

Subject: RE: [xacml] Attribute categories.


Doh! (...I guess I did not like the existing multiple subject design so
much that I subconsciously omitted it :) )

We should add this, but it should be made in some abstract form, for
example by adding a disjunctive match grouping.  (We can pick up a nice
name for that element - suggestions?)
How about something like:
<Target>
   <DisjunctiveMatch>
     <Match MatchId="...equals">
       <AttributeDesignator Category="XXX"/>
     </Match>
     <Match MatchId="...equals">
       <AttributeDesignator Category="XXX"/>
     </Match>
   </DisjunctiveMatch>
   <Match>...
   </Match>
</Target>

With semantics that anything inside the DisjunctiveMatch is ORed, and
the rest is AND.  There is no need to restrict this only to the former
subject categories.
That will allow us to map existing subject matches into the new schema.

Daniel;

-----Original Message-----
From: Anne Anderson - Sun Microsystems [mailto:Anne.Anderson@sun.com] 
Sent: Wednesday, October 04, 2006 7:42 AM
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] Attribute categories.

I think this is a mistake in the new attribute categories schema.  There
should be an element corresponding to <Subjects>, <Resources>, ... that
identifies a category under which the enclosed groupings fall.  Then
there should be an element corresponding to <Subject>, <Resource>, ...
that identifies a specific instance of an entity in that category to
which all the enclosed <Match> elements must apply.

Fixing this mistake will be necessary for backwards compatibility, and
also to retain functionality for specifying groupings of attributes that
must apply to a specific entity.

Regards,
Anne

Erik Rissanen wrote On 10/04/06 10:36,:
> All,
> 
> I just noticed that, if I understand this correctly, it is not possible to
> write a disjunction in the target with the new attribute categories
> schema. In XACML 2.0 you can write:
> 
> <Target>
>   <Subjects>
>     <Subject>
>        <SubjectMatch MatchId="...equals">
>          <SubjectAttributeDesignator>
>               ...A...
>        </SubjectMatch>
>     </Subject>
>     <Subject>
>        <SubjectMatch MatchId="...equals">
>          <SubjectAttributeDesignator>
>               ...B...
>        </SubjectMatch>
>     </Subject>
>   </Subjects>
> </Target>
> 
> and a request with either subject A or B would match.
> 
> In the new attribute categories schema the Match appears directly below
> Target:
> 
> <Target>
>   <Match MatchId="...equals">
>     <AttributeDesignator Category="Subject">
>        ...A...
>   </Match>
> </Target>
> 
> so it is no longer possible to write a disjunction. Did I understand it
> correctly?
> 
> Regards,
> Erik
> 
> Daniel Engovatov wrote:
> 
>>Attached is a version of the request and policy schemas implementing
>>extensible attribute categories proposal, as we discussed it.
>>I also attached some rendering of the changed schema type.
>>Could this be uploaded somewhere, so that I can link it from wiki and
>>write descriptions for all the changes?
>>
>>Daniel;
>>
>>  
> 
> 
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
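
Added example (not part of the thread and not from any XACML implementation): a small evaluator for the semantics proposed in the reply above, where children of <Target> are ANDed and the children of a <DisjunctiveMatch> are ORed, applied to the "subject A or B" target from the original question. The AttributeId attribute, the AttributeValue child, the literal MatchId "equals" and the request layout are assumptions standing in for the parts the messages elide with "...".

```python
import xml.etree.ElementTree as ET

# Constructed target: the "subject A or B" case in the proposed form, plus one
# top-level Match that is ANDed with the group. AttributeId, AttributeValue and
# MatchId="equals" are assumed stand-ins for the elided "..." parts.
TARGET_XML = """
<Target>
  <DisjunctiveMatch>
    <Match MatchId="equals">
      <AttributeValue>A</AttributeValue>
      <AttributeDesignator Category="Subject" AttributeId="subject-id"/>
    </Match>
    <Match MatchId="equals">
      <AttributeValue>B</AttributeValue>
      <AttributeDesignator Category="Subject" AttributeId="subject-id"/>
    </Match>
  </DisjunctiveMatch>
  <Match MatchId="equals">
    <AttributeValue>read</AttributeValue>
    <AttributeDesignator Category="Action" AttributeId="action-id"/>
  </Match>
</Target>
"""

def match(elem, request):
    """One <Match>: true if any request value of the designated attribute equals the literal."""
    if elem.tag != "Match" or elem.get("MatchId") != "equals":
        # Fail closed on anything this sketch does not understand.
        raise ValueError("unsupported element or MatchId: " + elem.tag)
    literal = elem.findtext("AttributeValue")
    des = elem.find("AttributeDesignator")
    values = request.get((des.get("Category"), des.get("AttributeId")), [])
    return literal in values

def target_matches(target_xml, request):
    """Children of <Target> are ANDed; children of <DisjunctiveMatch> are ORed."""
    results = []
    for child in ET.fromstring(target_xml):
        if child.tag == "DisjunctiveMatch":
            # Evaluate every member (no short-circuit) so a malformed one is always reported.
            results.append(any([match(m, request) for m in child]))
        else:
            results.append(match(child, request))
    # An empty Target matches every request; an empty DisjunctiveMatch matches none.
    return all(results)
```

Evaluating every member of the group before taking the OR means a malformed alternative raises an error even when an earlier alternative already matched, so a policy typo cannot hide behind a match.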