

Subject: [xacml] WI #18 Obligation in Rules






I would like to resubmit the proposal on WI#18 that was originally posted
last May (2003). I added the discussion at the bottom.

Original proposal:
http://lists.oasis-open.org/archives/xacml/200305/msg00006.html

Some discussions:
http://lists.oasis-open.org/archives/xacml/200402/msg00013.html
http://lists.oasis-open.org/archives/xacml/200404/msg00007.html

===========================================================
Work Item #18: Obligation in Rules:

Proposed XACML 2.0 Solution for Obligations in Rule element

Problem Description
===================

XACML 1.0 allows a PolicySet and Policy to include an Obligations
element but does not allow a Rule to include it.
Allowing an Obligations element in Rules could make Policies shorter,
particularly when each Rule has the identical target description
but a different condition expression. For more detail, please refer to
http://lists.oasis-open.org/archives/xacml/200303/msg00006.html

Proposal
========

Allow XACML <Rule> elements to contain an <Obligations> element.
There is no need to define new schema or new schema type.

<xs:element name="Rule" type="xacml:RuleType"/>
<xs:complexType name="RuleType">
      <xs:sequence>
            <xs:element ref="xacml:Description" minOccurs="0"/>
            <xs:element ref="xacml:Target" minOccurs="0"/>
            <xs:element ref="xacml:Condition" minOccurs="0"/>
            <xs:element ref="xacml:Obligations" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
      <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>

Text changes
==========
1. The description of Section 7.11 needs only a small
modification such that the text changes from "PolicySet and Policy may
contain one or more obligations" to "PolicySet, Policy and Rule may
contain one or more obligations".

2. The description of the combining algorithm needs a small modification,
such as inserting the one-line text "Obligations of the individual
rules shall be combined as described in Section 7.11." before
line 4695.

(may need more changes...)

Discussion
==========
1. Obligations may make the XACML policy non-deterministic
if non-deterministic combining algorithms (either deny-overrides or
permit-overrides) are used. This non-deterministic property is
already implied in the current spec (1.0).

Some people prefer the deterministic property. One solution
would be to write text something like "when a policy writer
writes an XACML policy with obligations, deny-overrides or
permit-overrides may make the policy non-deterministic. If that is not
desirable, a deterministic algorithm such as ordered-deny-overrides or
ordered-permit-overrides should be used" in Section 7.11 and
Appendix C.

2. Since the Obligations element is optional, this extension
affects only implementations that support obligations.

Best,
Michiharu
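
The non-determinism raised in Discussion item 1, as an added example that is not part of the original message or of the XACML specification. It is a simplified model that assumes deny-overrides stops at the first applicable Deny rule and returns only the obligations of that rule whose FulfillOn matches the decision; the rule ids, obligation ids and function names are hypothetical.

```python
from itertools import permutations

# Constructed sample: every rule applies to the request, and each carries
# a rule-level obligation as (FulfillOn, ObligationId), per the proposal.
RULES = [
    {"id": "rule-A", "effect": "Deny", "obligations": [("Deny", "log-to-audit")]},
    {"id": "rule-B", "effect": "Deny", "obligations": [("Deny", "notify-owner")]},
    {"id": "rule-C", "effect": "Permit", "obligations": [("Permit", "watermark")]},
]


def deny_overrides(rules):
    """Combine rules in the order given; return (decision, obligations).

    Model assumption: evaluation stops at the first Deny, so obligations
    of rules that were never evaluated are not returned.
    """
    permit_obligations = []
    saw_permit = False
    for rule in rules:
        matching = [ob for fulfill_on, ob in rule["obligations"]
                    if fulfill_on == rule["effect"]]
        if rule["effect"] == "Deny":
            return "Deny", tuple(matching)
        saw_permit = True
        permit_obligations.extend(matching)
    if saw_permit:
        return "Permit", tuple(permit_obligations)
    return "NotApplicable", ()


def outcomes(rules, ordered):
    """Set of distinct (decision, obligations) results a PDP could return.

    ordered=True  -> document order only (ordered-deny-overrides)
    ordered=False -> any evaluation order (plain deny-overrides)
    """
    orders = [tuple(rules)] if ordered else permutations(rules)
    return {deny_overrides(order) for order in orders}


if __name__ == "__main__":
    print("ordered-deny-overrides:", sorted(outcomes(RULES, ordered=True)))
    print("deny-overrides:        ", sorted(outcomes(RULES, ordered=False)))
```

The decision is Deny in every case; only the obligation handed to the PEP varies with evaluation order.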


