Subject: RE: [xacml] Summary of the 3 proposed syntaxes for Policy Template
Erik,

The core specification says that “The <AttributeDesignator> element retrieves a bag of values for a named attribute from the request context”. Hence the scope for the resolution of the named attributes cannot be limited to the scope of the container <Policy> element alone, but is the one of the whole request context. It follows that you cannot compose a <PolicySet> with multiple parameterized <Policy>, in the case of name conflicts, unless there is some kind of naming convention introduced.

For example, the <PolicySet> below contains two <Policy> that are parameterized. There is a name-clash in the named parameters “Organizations”:

<PolicySet PolicyId="urn:example:set1" … >
  <Policy PolicyId="urn:example:template1" … >
    ...
    <Condition>
      ...
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="Organizations"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
      ...
    </Condition>
    ...
  </Policy>
  <Policy PolicyId="urn:example:template2" … >
    ...
    <Condition>
      ...
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="Organizations"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
      ...
    </Condition>
    ...
  </Policy>
</PolicySet>

One must introduce a naming convention on the named parameters to establish the correct scope, such as:

<PolicySet PolicyId="urn:example:set1">
  <Policy PolicyId="urn:example:template1">
    ...
    <Condition>
      ...
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="urn:example:template1:Organizations"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
      ...
    </Condition>
    ...
  </Policy>
  <Policy PolicyId="urn:example:template2">
    ...
    <Condition>
      ...
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="urn:example:template2:Organizations"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
      ...
    </Condition>
    ...
  </Policy>
</PolicySet>

Would you confirm this analysis?

Thanks,
Jean-Paul

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Erik Rissanen

Jean-Paul,
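As an added illustration of the clash described in the message above (this is not code from the thread, the XACML TC or any XACML implementation), the Python below parses a constructed PolicySet mirroring the example, reports parameter AttributeIds shared by sibling Policies, and applies the PolicyId-prefix naming convention. It assumes a template parameter is any AttributeId without a URI scheme, or one already prefixed with a sibling PolicyId; the sample PolicySet and its Rule ids are constructed.

```python
"""Detect template-parameter name clashes between sibling <Policy> elements of
an XACML <PolicySet> and apply the PolicyId-prefix naming convention. Added
example, not code from the xacml list. Assumption: a template parameter is any
AttributeId without a URI scheme (or already prefixed by a sibling PolicyId)."""
import re
import xml.etree.ElementTree as ET

URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STR = "http://www.w3.org/2001/XMLSchema#string"
# Constructed sample mirroring the thread's PolicySet (tags matched by local-name suffix).
POLICY = """<Policy PolicyId="{pid}"><Rule RuleId="r1" Effect="Permit"><Condition>
 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
  <AttributeDesignator Category="{c}" AttributeId="{p}" DataType="{s}" MustBePresent="true"/>
  <AttributeDesignator Category="{c}" DataType="{s}" MustBePresent="true"
   AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"/>
 </Apply></Condition></Rule></Policy>"""
CLASHING = '<PolicySet PolicyId="urn:example:set1">{}{}</PolicySet>'.format(
    POLICY.format(pid="urn:example:template1", p="Organizations", c=CAT, s=STR),
    POLICY.format(pid="urn:example:template2", p="Organizations", c=CAT, s=STR))

def policies(root):
    return [p for p in root if p.tag.endswith("Policy")]

def designators(policy):
    return [d for d in policy.iter() if d.tag.endswith("AttributeDesignator")]

def find_clashes(xml_text):
    """{AttributeId: [PolicyIds]} for parameters used by several sibling
    Policies: the PDP resolves them all against the same request context."""
    root = ET.fromstring(xml_text)
    pids = [p.get("PolicyId") for p in policies(root)]
    owners = {}
    for policy in policies(root):
        for aid in {d.get("AttributeId", "") for d in designators(policy)}:
            scoped = any(aid.startswith(pid + ":") for pid in pids)
            if scoped or not URI_SCHEME.match(aid):
                owners.setdefault(aid, set()).add(policy.get("PolicyId"))
    return {aid: sorted(o) for aid, o in owners.items() if len(o) > 1}

def scope_parameters(xml_text):
    """Rewrite bare parameter ids to '<PolicyId>:<name>'; return the new XML."""
    root = ET.fromstring(xml_text)
    for policy in policies(root):
        for d in designators(policy):
            aid = d.get("AttributeId", "")
            if not URI_SCHEME.match(aid):
                d.set("AttributeId", f"{policy.get('PolicyId')}:{aid}")
    return ET.tostring(root, encoding="unicode")
```

Running find_clashes on the rewritten PolicySet returns an empty dict, while the shared OrganizationID claim is left untouched because it is a real request attribute rather than a template parameter.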