

Subject: Re: [xacml] Question on xacml 2.0 - multiple action-id Request/Action elements


Hi all,

I don't think it's disallowed explicitly, but writing policy to handle it
well would be difficult.

For example, say the policy has Permit for "read" but no policy allowing
"write" (but not Deny either).  The request, IMO, is asking "can I read AND
write this resource?".  Should the request be permitted?  The policy would
return Permit, even though it really should return NotApplicable.

The provisions to handle multiple Resources as separate requests are for
this type of scenario.

Thoughts?

Regards,
Craig

---
craig forster | staff software engineer
ibm australia development labs



                                                                                                                                  
From:    Erik Rissanen <erik@axiomatics.com>
To:      "Rich.Levinson" <rich.levinson@oracle.com>
Cc:      xacml <xacml@lists.oasis-open.org>
Date:    18/09/2008 03:19
Subject: Re: [xacml] Question on xacml 2.0 - multiple action-id Request/Action elements





I don't recall anything in the standard which disallows it. Anyone else?

And I don't see any reason for disallowing it either.

/Erik

Rich.Levinson wrote:
> I have been asked whether a Request/Action element can
> contain more than one <Attribute AttributeId="...action:action-id">
> element:
>
> For example, what would be wrong with Example 4.1.2 having
> the following:
>
> <Action>
>  <Attribute
> AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
>      DataType="http://www.w3.org/2001/XMLSchema#string">
>    <AttributeValue>read</AttributeValue>
>    <AttributeValue>write</AttributeValue>
>  </Attribute>
> </Action>
>
> Apparently, some have the opinion this is not
> allowed. I think that opinion is mistaken, because I have not found
> any reason that this is disallowed. Is there anything that forces
> us to only have one value for action-id?
>
>     Thanks,
>     Rich
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
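
The case discussed in this thread, as an added example that is not part of the original messages: it takes the `<Action>` element from the question (namespaces omitted) and a constructed policy with a single Permit rule for "read". The evaluator is a simplified stand-in for a PDP's target matching, where a match succeeds if any value in the attribute bag matches; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# The <Action> element from the question above (namespaces omitted for brevity).
REQUEST_ACTION = """
<Action>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
             DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>read</AttributeValue>
    <AttributeValue>write</AttributeValue>
  </Attribute>
</Action>
"""

# Constructed policy: one Permit rule whose target matches action-id "read".
# There is no rule for "write" at all, neither Permit nor Deny.
RULES = [("Permit", "read")]


def action_bag(action_xml):
    """Return the bag (list) of action-id values carried by the request."""
    root = ET.fromstring(action_xml)
    return [v.text.strip()
            for a in root.iter("Attribute") if a.get("AttributeId") == ACTION_ID
            for v in a.iter("AttributeValue")]


def evaluate(bag):
    """Simplified target match: a rule applies if ANY value in the bag equals
    the value in its target. First applicable rule wins."""
    for effect, wanted in RULES:
        if any(value == wanted for value in bag):
            return effect
    return "NotApplicable"


def evaluate_each(bag):
    """One decision per action value, as if each were sent as its own request."""
    return {value: evaluate([value]) for value in bag}


def permit_all(bag):
    """Caller-side combination: allow only if every single action is permitted."""
    decisions = evaluate_each(bag)
    return bool(decisions) and all(d == "Permit" for d in decisions.values())


if __name__ == "__main__":
    bag = action_bag(REQUEST_ACTION)
    print(bag, evaluate(bag), evaluate_each(bag), permit_all(bag))
```

The combined request yields Permit because "read" is in the bag, while the per-action evaluation shows "write" is NotApplicable, so a caller that needs both actions must not treat the single decision as covering both.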

