Changelog for public review

[Erik Rissanen <erik@axiomatics.com>]

All,

Here are all the changes we have made in the specs since the previous 
public review.


Cross references across the specs have been updated in all specs as well 
the copyright date.


xacml-3.0-core-spec and the core schema:

• Clarified glossary definition of “obligation” it also mentions that 
obligations can occur in rules.

• Clarified glossary definitions of “policy”, “rule” and “policy set” so 
they mention that they can contain advice (and obligations for rules).

• Updated reference to XML spec to fifth edition.

• Clarified introductory section (2.3) to combining algorithms.

• Improved consistency in text regarding obligation/advice vs 
obligation/advice expressions.

• Improved consistency in text about that advice/obligations can occur 
in rules.

• Correct errors in the example policies and requests.

• Misc improvements in wording and correction of typos in various places 
(no substantive changes).

• Corrected definition of elements <Rule>, <Policy> and <PolicySet> so 
they correctly reference obligation and advice expressions.

• Made a reference to PEP bias from definition of <PolicySet>, instead 
of incorrectly mandating a “Deny” in the PEP in case of obligation failure.

• Allow <AttributeAssignmentExpression> to evaluate to a bag.

• Removed redundant occurrence indicators from the RequestType schema 
definition.

• Removed note about XPath 2.0 expert review.

• Clarified error behavior of advice/obligations.

• Added AdviceId as part of the extensibility list in section 8.1.

• Renamed functions uri-starts-with to anyURI-starts-with, uri-ends-with 
to anyURI-ends-with, uri-contains to anyURI-contains and uri-substring 
to anyURI-substring

• Fixed typos which referenced non-existing data types 
urn:…:xacml:…*duration.

• Reversed the arguments of the string-starts-with, string-ends-with, 
string-contains, anyURI-starts-with, anyURI-ends-with and 
anyURI-contains functions.

• Clarified error behavior of the string-substring and anyURI-substring 
functions.

• Generalized the xpath-node-match function so it can select any XML 
node type.

• Removed the obsolete attribute id 
urn:oasis:names:tc:xacml:1.0:resource:xpath

• Make it clear that an attribute selector may select an element node.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Added an optional “offset” to <AttributeSelector> in the form of the 
ContextSelectorId XML attribute.

• Improved and moved text about the <AttributeSelector>.

• Simplified the schema of <PolicyIdentifierList>

• Removed text which says that the XACML conformance tests are hosted on 
the Sun website.

• Added references to sections 5, 6, 7, A, B and C in conformance section.

• Made the evaluation context of xpaths better specified.

• Make text about multiple arguments in the multiply functions more 
consistent.

• Generalized the any-of, all-of, any-of-any and map functions to 
functions with more arguments.

• Removed an unnecessary reference to SAML in section B.4. 
(Authentication credentials can come from other sources as well in 
general, so the reference to SAML was too restrictive.)

• Updated Acknowledgements.

• Restrict <Content> to a single child element.

• Replace the EntireHierarchy multiple decision combining mechanism with 
a more restricted scheme controlled by the CombinedDecision XML 
attribute in the <Request> element.

• Fixed errors in the reference section.

• Updated cross references to the profiles.

• Removed reference to “leaf” nodes in section 7.3.2 since this was 
unnecessary restriction.

• Removed statement in section B.4 which said that the subject-id is a 
string by default.



xacml-3.0-administration-v1-spec:

• Updated Acknowledgements.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Fix typos.

• Fix errors in examples.


xacml-3.0-dsig-v1-spec:

• Updated Acknowledgements.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Fixed a broken bookmark in a reference.


xacml-3.0-hierarchical-v1-spec:

• Updated Acknowledgements.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Fixed typos.

• Fix 2.0 -> 3.0 typos in some identifiers.

• Improved formatting conventions.

• Updated reference to RFC 3986 (was RFC 2396).

• Clarified meaning of the profile identifiers (they are only metadata 
about the functionality).

• Improved the URI scheme with XML node pointers.

• Use content-selector instead of resource-id for the XML/XPath scheme.

• Don’t specify the “ancestor attributes” in the XML/XPath scheme.



xacml-3.0-multiple-v1-spec:

• Updated Acknowledgements.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Changed name to “Multiple Decision Profile”

• Improved abstract.

• Updated all text to talk about “multiple decisions” instead of 
“multiple resources”

• The XML/XPath scheme uses now the content-selector and 
multiple:content-selector attributes instead of resource-id. This also 
generalizes the XML scheme to other categories than the resource.

• Clarified meaning of the profile identifiers (they are only metadata 
about the functionality).

• Separate the “ancestor scheme” and the XML scheme from each other, 
that is, don’t use the ancestor attributes for the XML scheme.

• Reworded some text to make it clearer.

• Drop the “EntireHierarchy” scope in favor of the new CombinedDecision 
XML attribute of the <Request> element.

• Added a new section which specifies the overall order of processing of 
the various schemes.

• Drop the XPathExpression scope in favor of the new 
multiple:content-selector attribute.

• Rename some of the schemes and the associated metadata identifiers.



xacml-3.0-privacy-v1-spec:

• Updated Acknowledgements.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Fixed formatting issues.

• Fixed errors in the XML fragment.



xacml-3.0-rbac-v1-spec:

• Updated Acknowledgements.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Clarified that a permission policy set may contain policy sets.

• Fixed formatting issues.

• Fixed errors in examples.


xacml-profile-saml2.0-v2-spec:

• Updated Acknowledgements.

• Fixed formatting of OASIS spec references so they correspond to the 
OASIS template.

• Added an extension point to the AuthZ query schema.

• Fix formatting issues.

• Removed a reference to a non-existing section.



In addition to the above, in all schema files:

• Fixed schema import cross reference URLs

• Fixed OASIS copyright


Best regards,
Erik