[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Proposal for Access Permitted (Issue 23)
I propose adding the following to Appendix A, section 3. ---- o urn:oasis:names:tc:xacml:3.0:function:access-permitted This function SHALL take an "http://www.w3.org/2001/XMLSchema#string" as an argument, which SHALL be interpreted as the XML content of a <Subject> element, and evaluates to an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL return "True" if and only if the policy evaluation described below returns the value of "Permit". The following evaluation is described as if the context is actually instantiated, but as noted in section 6.1, it is only required that an equivalent result be obtained. The function SHALL construct a new context, by copying all the information from the current context, omitting any <Subject> element which has either no subject category attribute or a subject category attribute with the value of "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject". The function argument SHALL be added to the context as the content of a <Subject> element. The function SHALL invoke a complete policy evaluation using the newly constructed context. This evaluation SHALL be completely isolated from the evaluation which invoked the function, but shall use all current policies and combining algorithms, including per request policies. ---- Open issues: 1. Does anyone see a requirement to be able to specify more than one access subject to this function? 2. The wording will have to be changed, assuming we adopt the open context model. 3. Not sure which subsection of A.3 this goes in, perhaps a new one. Comments requested. Hal
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]