Subject: RE: Policy Template Profile Examples
Steven,

You are absolutely correct. This target specification contributes to the "policy by reference" profile (https://wiki.oasis-open.org/xacml/Policy%20Reference%20Profile), which is orthogonal to the current discussion on policy templates. I will remove this from any further example to avoid confusion and allow us to concentrate on one topic at a time.

Jean-Paul

-----Original Message-----
From: Steven Legg [mailto:steven.legg@viewds.com]
Sent: Thursday, October 11, 2012 05:35
To: Jean-Paul Buu-Sao
Cc: XACML-TC-mailinglist
Subject: Policy Template Profile Examples

Jean-Paul,

What purpose does the target in the policy in section 1 of the Policy Template Profile Examples serve?

    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:curtiss:ba:taa:taa-1.1</AttributeValue>
            <AttributeDesignator MustBePresent="true"
                Category="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>

It is testing whether the policy-id XACML attribute is equal to the PolicyId XML attribute of the containing policy. In order for this policy to be considered in the evaluation of an authorization request, the authorization request would have to include "urn:curtiss:ba:taa:taa-1.1" as a value of this policy-id XACML attribute. Or in other words, the PEP has to predict which policies are going to be evaluated to satisfy its authorization request before it makes its request (it pretty much has to work out the answer before it asks the question!).

That's daft, so I've disregarded the targets as a mistake. However, their continued presence may be contributing to the confusion around the Policy Template Profile. I believe this target, and every other target in the examples, should be wiped clean and the PolicyIdOnResource parameter removed.

Do you agree?

Regards,
Steven