xacml message
Subject: [Fwd: [xacml-comment] About XACML Administrative policy draft]


The attached questions came in today on the xacml comments list. Here
are my answers to them:

1. Yes, you are correct. Having an indirect delegates condition inside a
target that does not match administrative request does not make sense.
However, there is nothing that disallows you from writing such a policy.
Personally, I don't think it is necessary to add such a restriction.
There are infinite ways to write policies that do not make sense, and I
don't think this case needs any special treatment.

Yes, you are also correct that there is no way to match any delegate.
This is a known problem with the current draft. See issue 33 at

http://wiki.oasis-open.org/xacml/IssuesList

Before we address this issue we are going to wait for the rewrite of the
core schema to allow arbitrary attribute categories.

2. Yes, you are correct, <IndirectDelegatesCondition> can only be used
inside a condition. This is by design since the target is primarily
intended for quick indexing/pruning, and the general opinion was that
there is no need to index on the indirect delegates.

Best regards,
Erik

--- Begin Message ---
Dear XACML Committee,
  
I have some questions on XACML administrative policy to clarify.

1. The <Delegates> element is added to <Target>. So <PolicySet>, <Policy> and <Rule> could include it. <IndirectDelegatesCondition> mostly appears in the <Condition> of <Rule>. I think there exists an implicit relation between <Delegates> and <IndirectDelegatesCondition>. If there doesn't exist <Delegates> in a policy, there shouldn't exist <IndirectDelegatesCondition> in <Rule>. The reason is that <IndirectDelegate> must not be present if the <Delegates> element is not present in context. Another problem is how we express any delegate. According to XACML normal logic, not present means any, like subject, resource. But in this situation, we couldn't construct a request including only indirect delegate without delegate. I remember someone (sorry I forgot his/her name) suggested using <Delegates> <AnyDelegate> </Delegates> to express any delegate in target. I think it may solve it.

2. I can't imagine how to use <IndirectDelegatesCondition> except in <Condition>. If <IndirectDelegatesCondition> can be used outside <Condition> of rule, please give me a simple example and explain it. Thanks.
  

Best Regards

Li XiaoFeng

Email:xiaofeng03 (at) iscas (dot) cn   lxf (at) is (dot) iscas (dot) ac (dot) cn
Department:LOIS,Institute of Software Chinese Academy of Sciences
Address:4# South Fourth Street, Zhong Guan Cun, Beijing,P.R. CHINA

2006-07-25 
--- End Message ---
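The exchange above describes a policy shape that is legal but never matches: a <Rule> whose <Condition> uses <IndirectDelegatesCondition> while no enclosing <PolicySet>, <Policy> or <Rule> <Target> declares <Delegates>. Erik notes the draft does not forbid it, and Li suggests it should be treated as an error. A policy author can catch it with a lint pass before deployment. The following is an added example, not code from the XACML TC or the draft; the policy document it parses is a constructed, simplified stand-in that reuses only the element names named in the thread (PolicySet, Policy, Rule, Target, Delegates, AnyDelegate, Condition, IndirectDelegatesCondition) and is not the draft schema, and the element-Id attribute names are an assumption.

```python
"""Lint: flag Rules whose Condition uses <IndirectDelegatesCondition> while
no enclosing PolicySet/Policy/Rule Target carries <Delegates>.

Added example; the XML structure below is a constructed simplification that
borrows element names from the mailing-list thread, not the draft schema.
"""
import xml.etree.ElementTree as ET

# Elements that carry a <Target> and may therefore declare <Delegates>.
ADMIN_CONTAINERS = ("PolicySet", "Policy", "Rule")


def _local(tag):
    """Strip a namespace prefix: '{uri}Name' -> 'Name' (keeps a bare name)."""
    return tag.rsplit("}", 1)[-1]


def _target_declares_delegates(elem):
    """True if elem's direct <Target> child contains a <Delegates> element
    (including the <Delegates><AnyDelegate/></Delegates> form from the thread)."""
    target = next((c for c in elem if _local(c.tag) == "Target"), None)
    if target is None:
        return False
    return any(_local(c.tag) == "Delegates" for c in target)


def find_orphan_indirect_conditions(policy_xml):
    """Return [(RuleId, path)] for every Rule that uses
    IndirectDelegatesCondition inside its Condition without any enclosing
    container's Target declaring <Delegates>. Such a rule can never match an
    administrative request, which is the case discussed in the message."""
    root = ET.fromstring(policy_xml)
    findings = []

    def walk(elem, delegates_in_scope, path):
        name = _local(elem.tag)
        if name in ADMIN_CONTAINERS:
            # Assumed Id attribute naming: PolicySetId / PolicyId / RuleId.
            ident = elem.get(name + "Id", "?")
            path = path + ["%s[%s]" % (name, ident)]
            delegates_in_scope = delegates_in_scope or _target_declares_delegates(elem)
        if name == "Rule":
            cond = next((c for c in elem if _local(c.tag) == "Condition"), None)
            uses_indirect = cond is not None and any(
                _local(e.tag) == "IndirectDelegatesCondition" for e in cond.iter()
            )
            if uses_indirect and not delegates_in_scope:
                findings.append((elem.get("RuleId", "?"), "/".join(path)))
        for child in elem:
            walk(child, delegates_in_scope, path)

    walk(root, False, [])
    return findings


# Constructed sample: p-1 declares "any delegate" on its Target, so rule-1 is
# fine; p-2 has no <Delegates> anywhere in scope, so rule-2 is flagged.
SAMPLE_POLICY = """
<PolicySet PolicySetId="ps-1">
  <Target/>
  <Policy PolicyId="p-1">
    <Target><Delegates><AnyDelegate/></Delegates></Target>
    <Rule RuleId="rule-1" Effect="Permit">
      <Target/>
      <Condition><IndirectDelegatesCondition/></Condition>
    </Rule>
  </Policy>
  <Policy PolicyId="p-2">
    <Target/>
    <Rule RuleId="rule-2" Effect="Permit">
      <Target/>
      <Condition><Apply><IndirectDelegatesCondition/></Apply></Condition>
    </Rule>
    <Rule RuleId="rule-3" Effect="Permit">
      <Target/>
    </Rule>
  </Policy>
</PolicySet>
"""

if __name__ == "__main__":
    for rule_id, path in find_orphan_indirect_conditions(SAMPLE_POLICY):
        print("unreachable administrative rule %s at %s" % (rule_id, path))
```

The walk treats <Delegates> as inherited down the PolicySet/Policy/Rule chain, so a rule is only reported when none of its ancestors' Targets could ever match an administrative request; a <Delegates> declared at any level above the rule silences the finding.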

