xacml message
Subject: Attribute Assertions in XACML request


Regarding Gregory Neven's proposal for attribute conditions in the
request context:

Greg's approach to put the full <Condition> element syntax in a SAML
assertion would work.  But a simple change to the <Attribute> element
structure in the request would also work.

<Request>
...
  <Attribute AttributeId="example:bday" DataType="date-time">
    <AttributeAssertion FunctionId="...date-less-than">1990-10-01</AttributeAssertion>
  </Attribute>
...
</Request>

We allow <AttributeAssertion> in place of <AttributeValue>, and move
DataType to the parent element.  We re-use the function identifiers
already defined in XACML.

<AttributeValue> is actually a degenerate case of attribute assertion,
which only allows equality, or name-value pairs.  <AttributeAssertion>
generalizes this to allow other predicates besides equality.
<AttributeAssertion FunctionId="...equals"> would be the semantic
equivalent of <AttributeValue> for each datatype.

In keeping with the bag-of-attribute-values paradigm for the request
context, we would probably have to assume a bag-of-attribute-assertions
as well.  While it is OK to put the "one-and-only" restriction on
birth-date, it might be quite reasonable to have several assertions
about birth-date.

(Actually this example is a bit more complicated.  You probably don't
really want to write rules about birth-date.  The laws or business rules
are about age, so your rule condition would say "age >= 18".  But the
request context might only have values or assertions about birth-dates.
In that case the PDP needs additional information to reach a decision.
That's another interesting topic.)

No change to the policy language is required; however, section 7 of the
spec would have to specify the required behavior, which might be tricky.
A PDP implementation could, for example, use a Prolog library to test a
rule condition, "bday < 1992-10-22" against the assertion "bday <
1990-10-01" to return "true".  But this sort of inference depends on
axioms and rules of deduction outside of XACML.

I don't have Greg's email.  If anyone has his email, please forward to
him.

Regards,
--Paul
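Worked example, added to this archive page and not part of Paul's message, the XACML spec, or any PDP implementation: a small evaluator that treats each <AttributeAssertion> (and a plain <AttributeValue>, as the degenerate equality case) as a predicate over an attribute, intersects the bag of assertions about one attribute, and decides whether a rule condition is entailed ("true"), ruled out ("false"), or neither ("indeterminate"). The FunctionId values are the standard XACML URNs for date comparisons, reduced to their last component; the sample request, the "date" DataType, the helper names and the age-to-birth-date translation using the PDP's own clock are assumptions of the example, not anything the message specifies.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assertion:
    """One predicate about an attribute: attribute <function> value."""
    attribute_id: str
    function_id: str      # last component of the XACML function URN, e.g. "date-less-than"
    value: date


# A predicate is represented as the interval of values satisfying it.
# Lower-bound key: (x, 1 if exclusive else 0) -> a larger key is stricter.
# Upper-bound key: (x, 0 if exclusive else 1) -> a smaller key is stricter.
LOW_NONE = (date.min, 0)
HIGH_NONE = (date.max, 1)


def to_interval(a):
    v, f = a.value, a.function_id
    if f == "date-equal":
        return (v, 0), (v, 1)
    if f == "date-less-than":
        return LOW_NONE, (v, 0)
    if f == "date-less-than-or-equal":
        return LOW_NONE, (v, 1)
    if f == "date-greater-than":
        return (v, 1), HIGH_NONE
    if f == "date-greater-than-or-equal":
        return (v, 0), HIGH_NONE
    raise ValueError(f"unsupported FunctionId {f}")


def is_empty(lo, hi):
    return lo[0] > hi[0] or (lo[0] == hi[0] and (lo[1] == 1 or hi[1] == 0))


def intersect(intervals):
    return max(i[0] for i in intervals), min(i[1] for i in intervals)


def parse_request(xml_text):
    """Collect the bag of assertions from a request using the proposed syntax."""
    assertions = []
    for attr in ET.fromstring(xml_text).iter("Attribute"):
        aid, dtype = attr.get("AttributeId"), attr.get("DataType")
        for child in attr:
            if child.tag == "AttributeValue":
                fn = f"{dtype}-equal"          # name-value pair == equality assertion
            else:
                fn = child.get("FunctionId").rsplit(":", 1)[-1]
            assertions.append(Assertion(aid, fn, date.fromisoformat(child.text.strip())))
    return assertions


def evaluate(assertions, condition):
    """'true' if the assertions entail the condition, 'false' if they rule it out,
    otherwise 'indeterminate'.  Missing or contradictory assertions never yield 'true'."""
    relevant = [to_interval(a) for a in assertions if a.attribute_id == condition.attribute_id]
    if not relevant:
        return "indeterminate"
    known = intersect(relevant)
    if is_empty(*known):
        return "indeterminate"                 # contradictory bag: conclude nothing
    want = to_interval(condition)
    if known[0] >= want[0] and known[1] <= want[1]:
        return "true"                          # every consistent value satisfies the condition
    if is_empty(*intersect([known, want])):
        return "false"                         # no consistent value satisfies it
    return "indeterminate"


def min_age_condition(attribute_id, min_age, today):
    """Translate 'age >= min_age' into a birth-date predicate using the PDP's clock,
    the extra information the message notes a PDP needs (assumed approach)."""
    try:
        cutoff = today.replace(year=today.year - min_age)
    except ValueError:                         # 29 February in a non-leap year
        cutoff = today.replace(year=today.year - min_age, day=28)
    return Assertion(attribute_id, "date-less-than-or-equal", cutoff)


# Constructed sample request: two assertions narrowing the same attribute.
SAMPLE_REQUEST = """<Request>
  <Attribute AttributeId="example:bday" DataType="date">
    <AttributeAssertion FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than">1990-10-01</AttributeAssertion>
    <AttributeAssertion FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">1985-01-01</AttributeAssertion>
  </Attribute>
</Request>"""

if __name__ == "__main__":
    bag = parse_request(SAMPLE_REQUEST)
    print(evaluate(bag, Assertion("example:bday", "date-less-than", date(1992, 10, 22))))
    print(evaluate(bag, min_age_condition("example:bday", 18, date(2010, 10, 1))))
```

The example reproduces the inference in the message (an assertion "bday < 1990-10-01" satisfies the rule condition "bday < 1992-10-22") without a Prolog engine, because for order predicates on a single attribute the deduction reduces to interval containment. The part worth keeping whatever engine a PDP uses is the three-valued result: an assertion bag that neither entails nor refutes the condition, an absent attribute, or a self-contradictory bag all come back "indeterminate", so the decision can fall to the combining algorithm rather than silently becoming a permit.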
