xacml message


Subject: Policy Template Profile Examples



Jean-Paul,

What purpose does the target in the policy in section 1 of the Policy
Template Profile Examples serve?

  <Target>
    <AnyOf>
      <AllOf>
        <Match
         MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue
           DataType="http://www.w3.org/2001/XMLSchema#string">urn:curtiss:ba:taa:taa-1.1</AttributeValue>
          <AttributeDesignator
           MustBePresent="true"
           Category="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
           DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

It is testing whether the policy-id XACML attribute is equal to the PolicyId
XML attribute of the containing policy.

In order for this policy to be considered in the evaluation of an authorization
request, the authorization request would have to include "urn:curtiss:ba:taa:taa-1.1"
as a value of this policy-id XACML attribute. Or in other words, the PEP has to
predict which policies are going to be evaluated to satisfy its authorization
request before it makes its request (it pretty much has to work out the answer
before it asks the question!). That's daft, so I've disregarded the targets as
a mistake. However, their continued presence may be contributing to the confusion
around the Policy Template Profile. I believe this target, and every other
target in the examples, should be wiped clean and the PolicyIdOnResource
parameter removed. Do you agree?

Regards,
Steven
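
The target semantics Steven describes, worked through as an added Python example (not part of the original message or of the Policy Template Profile Examples). It parses the quoted <Target> and evaluates it against three constructed request attribute bags using the XACML 3.0 Match/AllOf/AnyOf combining rules, so you can see why a request that does not carry the policy's own PolicyId as the policy-id attribute never makes the policy applicable. Assumptions: the request is represented as a plain dict keyed by (Category, AttributeId, DataType); only the string-equal MatchId is implemented; the alternative identifier "urn:curtiss:ba:taa:taa-2.0" is invented for the mismatch case.

```python
import xml.etree.ElementTree as ET

# The <Target> quoted in the message (the archive's stray ';' in the
# DataType attribute removed so it parses).
TARGET_XML = """
<Target>
  <AnyOf>
    <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:curtiss:ba:taa:taa-1.1</AttributeValue>
        <AttributeDesignator
          MustBePresent="true"
          Category="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Match>
    </AllOf>
  </AnyOf>
</Target>
""".strip()

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
POLICY_ID_CATEGORY = "urn:oasis:names:tc:xacml:1.0:resource:policy-id"
POLICY_ID_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:resource:policy-id"

MATCH, NO_MATCH, INDETERMINATE = "Match", "No match", "Indeterminate"

# Only the MatchId this target uses is implemented (assumption: string-equal is
# plain Python string equality, which is what XACML specifies for xs:string).
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
}


def designator_bag(designator, request):
    """Bag of request values selected by an AttributeDesignator.

    `request` is a constructed representation: a dict mapping
    (Category, AttributeId, DataType) -> list of values."""
    key = (designator.get("Category"), designator.get("AttributeId"),
           designator.get("DataType"))
    return request.get(key, [])


def evaluate_match(match_el, request):
    """XACML 3.0 <Match>: apply MatchId to the literal and each bag value."""
    fn = FUNCTIONS[match_el.get("MatchId")]
    literal = match_el.find("AttributeValue").text
    designator = match_el.find("AttributeDesignator")
    bag = designator_bag(designator, request)
    if not bag:
        # An empty bag is Indeterminate when MustBePresent="true", otherwise
        # simply "No match".  This is why a PEP that omits the policy-id
        # attribute gets Indeterminate rather than NotApplicable here.
        return INDETERMINATE if designator.get("MustBePresent") == "true" else NO_MATCH
    return MATCH if any(fn(literal, v) for v in bag) else NO_MATCH


def combine_all(results):
    """<AllOf> and <Target>: all children Match -> Match; any No match -> No match;
    otherwise Indeterminate.  An empty list (empty Target) matches everything."""
    if all(r == MATCH for r in results):
        return MATCH
    if NO_MATCH in results:
        return NO_MATCH
    return INDETERMINATE


def combine_any(results):
    """<AnyOf>: any child Match -> Match; all No match -> No match; otherwise Indeterminate."""
    if MATCH in results:
        return MATCH
    if all(r == NO_MATCH for r in results):
        return NO_MATCH
    return INDETERMINATE


def evaluate_target(target_xml, request):
    target = ET.fromstring(target_xml)
    anyof_results = []
    for anyof in target.findall("AnyOf"):
        allof_results = [
            combine_all([evaluate_match(m, request) for m in allof.findall("Match")])
            for allof in anyof.findall("AllOf")
        ]
        anyof_results.append(combine_any(allof_results))
    return combine_all(anyof_results)


def pep_requests():
    """Three constructed requests differing only in the policy-id attribute."""
    key = (POLICY_ID_CATEGORY, POLICY_ID_ATTRIBUTE, XS_STRING)
    return {
        "no policy-id attribute": {},
        "some other policy id": {key: ["urn:curtiss:ba:taa:taa-2.0"]},  # constructed id
        "the policy's own PolicyId": {key: ["urn:curtiss:ba:taa:taa-1.1"]},
    }


def evaluate_all():
    """Map each constructed request to the target's match result."""
    return {name: evaluate_target(TARGET_XML, req) for name, req in pep_requests().items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:28s} -> {result}")
```

Only the third request, the one in which the PEP already names the policy it wants evaluated, makes the target match; the others yield Indeterminate (attribute absent with MustBePresent="true") or No match, which is the "work out the answer before asking the question" problem the message raises.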

