OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Compound Attributes - Was: [xacml] Minutes for 27 April 2017 TC Meeting

Hi Steven,

What I was thinking (off the cuff) was something like the following:
  1. Use the multivalue attribute property, where multiple instances of the
    same attributevalue are treated as multiple values.
  2. Define a new datatype called "keyvaluepair", which would have a form such as:
  3. When multiple attribute values of this type are defined within the same attribute element,
    or attribute entities within the same attributes element and w same metadata (issuer, attr-id),
    this would result in a "bag" of <key>:<value> "values",
    which can be interpreted as an enumerated list of "keyvaluepair"s, w attr-id being the
    attribute parent's attr-id.
    So, basically the result is a named list of "keyvaluepair"s

Operations on this list could be done such as finding all values w a given key, etc.

So, I think the key chg would be that a new datatype that contains both a key and a value
would be sufficient to provide this capability.

Isn't that obvious from the minutes ? :)


On 4/28/2017 2:25 AM, Steven Legg wrote:
On 28/04/2017 6:56 AM, rich levinson wrote:
   Documentation of HL7 data types: ref from David wrt "compound attributes":
        compound attrs: variation of xml
     martin: datatype was sort of a code list: needed or covered?
      look up official country code:
      need datatype for "enumerated lists"

     rich: maybe have a key:value pair as a datatype?

Isn't a key:value pair an XACML attribute? :-)

I would have described the HL7 data types as multi-part identifiers, but as the
IHE-XACML binding is only interested in at most two parts, and one mandatory part
is an OID, it would have been a viable approach to treat each OID as an XACML
attribute id and the other part as the XACML attribute value, thus avoiding the
need for new data-types and functions.

That aside, the entities profile provides two ways to represent
multi-part identifiers (or key:value pairs).

A value of the CV data-type would appear something like this according to HL7:

    <CodedValue code="1" codeSystem="1.0.14265.1"/>

Using the entities profile it could still be represented as XML without defining
a new data-type:

      <CodedValue code="1" codeSystem="1.0.14265.1" />

The parts of the value would have to be extracted using XPath and the
attribute-selector function.

Alternatively, using the entities profile, the parts could be represented as
nested attributes:


The parts of the value would be extracted using the attribute-designator function.

The tricky part is writing XACML expressions that have the same effect as the
new HL7 functions. The CV-equal and II-equal functions are straightforward, if a
little verbose. The II-to-string and II-match functions are doable, but contorted.
It would be much easier if there were an XACML function that behaved like the
Java/C ternary operator "?:", i.e., if the first argument is true then return the
second argument, otherwise return the third argument. The remaining functions
involve transformations that could perhaps be done in the PEP and PIP rather than
the PDP.

It would be handy for policy writers using compound attributes if XACML supported
user-defined functions (think of a variable definition with parameters). To better
support use cases with compound attributes I would add user-defined functions and
a ternary operator. Representing compound attributes and processing them are
already covered by the entities profile.


To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]