Subject: Proposal for Access Permitted (Issue 23)


I propose adding the following to Appendix A, section 3.

----
o     urn:oasis:names:tc:xacml:3.0:function:access-permitted

This function SHALL take an "http://www.w3.org/2001/XMLSchema#string" as
an argument, which SHALL be interpreted as the XML content of a
<Subject> element, and evaluates to an
"http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return
"True" if and only if the policy evaluation described below returns the
value of "Permit".

The following evaluation is described as if the context is actually
instantiated, but as noted in section 6.1, it is only required that an
equivalent result be obtained.

The function SHALL construct a new context, by copying all the
information from the current context, omitting any <Subject> element
which has either no subject category attribute or a subject category
attribute with the value of
"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject". The
function argument SHALL be added to the context as the content of a
<Subject> element.

The function SHALL invoke a complete policy evaluation using the newly
constructed context. This evaluation SHALL be completely isolated from
the evaluation which invoked the function, but shall use all current
policies and combining algorithms, including per request policies.
----

Open issues:

1. Does anyone see a requirement to be able to specify more than one
access subject to this function?

2. The wording will have to be changed, assuming we adopt the open
context model.

3. Not sure which subsection of A.3 this goes in, perhaps a new one.

Comments requested.

Hal
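The context construction and nested evaluation that the proposal describes, as an added illustration (this is not code from the thread, the XACML TC or any XACML implementation). It models the request context as plain dicts, reads only AttributeId/AttributeValue from the <Subject> argument (the real schema is namespaced and richer), uses deny-overrides as the combining algorithm, and wires in a constructed three-rule policy in which a delegate is permitted exactly when the principal it acts for would be. The policy, the resource "report-42" owned by "alice", the "delegate-of" attribute and all subject names are assumptions made for the example.

```python
import copy
import xml.etree.ElementTree as ET

ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"


def parse_subject(xml_text):
    """Parse the XML content of a <Subject> element into a dict.

    Simplified reading of the XACML 1.0 Subject: only AttributeId and the
    first AttributeValue of each Attribute are kept. A missing
    SubjectCategory attribute is stored as None, which (as in the proposal)
    counts as the access subject.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "Subject":
        raise ValueError("argument must be the XML content of a <Subject> element")
    attrs = {}
    for attr in root.findall("Attribute"):
        value = attr.find("AttributeValue")
        attrs[attr.get("AttributeId")] = value.text if value is not None else None
    return {"category": root.get("SubjectCategory"), "attributes": attrs}


def is_access_subject(subject):
    return subject["category"] in (None, ACCESS_SUBJECT)


def access_subject(context):
    """Return the (first) access subject of a context, or None."""
    return next((s for s in context["subjects"] if is_access_subject(s)), None)


def build_isolated_context(context, subject_xml):
    """Deep-copy the current context, drop every <Subject> that is (or
    defaults to) the access subject, and add the argument as a new <Subject>.
    The caller's context is never modified, so the nested evaluation is isolated."""
    new_ctx = copy.deepcopy(context)
    new_ctx["subjects"] = [s for s in new_ctx["subjects"] if not is_access_subject(s)]
    new_ctx["subjects"].append(parse_subject(subject_xml))
    return new_ctx


def evaluate(context, policy):
    """Complete policy evaluation with a deny-overrides combining algorithm."""
    decisions = [rule(context) for rule in policy]
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def access_permitted(context, subject_xml, policy):
    """urn:oasis:names:tc:xacml:3.0:function:access-permitted as proposed:
    True iff an isolated evaluation of the same policy over the
    reconstructed context returns Permit."""
    return evaluate(build_isolated_context(context, subject_xml), policy) == "Permit"


# --- constructed policy (assumption, not from the thread) -------------------

def subject_xml_for(subject_id):
    """Build the <Subject> argument naming a principal. It carries only a
    subject-id, so the nested evaluation cannot delegate again and the
    recursion through delegate_may_act terminates."""
    return ('<Subject><Attribute AttributeId="subject-id">'
            f'<AttributeValue>{subject_id}</AttributeValue></Attribute></Subject>')


def owner_may_read(ctx):
    subj = access_subject(ctx)
    if subj and ctx["action"] == "read" and subj["attributes"].get("subject-id") == ctx["resource"]["owner"]:
        return "Permit"
    return "NotApplicable"


def delegate_may_act(ctx):
    """Permit if the principal the access subject acts for would be permitted."""
    subj = access_subject(ctx)
    principal = subj["attributes"].get("delegate-of") if subj else None
    if principal and access_permitted(ctx, subject_xml_for(principal), POLICY):
        return "Permit"
    return "NotApplicable"


def delegates_never_write(ctx):
    subj = access_subject(ctx)
    if subj and "delegate-of" in subj["attributes"] and ctx["action"] == "write":
        return "Deny"
    return "NotApplicable"


POLICY = [owner_may_read, delegate_may_act, delegates_never_write]


def make_context(subject_id, action, delegate_of=None, intermediary=None):
    """Constructed request context over one resource owned by alice."""
    attrs = {"subject-id": subject_id}
    if delegate_of:
        attrs["delegate-of"] = delegate_of
    subjects = [{"category": ACCESS_SUBJECT, "attributes": attrs}]
    if intermediary:
        subjects.append({"category": INTERMEDIARY_SUBJECT, "attributes": {"subject-id": intermediary}})
    return {"subjects": subjects, "resource": {"id": "report-42", "owner": "alice"}, "action": action}


if __name__ == "__main__":
    print(evaluate(make_context("alice", "read"), POLICY))                      # Permit
    print(evaluate(make_context("bob", "read", delegate_of="alice"), POLICY))   # Permit, via the nested evaluation
    print(evaluate(make_context("bob", "write", delegate_of="alice"), POLICY))  # Deny
    print(evaluate(make_context("carol", "read", delegate_of="dave"), POLICY))  # NotApplicable
```

Two points the code makes concrete: an intermediary-subject <Subject> survives the copy while the access subject is replaced, and the nested evaluation runs the full policy (including the rule that calls access-permitted), so a rule that builds the argument must make sure the recursion bottoms out.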
