OASIS Mailing List Archives

xacml message



Subject: RE: [xacml] Groups - Changes Since XACML 1.0 (xacml_1.x_2.0_diffs_draft.doc) uploaded



>Could you clarify what you mean by "policy recombination algorithms"?
>Is this just another term for "policy combining algorithms"?  Could you
>give a concrete example of how XQuery would be used to express something
>like Deny-Overrides?


Yes, sorry for the incorrect term.

XQuery may be used to define a particular algorithm in the following
way:

We define an element type for a result of a rule. Trivial example (real
schema should include all parameters etc):

<ruleresult><effect>DENY</effect></ruleresult>

We define a schema for the policy result, something like:
<policyresult>PERMIT</policyresult>


Then we require the recombination algorithm to be expressed as an XQuery
function taking a sequence of <ruleresult> elements (and whatever else is
needed, possibly including a reference to the request document) and
returning a <policyresult> (not correct, just a rough example):

declare function xacml:deny-or-permit($rr as schema-element(xacml:ruleresult)*)
  as schema-element(xacml:policyresult)
{
  <policyresult>
      {
       (: whatever logic is required to determine what to return, like :)
        if (fn:empty($rr[effect eq "DENY"])) then "PERMIT" else "DENY"
      }
  </policyresult>
};

Obviously, any implementation of such an algorithm does not need to
actually create an XML document and run an XQuery processor, but using
such a general purpose language may allow for interoperability of custom
recombination algorithms.

Just a thought - maybe we can briefly discuss that at a focus group or
over e-mail.

Daniel;
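
Added example, not part of the original message: a fuller Deny-Overrides function in the style sketched above, modelled on the XACML rule-combining ordering, so that an empty rule sequence or a rule that failed to evaluate does not fall through to PERMIT as it does in the rough sketch. The `decision` child, the `INDETERMINATE` and `NOTAPPLICABLE` values, the `local:` function name and the `case` wrapper elements are assumptions; plain `element()` tests replace `schema-element()` because no schema is imported.

```xquery
xquery version "1.0";

(: Assumed shape of a rule result (hypothetical extension of the message's sketch):
     <ruleresult>
       <decision>what the rule evaluated to for this request</decision>
       <effect>the rule's configured effect, PERMIT or DENY</effect>
     </ruleresult> :)

declare function local:deny-overrides($rr as element(ruleresult)*)
  as element(policyresult)
{
  <policyresult>{
    (: 1. Any rule that evaluated to DENY decides the outcome. :)
    if (exists($rr[decision eq "DENY"])) then "DENY"
    (: 2. A rule that could not be evaluated but would have denied
          must not be silently ignored in favour of a PERMIT. :)
    else if (exists($rr[decision eq "INDETERMINATE"][effect eq "DENY"]))
      then "INDETERMINATE"
    (: 3. Only now may a PERMIT win. :)
    else if (exists($rr[decision eq "PERMIT"])) then "PERMIT"
    (: 4. Remaining evaluation errors still surface to the caller. :)
    else if (exists($rr[decision eq "INDETERMINATE"])) then "INDETERMINATE"
    (: 5. No rule applied, including the empty sequence. :)
    else "NOTAPPLICABLE"
  }</policyresult>
};

(: Constructed sample inputs, one per branch of interest. :)
let $cases := (
  <case name="no-rules"/>,
  <case name="permit-and-deny">
    <ruleresult><decision>PERMIT</decision><effect>PERMIT</effect></ruleresult>
    <ruleresult><decision>DENY</decision><effect>DENY</effect></ruleresult>
  </case>,
  <case name="permit-and-failed-deny-rule">
    <ruleresult><decision>PERMIT</decision><effect>PERMIT</effect></ruleresult>
    <ruleresult><decision>INDETERMINATE</decision><effect>DENY</effect></ruleresult>
  </case>,
  <case name="permit-only">
    <ruleresult><decision>PERMIT</decision><effect>PERMIT</effect></ruleresult>
  </case>
)
for $c in $cases
return
  <result case="{ $c/@name }">{ local:deny-overrides($c/ruleresult) }</result>
```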




