OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] Updated policy template wiki

Thanks Steven for pointing out the issues on terminology. I tied it up, to express that: 
  Policy-Template-Reduction( Policy Template,  Policy Template Data) = Policy Template Instance


I leave to Danny and Steven to arrive at a conclusion of the parameterization of  <Match> expressions.


-----Original Message-----
From: Steven Legg [mailto:steven.legg@viewds.com] 
Sent: Friday, September 21, 2012 02:22
To: Danny Thorpe
Cc: Jean-Paul Buu-Sao; xacml@lists.oasis-open.org
Subject: Re: [xacml] Updated policy template wiki

Hi Danny,

On 21/09/2012 4:25 AM, Danny Thorpe wrote:
> I've updated the policy template wiki 
> (https://wiki.oasis-open.org/xacml/Policy%20Template%20Profile) with 
> text about required Match expression rewriting in parameter 
> substitution and optional use of AttributeDesignators and AttributeSelectors in Parameter data in dynamic policy template reduction implementations.

With regard to the Match expression rewriting, the Match element is already, of necessity, a child of an AllOf element that is a child of an AnyOf element.
In the general case there may be other Match element children of the AllOf element and other AllOf children of the AnyOf element. It seems to me that the rewriting rule should be to create a duplicate of the AllOf element (with all of its Match children) for each parameter value, substituting the parameter in the particular Match element being expanded with the corresponding parameter value. The resulting AllOf elements would replace the original AllOf element that contains the Match element with the parameter being expanded. Apart from having its list of AllOf children expanded, the AnyOf element would be unchanged.

If an AllOf element contained multiple child Match elements with parameters, then the effect would be to take the cross-product of the sets of parameter values.

This assumes that the desired effect is a disjunction of the parameter values.
If a conjunction is desired, then the Match element would be duplicated within the single AllOf element that contains it, with each duplicate taking a different parameter value. The AllOf element and its parent AnyOf element would otherwise be unchanged.

Incidentally, I find the terminology section confusing. Policy template instance and policy template data seem to be the same thing and are used interchangeably.


> -Danny
> *Danny Thorpe *
> Product Architect | | *Quest Software*- /Now including the people and 
> products of BiTKOO/ | www.quest.com <http://www.quest.com>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]