[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: CD-1 issue #25: meaning of "EntireHierarchy"
The issue number refers to the XLS-sheet found in this email: http://lists.oasis-open.org/archives/xacml/200909/msg00013.html The line numbers in the comment seem to be off, but I think he is referring to section 3.1. The commenter has misunderstood the meaning of the "EntireHierarchy" functionality. He thinks that the initial XPath expression is used to select a number nodes, and the each of these nodes is checked. However, the profile intends (unless I am mistaken) that the initial XPath expression selects a single node, and then access is checked for each descendant node to this node. I can see that the text is ambigious since it simply says (section 3.1.3) "For each node in the requested hierarchy", with no definition of what "requested hierarchy" is. I think we must improve the text to make it clear. I propose that we instead write "For the initial node selected by the resource-id and all descendant nodes" Best regards, Erik