OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Is the choice element in Policy correct

Hi Rich,

I don't think there is anything which needs to be changed here. It's true that the schema is a bit weird in this respect. It's a carry over from 2.0, and does not represent any practical concern.

Empty policies are fine I think, though it does not really make sense to have an empty policy with variables since there would be no rule to use them.

But there is not really any issue in how to interpret any combination which the schema allows and there is no reason for a product to produce meaningless policies.

I would say that we keep it as it is.

Best regards,
Erik


On 2012-01-24 07:23, rich levinson wrote:
To TC:

We have been looking at the xsd for Policy and there is a central
"choice" element that does not appear correct, although for
mainstream Policies it probably does not show up.

The choice element is the following:
2028
<xs:choice maxOccurs="unbounded">
    <xs:element ref="xacml:CombinerParameters" minOccurs="0"/>
    <xs:element ref="xacml:RuleCombinerParameters" minOccurs="0"/>
    <xs:element ref="xacml:VariableDefinition"/>
    <xs:element ref="xacml:Rule"/>
</xs:choice>
This is the construct that allows multiple Rules in a Policy, which, looking at
the Rule element alone, seems ok, as default is minOccurs="1", and it
inherits maxOccurs="unbounded" from the choice element itself.

However, very little else about this element appears to make sense:
  1. Since this is a choice element, w minOccurs="1", one could choose any
    of the other 3 elements and nothing else, and the result would be a
    Policy with zero Rules. Does this make sense?
  2. With zero Rules, even if you used the Policy to define VariableDefinitions,
    they cannot be referenced outside the Policy, and since there are no
    Rules in the Policy, there is nothing that would ever use the
    VariableDefinitions.
  3. Does it make sense to have multiple instances of either CombinerParameters
    or RuleCombinerParameters? i.e. can't all the parameters be put in one
    element in both cases? If not then why are these elements in the choice
    block that allows unbounded instances?
Please advise as to whether the above interpretation is accurate. If so, we would
like to consider raising this as an issue for action.

    Thanks,
    Rich


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]