OASIS Mailing List Archives

xacml message


Subject: Issue 76, multiple conditions


All,

Issue 76 proposes that there should be a way to write a condition on 
multiple elements in an XACML request. Reading the issue more carefully 
reveals that there are two different functional requirements.

1) To be able to specify multiple conditions on individual <Attributes> 
groups of which there are multiple instances in an XACML 3.0 XACML Request.

For instance, the following request (in pseudo XACML):

<Request>
  <Attributes category="intermediate-subject">
    <Attribute>role=foo</Attribute>
    ...
  </Attributes>
  <Attributes category="intermediate-subject">
    <Attribute>role=bar</Attribute>
    ...
  </Attributes>
</Request>

In this case it would be desirable to write a condition requiring that 
both of them would have the role "foo".

In case of this proposed functionality, the premises are incorrect. Such 
a request is not a valid XACML request. Neither 2.0 nor 3.0 has the 
concept of multiple <Attributes> elements in the same category, except 
in the case of the multiple resource profile, in which case it means 
that the PDP should do multiple individual requests.

2) To be able to specify multiple conditions on individual subtrees 
within an XML document.

For instance (taken from the issues list on the wiki) "it may be useful 
to require that ALL <JobHistory> elements MUST contain both a <Salary> 
element with value greater than or equal to 30000 AND a <YearsHeld> 
element with value greater than or equal to 2."

I agree that this is desirable, but I think this can already be done 
with XPath. Here is a rough attempt, though I doubt I got it entirely 
right from the syntax point of view and it doesn't handle all possible 
corner cases (such as missing Salary/YearsHeld elements):

fn:empty(//JobHistory[Salary < 30000 or YearsHeld < 2])

I propose that issue 76 is closed with no action because it either 
proposes functionality which does not fit the core schema or the same 
thing can be achieved with the existing XPath functions.

Best regards,
Erik
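
Added example, not part of the original message: a Python emulation of how the XPath condition above evaluates, showing the corner case the message mentions, where a <JobHistory> with no <Salary> satisfies the condition. The sample documents, the function names and the stricter expression quoted in the docstring of strict_form are assumptions made for illustration, and non-numeric element text is treated as not matching.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents (not from the original message).
COMPLIANT = """<Employee>
  <JobHistory><Salary>42000</Salary><YearsHeld>3</YearsHeld></JobHistory>
  <JobHistory><Salary>30000</Salary><YearsHeld>2</YearsHeld></JobHistory>
</Employee>"""
LOW_SALARY = """<Employee>
  <JobHistory><Salary>42000</Salary><YearsHeld>3</YearsHeld></JobHistory>
  <JobHistory><Salary>25000</Salary><YearsHeld>4</YearsHeld></JobHistory>
</Employee>"""
MISSING_SALARY = """<Employee>
  <JobHistory><YearsHeld>5</YearsHeld></JobHistory>
</Employee>"""


def _any(job, tag, pred):
    """XPath general comparison: true if ANY child <tag> satisfies pred,
    and therefore false when the node-set is empty."""
    for node in job.findall(tag):
        try:
            if pred(float(node.text)):
                return True
        except (TypeError, ValueError):
            pass  # empty or non-numeric text: treated as not matching
    return False


def message_form(xml_text):
    """Emulates fn:empty(//JobHistory[Salary < 30000 or YearsHeld < 2])."""
    root = ET.fromstring(xml_text)
    violating = [j for j in root.iter("JobHistory")
                 if _any(j, "Salary", lambda v: v < 30000)
                 or _any(j, "YearsHeld", lambda v: v < 2)]
    return not violating  # True means the condition is satisfied


def strict_form(xml_text):
    """Emulates fn:empty(//JobHistory[not(Salary >= 30000 and YearsHeld >= 2)]),
    which counts a missing element as a violation."""
    root = ET.fromstring(xml_text)
    violating = [j for j in root.iter("JobHistory")
                 if not (_any(j, "Salary", lambda v: v >= 30000)
                         and _any(j, "YearsHeld", lambda v: v >= 2))]
    return not violating


if __name__ == "__main__":
    for name, doc in [("compliant", COMPLIANT), ("low salary", LOW_SALARY),
                      ("missing salary", MISSING_SALARY)]:
        print(name, message_form(doc), strict_form(doc))
```

For an authorization condition the difference matters: the first form is satisfied by a document that omits the element being tested, while the second is not.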


