Subject: Policy Template Profile Examples
Jean-Paul,

What purpose does the target in the policy in section 1 of the Policy Template Profile Examples serve?

    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:curtiss:ba:taa:taa-1.1</AttributeValue>
            <AttributeDesignator MustBePresent="true"
                Category="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>

It is testing whether the policy-id XACML attribute is equal to the PolicyId XML attribute of the containing policy. In order for this policy to be considered in the evaluation of an authorization request, the authorization request would have to include "urn:curtiss:ba:taa:taa-1.1" as a value of this policy-id XACML attribute. Or in other words, the PEP has to predict which policies are going to be evaluated to satisfy its authorization request before it makes its request (it pretty much has to work out the answer before it asks the question!).

That's daft, so I've disregarded the targets as a mistake. However, their continued presence may be contributing to the confusion around the Policy Template Profile. I believe this target, and every other target in the examples, should be wiped clean and the PolicyIdOnResource parameter removed.

Do you agree?

Regards,
Steven
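Added example, not part of the original message and not code from the profile: a small Python evaluator for the quoted target, run against three constructed requests to show when the policy would be considered. It assumes a request modelled as a dict keyed by (category, attribute id), the XACML 3.0 target combining rules, and that an absent attribute with MustBePresent="true" yields Indeterminate; the resource-id value and the second policy id are made up.

```python
import xml.etree.ElementTree as ET

# Target as quoted in the message above (posted without an XML namespace).
TARGET_XML = """<Target><AnyOf><AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:curtiss:ba:taa:taa-1.1</AttributeValue>
<AttributeDesignator MustBePresent="true"
  Category="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
  DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Match></AllOf></AnyOf></Target>"""

POLICY_ID = "urn:oasis:names:tc:xacml:1.0:resource:policy-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

def eval_match(match, request):
    """Evaluate one <Match> against request: {(category, attribute_id): [values]}."""
    if match.get("MatchId") != STRING_EQUAL:
        return "Indeterminate"  # only the function used in the message is modelled
    literal = match.find("AttributeValue").text.strip()
    des = match.find("AttributeDesignator")
    bag = request.get((des.get("Category"), des.get("AttributeId")), [])
    if not bag and des.get("MustBePresent") == "true":
        return "Indeterminate"  # required attribute absent from the request
    return "Match" if literal in bag else "NoMatch"

def combine(results, dominant, fallback):
    """The dominant result wins, then Indeterminate, otherwise the fallback."""
    if dominant in results:
        return dominant
    return "Indeterminate" if "Indeterminate" in results else fallback

def eval_target(xml_text, request):
    """Target = AND of AnyOf; AnyOf = OR of AllOf; AllOf = AND of Match."""
    any_ofs = []
    for any_of in ET.fromstring(xml_text).findall("AnyOf"):
        all_ofs = [combine([eval_match(m, request) for m in a.findall("Match")],
                           "NoMatch", "Match") for a in any_of.findall("AllOf")]
        any_ofs.append(combine(all_ofs, "Match", "NoMatch"))
    return combine(any_ofs, "NoMatch", "Match")

# Constructed requests. The first carries only a resource-id and no policy-id.
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
PEP_REQUEST = {(RES, "urn:oasis:names:tc:xacml:1.0:resource:resource-id"): ["doc-42"]}
WITH_POLICY_ID = {**PEP_REQUEST, (POLICY_ID, POLICY_ID): ["urn:curtiss:ba:taa:taa-1.1"]}
OTHER_POLICY_ID = {**PEP_REQUEST, (POLICY_ID, POLICY_ID): ["urn:example:other-policy"]}

if __name__ == "__main__":
    for name in ("PEP_REQUEST", "WITH_POLICY_ID", "OTHER_POLICY_ID"):
        print(name, eval_target(TARGET_XML, globals()[name]))
```

An empty target (`<Target/>`) evaluates to Match for every request in this model, which is the behaviour the examples would have with the targets wiped clean.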