OASIS Mailing List Archives

 



xacml message



Subject: RE: [xacml] Groups - XACML v3.0 Related and Nested Entities Profile Version 1.0 uploaded


Hello Steven,

 

Thanks for assembling the draft profile.  You have put a great deal of work into this.

 

Given that “domain” has fairly standard meaning in IT, would it be possible to use the term “scope” instead?  I think it would work in this context, and prevent unnecessary confusion.  “Realm” also might be a less-used and less confusing term, but I think “scope” fits best.

 

In the examples in section 5.2, I see “relationship-kind”, which seems to be quite a bit like urn:oasis:names:tc:xacml:3.0:ipc:subject:subject-to-organization-relationship.

There is also “start-date”, which is similar to urn:oasis:names:tc:xacml:3.0:ipc:resource:effective-date

 

For the sake of consistency, could we use the IPC style attributes, even in the examples, so  we can keep those aligned?

 

The examples in 5.3.1 regarding an “approved-export” table actually hint at the existence of behind-the-scenes attribute flattening, since in order to build such a table, the list has to be compiled from interpretation of regulations, exceptions, and individual licenses.  Is the intent to demonstrate a capability to import complex tables associated with regulations (such as the US Commerce Control List), and make the table content available to policy authors? 

 

Thanks again for the contribution,

 

John

 

 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg
Sent: Monday, October 21, 2013 11:18 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Groups - XACML v3.0 Related and Nested Entities Profile Version 1.0 uploaded

 

Submitter's message
This is the initial draft for the Related and Nested Entities Profile - my response to the "Attributes of Relations" email thread. I changed from "Embedded" to "Nested" in the title because it better suggests the idea that entities can be embedded in other entities to any depth. A nested entity is what I have previously called a compound attribute. As well as the ForAny and ForAll expressions that I have discussed on the mailing list I have defined a Select expression as a convenience to policy writers who like to think in SQL terms. The examples go beyond simply addressing the "Attributes of Relations" concerns.
-- Dr. Steven Legg

Document Name: XACML v3.0 Related and Nested Entities Profile Version 1.0


Description
It is not unusual for access control policy to be dependent on attributes
that are not naturally properties of the access subject or resource, but
rather are properties of entities that are related to the access subject or
resource. This profile defines the means to reference such attributes from
within XACML policies for processing by a policy decision point.


Submitter: Dr. Steven Legg
Group: OASIS eXtensible Access Control Markup Language (XACML) TC
Folder: Specifications and Working Drafts
Date submitted: 2013-10-21 23:17:29

 


