Subject: RE: [xacml] Attribute categories.


I am not sure about limiting DisjunctiveMatch to a single category:
Subjects will be in different categories, and there is no strong reason
to limit this.  We will be basically adding some basic Boolean logic to
match combinations - we could actually make it fully generic and add
nesting <AND> and <OR> operations on the <MATCH>, but that would
probably be a bit of an overkill, so keeping it to one level should be
OK.
I would rather keep it in the simplest possible form that allows mapping
of the old Subject - let's discuss it during the next call.

Daniel;


-----Original Message-----
From: Anne Anderson - Sun Microsystems [mailto:Anne.Anderson@sun.com] 
Sent: Wednesday, October 04, 2006 12:20 PM
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] Attribute categories.

Hi Daniel,

I did not mean to imply that we would still have <SUBJECTS>, <SUBJECT>, 
..., but that corresponding abstractions are needed: groups of targets 
that fall within a single category, and single instances of a target in 
that category to which multiple matches must apply.

So, building on your example, here is what would be needed, with the 
<Target> itself implying a conjunctive match of the enclosed 
<DisjunctiveMatch> elements:

<Target>
    <DisjunctiveMatch CategoryId="..:a">
       <ConjunctiveMatch>
           <Match> ...</Match>
           <Match> ...</Match>
       </ConjunctiveMatch>
       <ConjunctiveMatch>
           <Match> ...</Match>
           <Match> ...</Match>
       </ConjunctiveMatch>
       <ConjunctiveMatch>
           <Match> ...</Match>
           <Match> ...</Match>
       </ConjunctiveMatch>
    </DisjunctiveMatch>
    <DisjunctiveMatch CategoryId="..:b">
       <ConjunctiveMatch>
           <Match> ...</Match>
           <Match> ...</Match>
       </ConjunctiveMatch>
    </DisjunctiveMatch>
    ...
</Target>

Regards,
Anne

Daniel Engovatov wrote On 10/04/06 13:41,:
> Doh! (...I guess I did not like the existing multiple subject design so
> much that I subconsciously omitted it :) )
> 
> We should add this, but it should be made in some abstract form, for
> example by adding a disjunctive match grouping.  (We can pick up a nice
> name for that element - suggestions?)
> How about something like:
> <Target>
>    <DisjunctiveMatch>
>      <Match MatchId="...equals">
>        <AttributeDesignator Category="XXX">
>      </Match>
>      <Match MatchId="...equals">
>        <AttributeDesignator Category="XXX">
>      </Match>
>    </DisjunctiveMatch>
>    <Match>...
>    </Match>
> </Target>
> 
> With semantics that anything inside the DisjunctiveMatch  is ORed, and
> the rest is AND.  There is no need to restrict this only to the former
> subject categories.
> That will allow to map existing subject matches into the new schema.
> 
> Daniel;
> 
> -----Original Message-----
> From: Anne Anderson - Sun Microsystems [mailto:Anne.Anderson@sun.com] 
> Sent: Wednesday, October 04, 2006 7:42 AM
> To: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Attribute categories.
> 
> I think this is a mistake in the new attribute categories schema. There
> should be an element corresponding to <Subjects>, <Resources>, ... that
> identifies a category under which the enclosed groupings fall.  Then
> there should be an element corresponding to <Subject>, <Resource>, ...
> that identifies a specific instance of an entity in that category to
> which all the enclosed <Match> elements must apply.
> 
> Fixing this mistake will be necessary for backwards compatibility, and
> also to retain functionality for specifying groupings of attributes that
> must apply to a specific entity.
> 
> Regards,
> Anne
> 
> Erik Rissanen wrote On 10/04/06 10:36,:
> 
>>All,
>>
>>I just noticed that, if I understand this correctly, it is not possible
>>to write a disjunction in the target with the new attribute categories
>>schema. In XACML 2.0 you can write:
>>
>><Target>
>>  <Subjects>
>>    <Subject>
>>       <SubjectMatch MatchId="...equals">
>>         <SubjectAttributeDesignator>
>>              ...A...
>>       </SubjectMatch>
>>    </Subject>
>>    <Subject>
>>       <SubjectMatch MatchId="...equals">
>>         <SubjectAttributeDesignator>
>>              ...B...
>>       </SubjectMatch>
>>    </Subject>
>>  </Subjects>
>></Target>
>>
>>and a request with either subject A or B would match.
>>
>>In the new attribute categories schema the Match appears directly below
>>Target:
>>
>><Target>
>>  <Match MatchId="...equals">
>>    <AttributeDesignator Category="Subject">
>>       ...A...
>>  </Match>
>></Target>
>>
>>so it is no longer possible to write a disjunction. Did I understand it
>>correctly?
>>
>>Regards,
>>Erik
>>
>>Daniel Engovatov wrote:
>>
>>
>>>Attached is a version of the request and policy schemas implementing
>>>extensible attribute categories proposal, as we discussed it.
>>>I also attached some rendering of the changed schema type.
>>>Could this be uploaded somewhere, so that I can link it from wiki and
>>>write descriptions for all the changes?
>>>
>>>Daniel;
>>>
>>> 
>>
>>
>>
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
_______________________________________________________________________
Notice:  This email message, together with any attachments, may contain
information  of  BEA Systems,  Inc.,  its subsidiaries  and  affiliated
entities,  that may be confidential,  proprietary,  copyrighted  and/or
legally privileged, and is intended solely for the use of the individual
or entity named in this message. If you are not the intended recipient,
and have received this message in error, please immediately return this
by email and then delete it.
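Added example, not code from this thread or from the XACML TC: a toy evaluator for the Target structure Anne sketches above (Target = AND over DisjunctiveMatch, DisjunctiveMatch = OR over ConjunctiveMatch, ConjunctiveMatch = AND over Match). The element names come from her sketch; the placement of AttributeValue and AttributeDesignator inside Match, the AttributeId attribute, the category identifiers, the request shape and all sample data are assumptions constructed for the example. The two MatchId values are the real XACML 1.0 string-equal and string-regexp-match function identifiers. The evaluator deliberately has no Indeterminate result: a missing attribute is treated as an empty bag, which makes the Match false.

```python
"""Toy evaluator for the Target structure sketched in this thread.

Target           -> AND over DisjunctiveMatch elements
DisjunctiveMatch -> OR  over ConjunctiveMatch elements
ConjunctiveMatch -> AND over Match elements
Match            -> true if ANY value in the designated request bag
                    satisfies the MatchId function (XACML match semantics)
Element names follow Anne's sketch; everything else here is an assumption.
"""
import re
import xml.etree.ElementTree as ET

# Real XACML 1.0/2.0 function identifiers. First argument is the literal
# from <AttributeValue>, second is one value taken from the request bag.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal":
        lambda literal, value: literal == value,
    "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match":
        lambda literal, value: re.fullmatch(literal, value) is not None,
}

# Category identifiers are constructed for this example, not from the thread.
SUBJECT = "urn:example:category:subject"
RESOURCE = "urn:example:category:resource"


def eval_match(match, request):
    """A Match holds if ANY value in the designated bag satisfies MatchId."""
    func = FUNCTIONS[match.get("MatchId")]
    literal = match.find("AttributeValue").text
    designator = match.find("AttributeDesignator")
    bag = (request.get(designator.get("Category"), {})
                  .get(designator.get("AttributeId"), ()))
    # Simplification: a missing attribute is an empty bag and yields False;
    # real XACML may yield Indeterminate instead when MustBePresent is set.
    return any(func(literal, value) for value in bag)


def eval_conjunctive(conj, request):
    """ConjunctiveMatch: every enclosed Match must hold."""
    return all(eval_match(m, request) for m in conj.findall("Match"))


def eval_disjunctive(disj, request):
    """DisjunctiveMatch: at least one enclosed ConjunctiveMatch must hold."""
    return any(eval_conjunctive(c, request)
               for c in disj.findall("ConjunctiveMatch"))


def eval_target(target, request):
    """Target: all DisjunctiveMatch groups must hold; an empty Target matches."""
    return all(eval_disjunctive(d, request)
               for d in target.findall("DisjunctiveMatch"))


def target_matches(target_xml, request):
    return eval_target(ET.fromstring(target_xml.strip()), request)


# Constructed Target: (subject is alice) OR (subject is bob AND role admin),
# AND resource-id looks like /finance/...  The first DisjunctiveMatch is
# Erik's "subject A or subject B" case, which a flat list of Match elements
# directly under Target could not express.
TARGET_XML = f"""
<Target>
  <DisjunctiveMatch CategoryId="{SUBJECT}">
    <ConjunctiveMatch>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue>alice</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="subject-id"/>
      </Match>
    </ConjunctiveMatch>
    <ConjunctiveMatch>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue>bob</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="subject-id"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue>admin</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="role"/>
      </Match>
    </ConjunctiveMatch>
  </DisjunctiveMatch>
  <DisjunctiveMatch CategoryId="{RESOURCE}">
    <ConjunctiveMatch>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
        <AttributeValue>/finance/.*</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="resource-id"/>
      </Match>
    </ConjunctiveMatch>
  </DisjunctiveMatch>
</Target>
"""


def make_request(subject_id, roles, resource_id):
    """Constructed request context: category -> attribute-id -> bag of values."""
    return {
        SUBJECT: {"subject-id": [subject_id], "role": list(roles)},
        RESOURCE: {"resource-id": [resource_id]},
    }


if __name__ == "__main__":
    for who, roles, res in [("alice", [], "/finance/q3.xlsx"),
                            ("bob", ["admin"], "/finance/q3.xlsx"),
                            ("bob", ["user"], "/finance/q3.xlsx"),
                            ("alice", [], "/hr/salaries.csv")]:
        print(who, roles, res, "->",
              target_matches(TARGET_XML, make_request(who, roles, res)))
```

The point Erik raises falls out of the structure: a disjunction is only expressible because two ConjunctiveMatch siblings sit under one DisjunctiveMatch, while Match elements that are siblings inside a ConjunctiveMatch (bob AND admin) are conjoined, as are the DisjunctiveMatch groups themselves. Note that a request for bob without the admin role fails the whole Target even though the resource branch matches.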

