

Subject: Re: [xacml] A problem with the Target


Argyn wrote:
> Eric
>
> On 2/20/07, Erik Rissanen <mirty@sics.se> wrote:
>
>> However, this was possible with subject categories in 2.0. So we are no
>> longer backwards compatible with 2.0.
>
> what do you mean by backwards compatibility in this case?

I mean that it is not possible to map/translate 2.0 policies into equivalent
3.0 policies. Such a translation has been a goal of the 3.0 work, so that
there is an easy migration path and we cover all previous use cases.

> if you send a document with this new element, it won't work in old
> implementations anyway, if they are using schema validation or even
> without it.
>
> also, do you keep these changes posted somewhere for others to review
> the whole schema doc?

No, I haven't posted it in full since it is work in progress, but
everything is out there in fragments, in the form of discussions and
issues on the mailing list and the issues list on the wiki.

I am attaching the schema file in its current state for you to review, but
it is not yet ready to be working draft 01.

Regards,
Erik

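<?xml version="1.0" encoding="UTF-8"?>
<!-- Work-in-progress XACML 3.0 core schema as attached to the list message.
	The author states it is not yet ready as working draft 01, so it should
	not be treated as normative or used to validate production policies.
	The archived copy carried a stray ';' after the xs namespace declaration,
	which made the start tag ill-formed; it is removed here. -->
<xs:schema xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-01"
	xmlns:xs="http://www.w3.org/2001/XMLSchema"
	targetNamespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-01"
	elementFormDefault="qualified" attributeFormDefault="unqualified">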
	<!-- 	-->
	<!-- Root of a decision request: a list of Attributes groups, each carrying
		a Category. Both the sequence (0..unbounded) and the inner element
		(1..unbounded) repeat, so a Request with no Attributes child is
		schema-valid; a consumer that needs at least one category has to
		check that itself. -->
	<xs:element name="Request" type="xacml:RequestType"/>
	<xs:complexType name="RequestType">
		<xs:sequence minOccurs="0" maxOccurs="unbounded">
			<xs:element ref="xacml:Attributes" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- Root of a decision response: one or more Result elements. -->
	<xs:element name="Response" type="xacml:ResponseType"/>
	<xs:complexType name="ResponseType">
		<xs:sequence>
			<xs:element ref="xacml:Result" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- Free-form payload carried inside an Attributes group: mixed text plus
		any elements and any attributes from any namespace, with an optional
		id. processContents="lax" means children are validated only when a
		declaration for them happens to be available, so this schema gives
		no guarantee about what arrives here. Consumers should treat the
		content as untrusted input and bound its size and nesting depth. -->
	<xs:element name="Content" type="xacml:ContentType"/>
	<xs:complexType name="ContentType" mixed="true">
		<xs:sequence>
			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="id" type="xs:anyURI" use="optional"/>
		<xs:anyAttribute namespace="##any" processContents="lax"/>
	</xs:complexType>
	<!-- -->
	<!-- One decision: a required Decision, then optional Status and optional
		Obligations, in that order. ResourceId is an optional plain string;
		the schema does not tie it to any attribute in the request. -->
	<xs:element name="Result" type="xacml:ResultType"/>
	<xs:complexType name="ResultType">
		<xs:sequence>
			<xs:element ref="xacml:Decision"/>
			<xs:element ref="xacml:Status" minOccurs="0"/>
			<xs:element ref="xacml:Obligations" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="ResourceId" type="xs:string" use="optional"/>
	</xs:complexType>
	<!-- -->
	<!-- Decision value, restricted to four strings. Only "Permit" grants
		access; an enforcement point should map "Indeterminate" and
		"NotApplicable" to an explicit outcome of its own rather than let
		them fall through to a default that grants access. -->
	<xs:element name="Decision" type="xacml:DecisionType"/>
	<xs:simpleType name="DecisionType">
		<xs:restriction base="xs:string">
			<xs:enumeration value="Permit"/>
			<xs:enumeration value="Deny"/>
			<xs:enumeration value="Indeterminate"/>
			<xs:enumeration value="NotApplicable"/>
		</xs:restriction>
	</xs:simpleType>
	<!-- -->
	<!-- Status of a Result: a required StatusCode, then an optional
		StatusMessage and an optional StatusDetail. -->
	<xs:element name="Status" type="xacml:StatusType"/>
	<xs:complexType name="StatusType">
		<xs:sequence>
			<xs:element ref="xacml:StatusCode"/>
			<xs:element ref="xacml:StatusMessage" minOccurs="0"/>
			<xs:element ref="xacml:StatusDetail" minOccurs="0"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- Status code identified by a required Value URI. A StatusCode may
		contain one nested StatusCode, and the schema sets no limit on how
		deep that chain goes; readers of untrusted responses should cap it. -->
	<xs:element name="StatusCode" type="xacml:StatusCodeType"/>
	<xs:complexType name="StatusCodeType">
		<xs:sequence>
			<xs:element ref="xacml:StatusCode" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="Value" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- StatusMessage is free text. StatusDetail accepts any elements from
		any namespace with lax validation, so its content is not checked by
		this schema. Both can echo data from the request or the policy;
		NOTE(review): confirm what a decision point is expected to put here
		before exposing it to the requester. -->
	<xs:element name="StatusMessage" type="xs:string"/>
	<!-- -->
	<xs:element name="StatusDetail" type="xacml:StatusDetailType"/>
	<xs:complexType name="StatusDetailType">
		<xs:sequence>
			<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- Names an attribute by Category, AttributeId and DataType (all
		required), with an optional Issuer and optional AttributeValue
		children. No other declaration in this schema references the
		element; presumably it is meant to appear inside StatusDetail
		through that type's wildcard (confirm against the draft text). -->
	<xs:element name="MissingAttributeDetail" type="xacml:MissingAttributeDetailType"/>
	<xs:complexType name="MissingAttributeDetailType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="Category" type="xs:anyURI" use="required"/>
		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:attribute name="Issuer" type="xs:string" use="optional"/>
	</xs:complexType>
	<!-- -->
	<!-- Group of request attributes for one Category (required URI): an
		optional Content payload followed by zero or more Attribute
		elements. The schema does not prevent two Attributes groups in one
		Request from using the same Category. -->
	<xs:element name="Attributes" type="xacml:AttributesType"/>
	<xs:complexType name="AttributesType">
		<xs:sequence>
			<xs:element ref="xacml:Content" minOccurs="0"/>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="Category" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- A named attribute: required AttributeId, one or more AttributeValue
		children, optional Issuer. Issuer is an unconstrained string that
		the sender fills in; nothing in the schema binds it to a verified
		identity, so trust in it has to be established outside the document. -->
	<xs:element name="Attribute" type="xacml:AttributeType"/>
	<xs:complexType name="AttributeType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
		<xs:attribute name="Issuer" type="xs:string" use="optional"/>
	</xs:complexType>
	<!-- -->
	<!-- Obligations is a non-empty list of Obligation elements. Each
		Obligation has a required ObligationId, a required FulfillOn limited
		to the EffectType values, and zero or more AttributeAssignment
		children. -->
	<xs:element name="Obligations" type="xacml:ObligationsType"/>
	<xs:complexType name="ObligationsType">
		<xs:sequence>
			<xs:element ref="xacml:Obligation" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="Obligation" type="xacml:ObligationType"/>
	<xs:complexType name="ObligationType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeAssignment" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
		<xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- Extends AttributeValueType with a required AttributeId, so it
		inherits that type's mixed content, wildcard children and wildcard
		attributes; the assigned value is therefore not validated by this
		schema. -->
	<xs:element name="AttributeAssignment" type="xacml:AttributeAssignmentType"/>
	<xs:complexType name="AttributeAssignmentType" mixed="true">
		<xs:complexContent mixed="true">
			<xs:extension base="xacml:AttributeValueType">
				<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- The two effects a Rule can declare and an Obligation can be tied to:
		"Permit" or "Deny". -->
	<xs:simpleType name="EffectType">
		<xs:restriction base="xs:string">
			<xs:enumeration value="Permit"/>
			<xs:enumeration value="Deny"/>
		</xs:restriction>
	</xs:simpleType>
	<!-- -->
	<!-- Container of policies. Order is fixed: optional Description,
		PolicyIssuer and PolicySetDefaults, a required Target, then any mix
		of nested PolicySet, Policy, id references and combiner parameters,
		then optional Obligations. PolicySet nests inside itself with no
		depth limit in the schema, so loaders of untrusted policy should
		bound recursion. PolicySetId and PolicyCombiningAlgId are required;
		Version defaults to "1.0" when omitted. -->
	<xs:element name="PolicySet" type="xacml:PolicySetType"/>
	<xs:complexType name="PolicySetType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:PolicyIssuer" minOccurs="0"/>
			<xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
			<xs:element ref="xacml:Target"/>
			<xs:choice minOccurs="0" maxOccurs="unbounded">
				<xs:element ref="xacml:PolicySet"/>
				<xs:element ref="xacml:Policy"/>
				<xs:element ref="xacml:PolicySetIdReference"/>
				<xs:element ref="xacml:PolicyIdReference"/>
				<xs:element ref="xacml:CombinerParameters"/>
				<xs:element ref="xacml:PolicyCombinerParameters"/>
				<xs:element ref="xacml:PolicySetCombinerParameters"/>
			</xs:choice>
			<xs:element ref="xacml:Obligations" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
		<xs:attribute name="Version" type="xacml:VersionType" default="1.0"/>
		<xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- Describes who issued a policy as zero or more Attribute elements.
		These are statements written into the policy document itself; the
		schema provides no signature or other proof of origin, so a loader
		must authenticate the policy by other means before relying on them. -->
	<xs:element name="PolicyIssuer" type="xacml:PolicyIssuerType"/>
	<xs:complexType name="PolicyIssuerType">
		<xs:sequence>
			<xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- CombinerParameters is a possibly empty list of CombinerParameter.
		Each CombinerParameter has a required ParameterName string and
		exactly one AttributeValue. -->
	<xs:element name="CombinerParameters" type="xacml:CombinerParametersType"/>
	<xs:complexType name="CombinerParametersType">
		<xs:sequence>
			<xs:element ref="xacml:CombinerParameter" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="CombinerParameter" type="xacml:CombinerParameterType"/>
	<xs:complexType name="CombinerParameterType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue"/>
		</xs:sequence>
		<xs:attribute name="ParameterName" type="xs:string" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- Three extensions of CombinerParametersType, each adding one required
		reference attribute: RuleIdRef (xs:string), PolicyIdRef (xs:anyURI)
		and PolicySetIdRef (xs:anyURI). The schema does not check that the
		referenced rule, policy or policy set exists. -->
	<xs:element name="RuleCombinerParameters" type="xacml:RuleCombinerParametersType"/>
	<xs:complexType name="RuleCombinerParametersType">
		<xs:complexContent>
			<xs:extension base="xacml:CombinerParametersType">
				<xs:attribute name="RuleIdRef" type="xs:string" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="PolicyCombinerParameters" type="xacml:PolicyCombinerParametersType"/>
	<xs:complexType name="PolicyCombinerParametersType">
		<xs:complexContent>
			<xs:extension base="xacml:CombinerParametersType">
				<xs:attribute name="PolicyIdRef" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<xs:element name="PolicySetCombinerParameters" type="xacml:PolicySetCombinerParametersType"/>
	<xs:complexType name="PolicySetCombinerParametersType">
		<xs:complexContent>
			<xs:extension base="xacml:CombinerParametersType">
				<xs:attribute name="PolicySetIdRef" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- References to a policy set or policy by identifier, both typed as
		IdReferenceType. The schema says nothing about where a reference is
		resolved from; NOTE(review): a loader should resolve these only
		against a policy store it trusts. -->
	<xs:element name="PolicySetIdReference" type="xacml:IdReferenceType"/>
	<xs:element name="PolicyIdReference" type="xacml:IdReferenceType"/>
	<!-- -->
	<!-- PolicySetDefaults and PolicyDefaults share DefaultsType, whose only
		permitted content is exactly one XPathVersion (a URI). The
		single-branch choice leaves room for further defaults later. -->
	<xs:element name="PolicySetDefaults" type="xacml:DefaultsType"/>
	<xs:element name="PolicyDefaults" type="xacml:DefaultsType"/>
	<xs:complexType name="DefaultsType">
		<xs:sequence>
			<xs:choice>
				<xs:element ref="xacml:XPathVersion"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<xs:element name="XPathVersion" type="xs:anyURI"/>
	<!-- -->
	<!-- A URI with three optional version constraints (Version,
		EarliestVersion, LatestVersion), each a VersionMatchType pattern.
		All three are optional, so a reference with no constraint at all is
		schema-valid; which version it then selects is not defined here. -->
	<xs:complexType name="IdReferenceType">
		<xs:simpleContent>
			<xs:extension base="xs:anyURI">
				<xs:attribute name="Version" type="xacml:VersionMatchType" use="optional"/>
				<xs:attribute name="EarliestVersion" type="xacml:VersionMatchType" use="optional"/>
				<xs:attribute name="LatestVersion" type="xacml:VersionMatchType" use="optional"/>
			</xs:extension>
		</xs:simpleContent>
	</xs:complexType>
	<!-- -->
	<!-- VersionType: dot-separated decimal numbers, for example "1.0" or
		"2.10.3". VersionMatchType: the same shape, but any component may be
		"*" and the last component may also be "+". The patterns put no
		limit on the number of components or digits. -->
	<xs:simpleType name="VersionType">
		<xs:restriction base="xs:string">
			<xs:pattern value="(\d+\.)*\d+"/>
		</xs:restriction>
	</xs:simpleType>
	<!-- -->
	<xs:simpleType name="VersionMatchType">
		<xs:restriction base="xs:string">
			<xs:pattern value="((\d+|\*)\.)*(\d+|\*|\+)"/>
		</xs:restriction>
	</xs:simpleType>
	<!-- -->
	<!-- A policy: optional Description, PolicyIssuer, PolicyDefaults and
		CombinerParameters, a required Target, then a repeating choice of
		CombinerParameters, RuleCombinerParameters, VariableDefinition and
		Rule, then optional Obligations. Two branches of the choice carry
		minOccurs="0", which makes the choice itself satisfiable by nothing,
		so a Policy with no Rule is schema-valid. PolicyId and
		RuleCombiningAlgId are required; Version defaults to "1.0". -->
	<xs:element name="Policy" type="xacml:PolicyType"/>
	<xs:complexType name="PolicyType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:PolicyIssuer" minOccurs="0"/>
			<xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
			<xs:element ref="xacml:CombinerParameters" minOccurs="0"/>
			<xs:element ref="xacml:Target"/>
			<xs:choice maxOccurs="unbounded">
				<xs:element ref="xacml:CombinerParameters" minOccurs="0"/>
				<xs:element ref="xacml:RuleCombinerParameters" minOccurs="0"/>
				<xs:element ref="xacml:VariableDefinition"/>
				<xs:element ref="xacml:Rule"/>
			</xs:choice>
			<xs:element ref="xacml:Obligations" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
		<xs:attribute name="Version" type="xacml:VersionType" default="1.0"/>
		<xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- Free-text description used by PolicySet, Policy and Rule. -->
	<xs:element name="Description" type="xs:string"/>
	<!-- -->
	<!-- A rule with a required RuleId and a required Effect (Permit or
		Deny). Description, Target and Condition are all optional, so a rule
		made of nothing but an id and an effect is schema-valid.
		NOTE(review): presumably such a rule applies wherever its enclosing
		policy applies; policy authors should check that this is intended,
		particularly for Permit rules. -->
	<xs:element name="Rule" type="xacml:RuleType"/>
	<xs:complexType name="RuleType">
		<xs:sequence>
			<xs:element ref="xacml:Description" minOccurs="0"/>
			<xs:element ref="xacml:Target" minOccurs="0"/>
			<xs:element ref="xacml:Condition" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="RuleId" type="xs:string" use="required"/>
		<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- Target is a list of zero or more DisjunctiveMatch elements; the
		per-category subject/resource/action containers of 2.0 are replaced
		by the Category attribute on DisjunctiveMatch. An empty Target is
		schema-valid. NOTE(review): in XACML an empty target is understood
		to match every request (confirm against the draft text), so an
		empty Target widens the reach of whatever it guards. -->
	<xs:element name="Target" type="xacml:TargetType"/>
	<xs:complexType name="TargetType">
		<xs:sequence minOccurs="0" maxOccurs="unbounded">
			<xs:element ref="xacml:DisjunctiveMatch"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- DisjunctiveMatch holds one or more ConjunctiveMatch elements for a
		required Category; ConjunctiveMatch holds one or more Match
		elements. Going by the names, alternatives are presumably OR-ed at
		the outer level and AND-ed at the inner level; the schema itself
		only fixes the nesting and the minimum of one child at each level. -->
	<xs:element name="DisjunctiveMatch" type="xacml:DisjunctiveMatchType"/>
	<xs:complexType name="DisjunctiveMatchType">
		<xs:sequence minOccurs="1" maxOccurs="unbounded">
			<xs:element ref="xacml:ConjunctiveMatch"/>
		</xs:sequence>
		<xs:attribute name="Category" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<xs:element name="ConjunctiveMatch" type="xacml:ConjunctiveMatchType"/>
	<xs:complexType name="ConjunctiveMatchType">
		<xs:sequence minOccurs="1" maxOccurs="unbounded">
			<xs:element ref="xacml:Match"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- A single comparison: a literal AttributeValue, then either an
		AttributeDesignator or an AttributeSelector, compared with the
		function named by the required MatchId URI. The designator used
		here carries its own required Category, and the schema does not
		require it to agree with the Category on the enclosing
		DisjunctiveMatch. -->
	<xs:element name="Match" type="xacml:MatchType"/>
	<xs:complexType name="MatchType">
		<xs:sequence>
			<xs:element ref="xacml:AttributeValue"/>
			<xs:choice>
				<xs:element ref="xacml:AttributeDesignator"/>
				<xs:element ref="xacml:AttributeSelector"/>
			</xs:choice>
		</xs:sequence>
		<xs:attribute name="MatchId" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- Binds a required VariableId string to exactly one Expression.
		VariableId is a plain xs:string, so uniqueness within a policy is
		not enforced by the schema. -->
	<xs:element name="VariableDefinition" type="xacml:VariableDefinitionType"/>
	<xs:complexType name="VariableDefinitionType">
		<xs:sequence>
			<xs:element ref="xacml:Expression"/>
		</xs:sequence>
		<xs:attribute name="VariableId" type="xs:string" use="required"/>
	</xs:complexType>
	<!-- -->
	<!-- Abstract head of the expression substitution group; it cannot appear
		in a document itself. Its members in this schema are
		VariableReference, AttributeSelector, AttributeDesignator,
		AttributeValue, Function, Apply and MultipleCondition. -->
	<xs:element name="Expression" type="xacml:ExpressionType" abstract="true"/>
	<xs:complexType name="ExpressionType" abstract="true"/>
	<!-- -->
	<!-- Expression that refers to a variable by its required VariableId
		string. The schema does not check that a matching
		VariableDefinition exists or that definitions are free of cycles;
		an evaluator has to detect both. -->
	<xs:element name="VariableReference" type="xacml:VariableReferenceType" substitutionGroup="xacml:Expression"/>
	<xs:complexType name="VariableReferenceType">
		<xs:complexContent>
			<xs:extension base="xacml:ExpressionType">
				<xs:attribute name="VariableId" type="xs:string" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- Expression that selects values by path: optional ContentId, required
		RequestContextPath and DataType, and MustBePresent defaulting to
		false. NOTE(review): RequestContextPath is typed as a plain
		xs:string; presumably it holds an XPath expression (the schema also
		declares XPathVersion), confirm against the draft text. The schema
		does not constrain its syntax, so the evaluator has to validate the
		path and bound the cost of evaluating it over request content. -->
	<xs:element name="AttributeSelector" type="xacml:AttributeSelectorType" substitutionGroup="xacml:Expression"/>
	<xs:complexType name="AttributeSelectorType">
		<xs:complexContent>
			<xs:extension base="xacml:ExpressionType">
				<xs:attribute name="ContentId" type="xs:anyURI"/>
				<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
				<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
				<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- Expression that names a request attribute by Category, AttributeId
		and DataType (all required) with an optional Issuer. MustBePresent
		defaults to false. NOTE(review): with the default, a missing
		attribute presumably does not produce an error result (confirm
		against the draft text); policies whose safety depends on an
		attribute being supplied should set MustBePresent="true". -->
	<xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType" substitutionGroup="xacml:Expression"/>
	<xs:complexType name="AttributeDesignatorType">
		<xs:complexContent>
			<xs:extension base="xacml:ExpressionType">
				<xs:attribute name="Category" type="xs:anyURI" use="required"/>
				<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
				<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
				<xs:attribute name="Issuer" type="xs:string" use="optional"/>
				<xs:attribute name="MustBePresent" type="xs:boolean" use="optional" default="false"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- Literal value with a required DataType URI. The content model is
		mixed text plus any elements and any attributes from any namespace,
		validated laxly, so the schema never checks that the content is a
		legal value of the declared DataType. The evaluator has to parse
		and validate the value itself and reject what it cannot parse. -->
	<xs:element name="AttributeValue" type="xacml:AttributeValueType" substitutionGroup="xacml:Expression"/>
	<xs:complexType name="AttributeValueType" mixed="true">
		<xs:complexContent mixed="true">
			<xs:extension base="xacml:ExpressionType">
				<xs:sequence>
					<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
				<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
				<xs:anyAttribute namespace="##any" processContents="lax"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- Expression that names a function by its required FunctionId URI
		without applying it. The set of acceptable function URIs is not
		enumerated in the schema. -->
	<xs:element name="Function" type="xacml:FunctionType" substitutionGroup="xacml:Expression"/>
	<xs:complexType name="FunctionType">
		<xs:complexContent>
			<xs:extension base="xacml:ExpressionType">
				<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- Condition of a Rule: exactly one Expression. The schema cannot
		require that the expression evaluates to a boolean; that check is
		left to the evaluator. -->
	<xs:element name="Condition" type="xacml:ConditionType"/>
	<xs:complexType name="ConditionType">
		<xs:sequence>
			<xs:element ref="xacml:Expression"/>
		</xs:sequence>
	</xs:complexType>
	<!-- -->
	<!-- Function application: a required FunctionId and zero or more
		argument Expressions. Apply is itself an Expression, so applications
		nest, and the schema bounds neither the depth nor the number of
		arguments; evaluators that load policy from less trusted sources
		should impose their own limits. Argument count and types are not
		checked against the function here. -->
	<xs:element name="Apply" type="xacml:ApplyType" substitutionGroup="xacml:Expression"/>
	<xs:complexType name="ApplyType">
		<xs:complexContent>
			<xs:extension base="xacml:ExpressionType">
				<xs:sequence>
					<xs:element ref="xacml:Expression" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
				<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
	<!-- Expression combining exactly one AttributeValue with a function
		(FunctionId) and an attribute named by Category, AttributeId and
		DataType (all required) plus an optional Issuer. Unlike
		AttributeDesignator it has no MustBePresent attribute.
		NOTE(review): the intended evaluation semantics are not visible in
		the schema; confirm against the list discussion. -->
	<xs:element name="MultipleCondition" type="xacml:MultipleConditionType" substitutionGroup="xacml:Expression"/>
	<xs:complexType name="MultipleConditionType">
		<xs:complexContent>
			<xs:extension base="xacml:ExpressionType">
				<xs:sequence>
					<xs:element ref="xacml:AttributeValue"/>
				</xs:sequence>
				<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
				<xs:attribute name="Category" type="xs:anyURI" use="required"/>
				<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
				<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
				<xs:attribute name="Issuer" type="xs:string" use="optional"/>
			</xs:extension>
		</xs:complexContent>
	</xs:complexType>
	<!-- -->
</xs:schema>

