

Subject: Re: [xacml] Multiple Decision Request Proposal


Hi Hal,

I just realized that the CorrelationId will not work, and we need the 
IncludeInResult.

The existing 2.0 multiple resource profile defines a few more modes of 
multiple requests than multiple <Resource> elements. For instance, it is 
possible to specify multiple requests in the form of an XPath expression 
on the <ResourceContent>, where each node the xpath matches will 
generate an individual request. Like this for instance:

   <Request
         xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:md="http://www.medico.com/schemas/record"
         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
       <Subject>
           <Attribute
                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
               <AttributeValue>Julius Hibbert</AttributeValue>
           </Attribute>
       </Subject>
       <Resource>
           <ResourceContent>
               <md:record>
                   <md:patient_info>
                       <md:name>Bart Simpson</md:name>
                       <md:age>60</md:age>
                       <md:sex>male</md:sex>
                       <md:health_insurance>123456</md:health_insurance>
                   </md:patient_info>
                   <md:diagnosis_info>
                       <md:diagnosis>
                           <md:item type="primary">Gastric Cancer</md:item>
                           <md:item type="secondary">Hyper tension</md:item>
                       </md:diagnosis>
                       <md:pathological_diagnosis>
                           <md:diagnosis>
                               <md:item type="primary">Well differentiated adeno carcinoma</md:item>
                           </md:diagnosis>
                           <md:date>2000-10-05</md:date>
                           <md:malignancy type="yes"/>
                       </md:pathological_diagnosis>
                   </md:diagnosis_info>
               </md:record>
           </ResourceContent>
           <Attribute
                 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
               <AttributeValue>*[local-name()='Resource'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='ResourceContent'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='record'][namespace-uri()='http://www.medico.com/schemas/record']/*[local-name()='patient_info'][namespace-uri()='http://www.medico.com/schemas/record']/*[self::*[local-name()='name'][namespace-uri()='http://www.medico.com/schemas/record'] or self::*[local-name()='age'][namespace-uri()='http://www.medico.com/schemas/record']]/descendant-or-self::node()</AttributeValue>
           </Attribute>
           <Attribute
                 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
               <AttributeValue>XPath-expression</AttributeValue>
           </Attribute>
       </Resource>
       <Action>
           <Attribute
                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
               <AttributeValue>read</AttributeValue>
           </Attribute>
       </Action>
       <Environment/>
   </Request>

 From this request there will be multiple results, but there is only one 
<Resource> element. Each result will contain a specific ResourceId XML 
attribute for correlation purposes.

In the corresponding 3.0 multiple request, it will be necessary to use 
the IncludeInResult since there are not multiple Attribute elements, 
which could be used for correlation, even if they had a CorrelationId.

So I think we should drop the CorrelationId proposal, and if necessary, 
people will have to use a synthetic XACML attribute for correlation.

Best regards,
Erik
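
Added example (not part of Erik's message or of any XACML implementation): a PEP-side routine that correlates the multiple results of the single-<Resource> request above by the ResourceId XML attribute on each <Result>, and fails closed when a result is missing, duplicated or unrequested. The node-path format used for ResourceId, the helper names, the element-only stand-in for the XPath selection and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
MD = "http://www.medico.com/schemas/record"

# Constructed sample: the <ResourceContent> payload from the request, trimmed.
RECORD = f"""<md:record xmlns:md="{MD}"><md:patient_info>
<md:name>Bart Simpson</md:name><md:age>60</md:age><md:sex>male</md:sex>
</md:patient_info></md:record>"""

# Constructed sample response: results arrive out of order, one result names
# a node that was never requested (sex), and one requested node (age) is absent.
RESPONSE = f"""<Response xmlns="{CTX}">
<Result ResourceId="/md:record/md:patient_info/md:sex"><Decision>Permit</Decision></Result>
<Result ResourceId="/md:record/md:patient_info/md:name"><Decision>Permit</Decision></Result>
</Response>"""

def requested_nodes(record_xml, wanted=("name", "age")):
    """Stand-in for the request's XPath: select patient_info/name and /age.
    Each node gets a path string as its resource-id (assumed id format)."""
    root = ET.fromstring(record_xml)
    ids = []
    for child in root.find(f"{{{MD}}}patient_info"):
        local = child.tag.split("}")[1]
        if local in wanted:
            ids.append(f"/md:record/md:patient_info/md:{local}")
    return ids

def correlate(response_xml, expected_ids):
    """Key every decision on Result/@ResourceId, never on document order.
    Missing, duplicated or unrequested results never produce a Permit."""
    decisions = {rid: "Deny" for rid in expected_ids}  # fail closed by default
    seen, unexpected = set(), []
    for result in ET.fromstring(response_xml).findall(f"{{{CTX}}}Result"):
        rid = result.get("ResourceId")
        if rid not in decisions:
            unexpected.append(rid)      # not asked for: report, do not apply
        elif rid in seen:
            decisions[rid] = "Deny"     # ambiguous duplicate: refuse
        else:
            seen.add(rid)
            decision = result.findtext(f"{{{CTX}}}Decision", default="Deny")
            decisions[rid] = decision.strip()
    return decisions, unexpected

if __name__ == "__main__":
    print(correlate(RESPONSE, requested_nodes(RECORD)))
```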


Hal Lockhart wrote:
> As of today's meeting I believe we are down to deciding how to do correlation. The alternative previously proposed is to use the IncludeInResponse mechanism. This may involve submitting synthetic attributes, not referenced by policy, simply to correlate requests and decisions.
>
> The new idea (at least to me) is to move my previously proposed XML Attribute - CorrelationID - to the <Attributes> element instead of having it in the <DecisionList> element.
>
> This seems clearer to me, but others should express their opinions. The new scheme would look something like this:
>
> <Request>
>
>   <DecisionLists>
>
>     <DecisionList>
>
>         <ListReference URI="Sub1"/>
>
>         <ListReference URI="Env"/>
>
>         <ListReference URI="Res1"/>
>
>         <ListReference URI="Act1"/>
>
>
>     </DecisionList>
>
>
>     <DecisionList>
>
>         <ListReference URI="Sub1"/>
>
>         <ListReference URI="Sub2"/>
>
>         <ListReference URI="Env"/>
>
>         <ListReference URI="Res2"/>
>
>         <ListReference URI="Act2"/>
>
>     </DecisionList>
>
>
>     <DecisionList>
>
>         <ListReference URI="Sub3"/>
>
>         <ListReference URI="Env"/>
>
>         <ListReference URI="Res1"/>
>
>         <ListReference URI="Act2"/>
>
>     </DecisionList>
>
>
>     <DecisionList ... >
>     ...
>
>     </DecisionList>
>
>
>   </DecisionLists>
>
>
>     <Attributes Category="Access_Subject" XML:Id="Sub1" CorrelationId="FirstSubject">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>     <Attributes Category="Intemediary_Subject" XML:Id="Sub2" CorrelationId="SecondSubject">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>
>     <Attributes Category="Intemediary_Subject" XML:Id="Sub3" CorrelationId="ThirdSubject">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>    <Attributes Category="Environment" XML:Id="Env">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>     <Attributes Category="Resource" XML:Id="Res1" CorrelationId="FirstResource">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>
>     <Attributes Category="Resource" XML:Id="Res2" CorrelationId="Secondresource">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>     <Attributes Category="Action" XML:Id="Act1" CorrelationId="FirstAction">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>     <Attributes Category="Action" XML:Id="Act2" CorrelationId="SecondAction">
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>       <Attribute>
>       ...
>       </Attribute>
>
>     </Attributes>
>
>
> ...
>
>
> </Request>
>
>
> Hal
>
>


