Subject: Attribute Assertions in XACML request
Regarding Gregory Neven's proposal for attribute conditions in the request context: Greg's approach to put the full <Condition> element syntax in a SAML assertion would work. But a simple change to the <Attribute> element structure in the request would also work.

    <Request>
      ...
      <Attribute AttributeId="example:bday" DataType="date-time">
        <AttributeAssertion FunctionId="...date-less-than">1990-10-01</AttributeAssertion>
      </Attribute>
      ...
    </Request>

We allow <AttributeAssertion> in place of <AttributeValue>, and move DataType to the parent element. We re-use the function identifiers already defined in XACML.

<AttributeValue> is actually a degenerate case of attribute assertion, which only allows equality, or name-value pairs. <AttributeAssertion> generalizes this to allow other predicates besides equality. <AttributeAssertion FunctionId="...equals"> would be the semantic equivalent of <AttributeValue> for each datatype.

In keeping with the bag-of-attribute-values paradigm for the request context, we would probably have to assume a bag-of-attribute-assertions as well. While it is OK to put the "one-and-only" restriction on birth-date, it might be quite reasonable to have several assertions about birth-date.

(Actually this example is a bit more complicated. You probably don't really want to write rules about birth-date. The laws or business rules are about age, so your rule condition would say "age >= 18". But the request context might only have values or assertions about birth-dates. In that case the PDP needs additional information to reach a decision. That's another interesting topic.)

No change to the policy language is required; however, section 7 of the spec would have to specify the required behavior, which might be tricky. A PDP implementation could, for example, use a Prolog library to test a rule condition, "bday < 1992-10-22" against the assertion "bday < 1990-10-01" to return "true". But this sort of inference depends on axioms and rules of deduction outside of XACML.

I don't have Greg's email. If anyone has his email, please forward to him.

Regards,
--Paul
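As an added illustration (not part of Paul's message, and not code from any XACML specification or implementation), the following Python sketch shows the kind of inference a PDP would need for the proposed <AttributeAssertion> syntax: it intersects a bag of date assertions about one attribute into a single range and then decides whether a rule condition is entailed, contradicted, or undecidable from the assertions alone. The "urn:oasis:names:tc:xacml:1.0:function:" prefix is the real XACML function-id prefix; the request document and the "example:bday" attribute id are constructed samples.

```python
from datetime import date, timedelta
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"  # real XACML function-id prefix
ONE_DAY = timedelta(days=1)

# Constructed sample request in the proposed syntax: a bag of two assertions about one attribute.
SAMPLE_REQUEST = f"""<Request>
  <Attribute AttributeId="example:bday" DataType="http://www.w3.org/2001/XMLSchema#date">
    <AttributeAssertion FunctionId="{FN}date-less-than">1990-10-01</AttributeAssertion>
    <AttributeAssertion FunctionId="{FN}date-greater-than">1950-01-01</AttributeAssertion>
  </Attribute>
</Request>"""

def interval(function_id, value):
    """Closed [lo, hi] range of dates satisfying function_id(attr, value); dates are day-granular."""
    v = date.fromisoformat(value)
    if function_id == FN + "date-less-than":
        return date.min, v - ONE_DAY
    if function_id == FN + "date-greater-than":
        return v + ONE_DAY, date.max
    if function_id == FN + "date-equal":
        return v, v
    raise ValueError("unsupported predicate: " + function_id)

def attribute_range(request_xml, attribute_id):
    """Intersect every <AttributeAssertion> made about attribute_id into one [lo, hi] range."""
    lo, hi = date.min, date.max
    for attr in ET.fromstring(request_xml).iter("Attribute"):
        if attr.get("AttributeId") != attribute_id:
            continue
        for a in attr.findall("AttributeAssertion"):
            alo, ahi = interval(a.get("FunctionId"), a.text.strip())
            lo, hi = max(lo, alo), min(hi, ahi)
    return lo, hi

def evaluate(request_xml, attribute_id, function_id, value):
    """Decide the rule condition function_id(attribute, value) from the assertions alone.
    Returns True (entailed), False (contradicted) or None (the PDP needs more information)."""
    lo, hi = attribute_range(request_xml, attribute_id)
    if lo > hi:
        return None  # the assertions contradict each other; nothing can be concluded
    clo, chi = interval(function_id, value)
    if clo <= lo and hi <= chi:
        return True   # every possible value satisfies the condition
    if hi < clo or lo > chi:
        return False  # no possible value satisfies the condition
    return None       # some do, some don't: undecidable from the request context
```

Run against the sample, the condition "bday < 1992-10-22" is entailed by the assertion "bday < 1990-10-01", which is the case in the message; a condition such as "bday < 1980-01-01" comes back undecided.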