Subject: Issues 63, 71 and 77
All,

Issues 63 and 77 concern updating the multiple resources profile to work with 3.0. For issue 63 there is a proposed solution on the Wiki. I propose that we adopt it. It also solves issue 77. We simply drop the resource-id xml attribute from the response and use the includeInResult xml attribute and return full XACML attributes, which can be any datatype.

During the discussion of this solution Hal raised issue 71, "Treating different subject categories as different entities". Do we want this in 3.0? I am not keen on it. It would require quite a few changes in the schema and the specification text, and the use cases are not clear to me. For instance, new functions which can match multiple categories need to be defined, the behavior of the current Designators needs to be clarified in the context of multiple categories, and some other way to do multiple resources needs to be devised.

Hal, do you have a proposal to do it? There is the MultipleCondition (which was part of delegation for a while) and the function which Anne presented at the F2F which you could start from.

Here is a copy of the proposed solution for issue 63 for your convenience:

---8<---

Simplified, the multiple resources profile allows multiple Resource elements in a request. These are then interpreted as if there were multiple requests, which are evaluated individually. The Response will contain multiple Results.

With generalization of attribute categories, the resource category is not special anymore, so the multiple resources profile is broken. We could solve that by making the resource category special, or by generalizing the profile. I suggest that we generalize. Here is how we could do so.

The first issue is the resource-id which is part of a Response. This is used to know which response goes with which resource. If the resource-id attribute is no longer special, how do we know which attributes to include in the response, so the PEP knows which response is which?

I suggest that we specify a new XML attribute on XACML Attribute elements, which is used to mark that it must be included in the response:

    <Request>
      <Attributes Category="MyNiftyCategory">
        <Attribute AttributeId="myIdAttr" includeInResult="true">
          <AttributeValue>12345</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="AnotherCategory">
        <Attribute AttributeId="color">
          <AttributeValue>red</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>

We would then get something like this:

    <Response>
      <Result>
        <Decision>Permit</Decision>
        <Attributes Category="MyNiftyCategory">
          <Attribute AttributeId="myIdAttr" includeInResult="true">
            <AttributeValue>12345</AttributeValue>
          </Attribute>
        </Attributes>
      </Result>
    </Response>

The second issue is to know which category is the "Resource". I suggest that one category can be repeated in the Attributes elements. The meaning of this is that the PDP should run multiple requests, where each repeated Attributes category is present only once and the rest of them are the same for all requests.

Like this:

    <Request>
      <Attributes Category="MyNiftyCategory">
        <Attribute AttributeId="myIdAttr" includeInResult="true">
          <AttributeValue>12345</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="MyNiftyCategory">
        <Attribute AttributeId="myIdAttr" includeInResult="true">
          <AttributeValue>ABC</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="AnotherCategory">
        <Attribute AttributeId="color">
          <AttributeValue>red</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>

This would be the same as the two separate requests:

    <Request>
      <Attributes Category="MyNiftyCategory">
        <Attribute AttributeId="myIdAttr" includeInResult="true">
          <AttributeValue>ABC</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="AnotherCategory">
        <Attribute AttributeId="color">
          <AttributeValue>red</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>

    <Request>
      <Attributes Category="MyNiftyCategory">
        <Attribute AttributeId="myIdAttr" includeInResult="true">
          <AttributeValue>12345</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="AnotherCategory">
        <Attribute AttributeId="color">
          <AttributeValue>red</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>

If there are two or more categories which are repeated, then it is an error.
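
Added example, not part of the original message or of any XACML implementation: a Python sketch of the expansion rule proposed above, which splits a request with one repeated category into individual requests, rejects a request with two or more repeated categories, and collects the attributes marked includeInResult. The function names are hypothetical, and the un-namespaced element names follow the message's own samples rather than a final schema.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample request, modelled on the one in the message above.
SAMPLE_REQUEST = """
<Request>
  <Attributes Category="MyNiftyCategory">
    <Attribute AttributeId="myIdAttr" includeInResult="true"><AttributeValue>12345</AttributeValue></Attribute>
  </Attributes>
  <Attributes Category="MyNiftyCategory">
    <Attribute AttributeId="myIdAttr" includeInResult="true"><AttributeValue>ABC</AttributeValue></Attribute>
  </Attributes>
  <Attributes Category="AnotherCategory">
    <Attribute AttributeId="color"><AttributeValue>red</AttributeValue></Attribute>
  </Attributes>
</Request>
"""

def split_request(xml_text):
    """Expand one request into the individual requests the proposal describes."""
    root = ET.fromstring(xml_text)
    by_category = {}
    for attrs in root.findall("Attributes"):
        by_category.setdefault(attrs.get("Category"), []).append(attrs)
    repeated = [c for c, group in by_category.items() if len(group) > 1]
    if len(repeated) > 1:
        raise ValueError("more than one repeated category: %s" % sorted(repeated))
    if not repeated:
        return [root]  # nothing repeated: the request stands as a single request
    requests = []
    for chosen in by_category[repeated[0]]:
        req = ET.Element("Request")
        for attrs in root.findall("Attributes"):
            # Keep every non-repeated category, plus exactly one repeated instance.
            if attrs.get("Category") != repeated[0] or attrs is chosen:
                req.append(copy.deepcopy(attrs))
        requests.append(req)
    return requests

def result_attributes(request):
    """Attributes marked includeInResult="true", as (category, id, value) tuples."""
    return [(attrs.get("Category"), a.get("AttributeId"), a.findtext("AttributeValue"))
            for attrs in request.findall("Attributes")
            for a in attrs.findall("Attribute")
            if a.get("includeInResult") == "true"]
```

The tuples returned by result_attributes are what a PEP would use to tell the Results apart once resource-id is dropped from the response.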