Subject: [xacml] WI #18 Obligation in Rules
I would like to resubmit the proposal on WI#18 that was originally posted last May (2003). I added the discussion at the bottom.

Original proposal:
http://lists.oasis-open.org/archives/xacml/200305/msg00006.html

Some discussions:
http://lists.oasis-open.org/archives/xacml/200402/msg00013.html
http://lists.oasis-open.org/archives/xacml/200404/msg00007.html

===========================================================
Work Item #18: Obligation in Rules: Proposed XACML 2.0 Solution for Obligations in Rule element

Problem Description
===================
XACML 1.0 allows a PolicySet and Policy to include an Obligations element but does not allow a Rule to include it. Allowing an Obligations element in Rules could make Policies shorter, particularly when each Rule has the identical target description but a different condition expression. For more detail, please refer to http://lists.oasis-open.org/archives/xacml/200303/msg00006.html

Proposal
========
Allow XACML <Rule> elements to contain an <Obligations> element. There is no need to define a new schema or a new schema type.

    <xs:element name="Rule" type="xacml:RuleType"/>
    <xs:complexType name="RuleType">
      <xs:sequence>
        <xs:element ref="xacml:Description" minOccurs="0"/>
        <xs:element ref="xacml:Target" minOccurs="0"/>
        <xs:element ref="xacml:Condition" minOccurs="0"/>
        <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
      <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
    </xs:complexType>

Text changes
============
1. The description of Section 7.11 only needs a small modification such that the text changes from "PolicySet and Policy may contain one or more obligations" to "PolicySet, Policy and Rule may contain one or more obligations".

2. The description of the combining algorithm needs a small modification, like just inserting the one-line text "Obligations of the individual rules shall be combined as described in Section 7.11." before line 4695.

(may need more changes...)

Discussion
==========
1. Obligation may make the XACML policy non-deterministic if non-deterministic combining algorithms (either deny-overrides or permit-overrides) are used. This non-deterministic property is already implied in the current spec (1.0). Some people prefer the deterministic property. One solution would be to write text something like "when a policy writer writes XACML policy with obligations, deny-overrides or permit-overrides may make the policy non-deterministic. If it is not desirable, a deterministic algorithm such as ordered-deny-overrides and ordered-permit-overrides should be used" in Section 7.11 and Appendix C.

2. Since the Obligations element is optional, this extension affects only implementations that support obligations.

Best,
Michiharu
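
Discussion point 1 above, as an added example that is not part of the original message or of the XACML specification: a simplified Python model of deny-overrides over rules that carry obligations, showing that the decision is stable while the returned obligations depend on evaluation order. The rule ids, obligation names, the stop-at-first-Deny evaluation and the rule that only evaluated rules contribute obligations are assumptions of this model.

```python
from itertools import permutations

# Constructed sample rules: (RuleId, Effect, obligations attached to the Rule).
# Assumptions: every rule is applicable to the request, and every obligation
# has FulfillOn equal to the Effect of the rule that carries it.
RULES = [
    ("rule-a", "Deny", ["log-to-audit"]),
    ("rule-b", "Deny", ["notify-owner"]),
    ("rule-c", "Permit", ["encrypt-response"]),
]

def deny_overrides(rules):
    """Evaluate rules in the order given, stopping at the first Deny.

    Returns (decision, obligations). Only obligations of rules that were
    actually evaluated and whose Effect matches the decision are kept.
    """
    evaluated = []
    decision = "NotApplicable"
    for _rule_id, effect, obligations in rules:
        evaluated.append((effect, obligations))
        if effect == "Deny":
            decision = "Deny"
            break  # short-circuit: later rules are never evaluated
        decision = "Permit"
    kept = [o for eff, obs in evaluated if eff == decision for o in obs]
    return decision, sorted(kept)

def outcomes_unordered(rules):
    """All distinct results when the PDP is free to pick the evaluation order."""
    return {(d, tuple(o)) for d, o in map(deny_overrides, permutations(rules))}

def outcome_ordered(rules):
    """ordered-deny-overrides: rules are evaluated in document order."""
    return deny_overrides(rules)

if __name__ == "__main__":
    for decision, obligations in sorted(outcomes_unordered(RULES)):
        print("unordered:", decision, list(obligations))
    print("ordered:  ", *outcome_ordered(RULES))
```

A PEP that relies on a specific obligation (for example the audit log entry) being returned with every Deny would see it only on some evaluations under the unordered algorithm.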