Subject: RE: [xacml] Summary of the 3 proposed syntaxes for Policy Template


Erik

 

The core specification says that “The <AttributeDesignator> element retrieves a bag of values for a named attribute from the request context”. Hence the scope for the resolution of the named attributes cannot be limited to the scope of the containing <Policy> element alone, but is that of the whole request context. It follows that you cannot compose a <PolicySet> with multiple parameterized <Policy> elements, in the case of name conflicts, unless some kind of naming convention is introduced.

 

For example, the <PolicySet> below contains two <Policy> elements that are parameterized. There is a name clash in the named parameter “Organizations”:

 

<PolicySet PolicyId="urn:example:set1" … >
    <Policy PolicyId="urn:example:template1" … >
        ...
        <Condition>
            ...
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="Organizations" MustBePresent="true"/>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" MustBePresent="true"/>
            </Apply>
            ...
        </Condition>
        ...
    </Policy>
    <Policy PolicyId="urn:example:template2" … >
        ...
        <Condition>
            ...
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="Organizations" MustBePresent="true"/>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" MustBePresent="true"/>
            </Apply>
            ...
        </Condition>
        ...
    </Policy>
</PolicySet>

 

One must introduce a naming convention on the named parameters to establish the correct scope, such as:

 

<PolicySet PolicyId="urn:example:set1">
    <Policy PolicyId="urn:example:template1">
        ...
        <Condition>
            ...
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:example:template1:Organizations" MustBePresent="true"/>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" MustBePresent="true"/>
            </Apply>
            ...
        </Condition>
        ...
    </Policy>
    <Policy PolicyId="urn:example:template2">
        ...
        <Condition>
            ...
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:example:template2:Organizations" MustBePresent="true"/>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID" MustBePresent="true"/>
            </Apply>
            ...
        </Condition>
        ...
    </Policy>
</PolicySet>

 

Would you confirm this analysis?

Thanks,

 

Jean-Paul
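The following is an added example, not code from Jean-Paul's message or from OASIS: a small Python checker that walks a <PolicySet>, reports template parameters (AttributeIds) referenced from more than one <Policy>, which is the clash described above, and then applies the PolicyId-prefix naming convention from the second example so that each policy resolves its own attribute from the request context. It assumes the set of parameter AttributeIds is known to the tool and passed in explicitly (the thread has not settled on a syntax for declaring them), and the PolicySet it parses is constructed here after the message's example; the TSCP OrganizationID claim is treated as a real, shared attribute rather than a parameter.

```python
"""Detect and resolve parameter-name clashes between parameterised <Policy>
elements of one XACML 3.0 <PolicySet>.

Added example, not code from the original message or from OASIS.  Assumptions:
template parameters are ordinary AttributeDesignators, and the set of parameter
AttributeIds is passed in explicitly.  The sample PolicySet is constructed here.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ET.register_namespace("", XACML_NS)  # keep the default namespace on output


def _policy_template(pid):
    """One constructed parameterised <Policy>, modelled on the message's example.
    AttributeId="Organizations" is the template parameter; the OrganizationID
    claim is a real attribute shared by every policy and is not a parameter."""
    return f"""
  <Policy PolicyId="{pid}" Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Target/>
    <Rule RuleId="{pid}:rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <AttributeDesignator Category="{SUBJECT}" AttributeId="Organizations"
              DataType="{XS_STRING}" MustBePresent="true"/>
          <AttributeDesignator Category="{SUBJECT}"
              AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"
              DataType="{XS_STRING}" MustBePresent="true"/>
        </Apply>
      </Condition>
    </Rule>
  </Policy>"""


# Constructed sample: two instances of the same template in one PolicySet.
SAMPLE_POLICYSET = f"""<PolicySet xmlns="{XACML_NS}" PolicyId="urn:example:set1" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Target/>{_policy_template("urn:example:template1")}{_policy_template("urn:example:template2")}
</PolicySet>"""


def _local(tag):
    """Strip the namespace so the code works on namespaced or bare XML."""
    return tag.rsplit("}", 1)[-1]


def _iter(elem, name):
    """Yield elem and its descendants whose local name equals name."""
    for e in elem.iter():
        if _local(e.tag) == name:
            yield e


def find_clashes(policyset_xml, parameter_ids):
    """Map each parameter AttributeId to the PolicyIds referencing it, keeping
    only parameters used by more than one <Policy>.  Because a designator is
    resolved against the whole request context, those policies would all read
    the same bag of values: that is the clash."""
    root = ET.fromstring(policyset_xml)
    users = {}
    for policy in _iter(root, "Policy"):
        pid = policy.get("PolicyId")
        for d in _iter(policy, "AttributeDesignator"):
            aid = d.get("AttributeId")
            if aid in parameter_ids and pid not in users.setdefault(aid, []):
                users[aid].append(pid)
    return {aid: pids for aid, pids in users.items() if len(pids) > 1}


def scope_parameters(policyset_xml, parameter_ids):
    """Apply the naming convention from the message: prefix each parameter
    AttributeId with the enclosing PolicyId.  Returns the rewritten XML."""
    root = ET.fromstring(policyset_xml)
    for policy in _iter(root, "Policy"):
        pid = policy.get("PolicyId")
        for d in _iter(policy, "AttributeDesignator"):
            aid = d.get("AttributeId")
            if aid in parameter_ids:
                d.set("AttributeId", f"{pid}:{aid}")
    return ET.tostring(root, encoding="unicode")


def designator_ids(policyset_xml):
    """All (Category, AttributeId) pairs the PDP will look up in the request
    context, i.e. what the PEP or PIP has to supply after scoping."""
    root = ET.fromstring(policyset_xml)
    return sorted({(d.get("Category"), d.get("AttributeId"))
                   for d in _iter(root, "AttributeDesignator")})


if __name__ == "__main__":
    params = {"Organizations"}
    print("clashes before:", find_clashes(SAMPLE_POLICYSET, params))
    scoped = scope_parameters(SAMPLE_POLICYSET, params)
    print("clashes after: ", find_clashes(scoped, params))
    for _cat, aid in designator_ids(scoped):
        print("request context must supply:", aid)
```

The last loop makes the practical cost of the convention visible: once the parameters are prefixed, the request context (or a PIP) has to carry a separately named attribute per policy instance, and with MustBePresent="true" a missing one turns the evaluation into Indeterminate rather than NotApplicable.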

 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Erik Rissanen
Sent: Friday, October 12, 2012 10:02
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] Summary of the 3 proposed syntaxes for Policy Template

 

Jean-Paul,

Thanks for the summary. I might add that for the AttributeDesignator approach, I did not intend to do substitution in target <Match> elements. My point is to stay within the current XACML 3.0 core schema, and avoid any extra processing steps. Thus it would be a "con" to this approach that any targets need to be rewritten into conditions using the on-permit-apply-second algorithm.

Best regards,
Erik


On 2012-10-11 15:39, Jean-Paul Buu-Sao wrote:

Greetings

 

There has been an intense and healthy discussion around the syntax for Policy Templates recently, thanks to Danny, Steven and Erik. I thought that I should summarize the various proposals on the Wiki:

https://wiki.oasis-open.org/xacml/Policy%20Template%20Syntactic%20Options

 

Danny, Steven, Erik, my apologies if I missed one of your points. I still have to double-check against the email thread that I have not forgotten anything (in fact I have, but will correct before today's close of business).

 

Thanks,

Jean-Paul

 


