3643?

<TM> Yes. I'll include text that makes this explicit. </TM>
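
The DataType placement described in the replies to questions 4 and 5, as an added example that is not part of the original thread or the specification: a checker that flags a missing DataType on an <xacml:AttributeValue>, and a missing or misplaced DataType under an <xacml-context:Attribute>. The namespace URIs, the AttributeId `role` and the trimmed sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs (XACML 1.0 schemas); the thread only names the prefixes.
POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

def check_datatype_placement(xml_text):
    """List DataType placement problems in one policy or context document."""
    findings = []
    root = ET.fromstring(xml_text)
    # Policy namespace: no parent Attribute exists, so each value carries its type.
    for value in root.iter(f"{{{POLICY_NS}}}AttributeValue"):
        if not value.get("DataType"):
            findings.append("xacml:AttributeValue: DataType missing")
    # Context namespace: values may repeat, so the type sits on the parent Attribute.
    for attr in root.iter(f"{{{CONTEXT_NS}}}Attribute"):
        attr_id = attr.get("AttributeId", "<no AttributeId>")
        if not attr.get("DataType"):
            findings.append(f"xacml-context:Attribute {attr_id}: DataType missing")
        for value in attr.findall(f"{{{CONTEXT_NS}}}AttributeValue"):
            if value.get("DataType") is not None:
                findings.append(f"xacml-context:Attribute {attr_id}: DataType on child value")
    return findings

# Constructed samples, trimmed to the elements under discussion.
GOOD_REQUEST = f"""<Request xmlns="{CONTEXT_NS}"><Subject>
  <Attribute AttributeId="role" DataType="{XSD_STRING}">
    <AttributeValue>admin</AttributeValue>
    <AttributeValue>auditor</AttributeValue>
  </Attribute></Subject></Request>"""
BAD_REQUEST = f"""<Request xmlns="{CONTEXT_NS}"><Subject>
  <Attribute AttributeId="role">
    <AttributeValue DataType="{XSD_STRING}">admin</AttributeValue>
  </Attribute></Subject></Request>"""
GOOD_POLICY_VALUE = f"""<AttributeValue xmlns="{POLICY_NS}" DataType="{XSD_STRING}">admin</AttributeValue>"""
BAD_POLICY_VALUE = f"""<AttributeValue xmlns="{POLICY_NS}">admin</AttributeValue>"""

if __name__ == "__main__":
    for name in ("GOOD_REQUEST", "BAD_REQUEST", "GOOD_POLICY_VALUE", "BAD_POLICY_VALUE"):
        print(name, check_datatype_placement(globals()[name]))
```

A policy decision point that receives requests from untrusted callers would parse them with a hardened XML parser before running a check like this; `xml.etree.ElementTree` is used here only because the samples are local and constructed.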