Subject: RE: [xacml] Groups - Changes Since XACML 1.0 (xacml_1.x_2.0_diffs_draft.doc) uploaded
P.S. Obviously I meant rule-combining algorithm in an example :) Same for policy combining.

Daniel;

-----Original Message-----
From: Daniel Engovatov
Sent: Thursday, June 23, 2005 2:27 PM
To: Anne.Anderson@sun.com
Cc: xacml@lists.oasis-open.org
Subject: RE: [xacml] Groups - Changes Since XACML 1.0 (xacml_1.x_2.0_diffs_draft.doc) uploaded

>Could you clarify what you mean by "policy recombination algorithms"?
>Is this just another term for "policy combining algorithms"? Could you
>give a concrete example of how XQuery would be used to express something
>like Deny-Overrides?

Yes, sorry for the incorrect term.

XQuery may be used to define a particular algorithm in the following way:

We define an element type for a result of a rule. Trivial example (real schema should include all parameters etc):

    <ruleresult><effect>DENY</effect></ruleresult>

We define schema for the policy result, something like:

    <policyresult>PERMIT</policyresult>

Then we require to express the recombination algorithm as an XQuery function taking a sequence of <ruleresult> elements (and whatever else needed, including, possibly a reference to the request document) and returning a <policyresult>

(Not correct, just a rough example)

    declare function xacml:deny-or-permit($rr as schema-element(xacml:ruleresult)*)
        as schema-element(xacml:policyresult)
    {
        <policyresult>
        {
            (: whatever logic is required to determine what to return, like :)
            if (fn:empty($rr[effect eq "DENY"])) then "PERMIT" else "DENY"
        }
        </policyresult>
    };

Obviously, any implementation of such an algorithm does not need to actually create an XML document and run an XQuery processor, but using such a general purpose language may allow for interoperability of custom recombination algorithms.

Just a thought - maybe we can briefly discuss that at a focus group or over e-mail.

Daniel;
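As an added illustration (not part of the original message and not code from any XACML implementation), the same function shape, a sequence of <ruleresult> elements in and a <policyresult> out, is carried through here to the standard XACML deny-overrides rule-combining logic with all four decisions, in Python rather than XQuery. It goes beyond the two-valued sketch in the message: the <decision> child, the <results> wrapper, the XACML-style value casing and the handling of unrecognised values as Indeterminate are assumptions of this example.

```python
import xml.etree.ElementTree as ET

DECISIONS = {"Permit", "Deny", "NotApplicable", "Indeterminate"}

def deny_overrides(rule_results):
    """Combine <ruleresult> elements into one <policyresult> element.

    Assumed schema: <effect> is the rule's declared Effect and
    <decision> is what the rule actually evaluated to.
    """
    potential_deny = at_least_one_permit = at_least_one_error = False
    outcome = None
    for rr in rule_results:
        decision = (rr.findtext("decision") or "").strip()
        effect = (rr.findtext("effect") or "").strip()
        if decision not in DECISIONS:
            decision = "Indeterminate"  # assumption: malformed result is an error
        if decision == "Deny":
            outcome = "Deny"            # a single Deny settles the result
            break
        if decision == "Permit":
            at_least_one_permit = True
        elif decision == "Indeterminate":
            at_least_one_error = True
            if effect == "Deny":        # a failed Deny rule might have denied
                potential_deny = True
    if outcome is None:
        if potential_deny:
            outcome = "Indeterminate"   # never Permit past a possible Deny
        elif at_least_one_permit:
            outcome = "Permit"
        elif at_least_one_error:
            outcome = "Indeterminate"
        else:
            outcome = "NotApplicable"   # empty input does not yield Permit
    result = ET.Element("policyresult")
    result.text = outcome
    return result

def combine(xml_text):
    """Parse a <results> wrapper (assumed) and return the combined decision text."""
    root = ET.fromstring(xml_text)
    return deny_overrides(root.findall("ruleresult")).text

# Constructed sample input: one Permit plus a Deny rule that failed to evaluate.
SAMPLE = """<results>
  <ruleresult><effect>Permit</effect><decision>Permit</decision></ruleresult>
  <ruleresult><effect>Deny</effect><decision>Indeterminate</decision></ruleresult>
</results>"""

if __name__ == "__main__":
    print(combine(SAMPLE), combine("<results/>"))
```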