imperative syntax for generalized xacml

[Simon <sgodik@gluecode.com>]

Tim describes procedures as a 'set and sequence of  isolated imperatives 
and prohibitions'. Syntactically these are sequences of do's and do-not's
qualified by the action uri.

We'd like to qualify these expressions with ordered-or, any-of, and 
all-of semantics. These semantics are simple enough for the pep to 
understand.
For example, we can allow access to the system and with the 'ordered-or' 
enumerate a number of alternative actions a client must  perform,
with 'any-of'  enumerate any action a client must perform etc.

Imperatives can use ordered-or, any-of, all-of and prohibitions can use 
all-of semantics.

Syntactilcally, in addition to the imperative uri, we should be able to 
communicate a set of applicable parameters as name-value pairs.
xacml attribute-assignment element can be used for this.

<xs:element name="Do" type="xacml:ImperativeType"/>
<xs:element name="DoNot" type="xs:anyURI"/>

<xs:complexType name="ImperativeType">
<xs:sequence>
<xs:element ref="xacml:AttributeAssignment" minOccurs="0" 
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="uri" type="xs:anyURI" use="required"/>
</xs:complexType>

<xs:element name="DoSequence" type="ImperativeSequenceType"/>
<xs:complexType name="ImperativeSequenceType">
<xs:sequence>
<xs:element ref="xacml:Do" minOccurs="1" maxOccurs="unbounded"/> ==> at 
least one imperative
</xs:sequence>
<xs:attirubte name="combination" type="xs:anyURI"/> ==> ordered-or, 
any-of, all-of (we can define a type for it)
</xs:complexType>

<xs:complexType name="ProcedureType">
<xs:sequence>
<xs:element ref="xacml:DoSequence" minOccurs="0"/>
<xs:element ref="xacml:DoNot" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>

Procedure element is a child of Conclusion element.

Simon