Subject: Issues with the Access Permitted feature
All,

There are some issues with the Access Permitted feature as it is in the current draft (delegation wd 16, section 9).

It says that the access permitted function takes a parameter of string type which shall be interpreted as the XML content of an <Attributes> element of Category “Subject”. However, there is no special category “Subject” in the generalized form of XACML 3.0. Each subject category is now its own attribute category. Is it intended to be the access-subject?

Another alternative is that the parameter to the function may contain a number of <Attributes> elements with identified categories, and the supplied <Attributes> elements replace the corresponding elements from the request context, to form the recursive request. Would this solve the intended use cases? However, I think this form is NP-complete. (I have a sketch for a proof in my head, but I haven't it in writing, so I might have missed something.)

Also, it says in the section on Access Permitted in the delegation draft that it should be moved to the core. I don't remember why it says so. Should it be in the core or the delegation draft? In principle it could stand on its own in the core, but the functionality is somewhat similar to delegation.

Best regards,
Erik