All,
Here are all the changes we have made in the specs since the previous
public review:
Cross references across the specs have been updated in all specs, as
well as the copyright date.
xacml-3.0-core-spec and the core schema:
• Fix typos in examples.
• Fix typos in schema fragments.
• Clarified glossary definition of “obligation”; it also mentions that
obligations can occur in rules.
• Clarified glossary definitions of “policy”, “rule” and “policy set”
so they mention that they can contain advice (and obligations for
rules).
• Updated reference to XML spec to fifth edition.
• Clarified introductory section (2.3) to combining algorithms.
• Improved consistency in text regarding obligation/advice vs
obligation/advice expressions.
• Improved consistency in text stating that advice/obligations can occur
in rules.
• Correct errors in the example policies and requests.
• Misc improvements in wording and correction of typos in various
places (no substantive changes).
• Corrected definition of elements <Rule>, <Policy> and
<PolicySet> so they correctly reference obligation and advice
expressions.
• Made a reference to PEP bias from definition of <PolicySet>,
instead of incorrectly mandating a “Deny” in the PEP in case of
obligation failure.
• Allow <AttributeAssignmentExpression> to evaluate to a bag.
• Removed redundant occurrence indicators from the RequestType schema
definition.
• Removed note about XPath 2.0 expert review.
• Clarified error behavior of advice/obligations.
• Added AdviceId as part of the extensibility list in section 8.1.
• Renamed functions uri-starts-with to anyURI-starts-with,
uri-ends-with to anyURI-ends-with, uri-contains to anyURI-contains and
uri-substring to anyURI-substring
• Fixed typos which referenced non-existing data types
urn:…:xacml:…*duration.
• Reversed the arguments of the string-starts-with, string-ends-with,
string-contains, anyURI-starts-with, anyURI-ends-with and
anyURI-contains functions.
• Clarified error behavior of the string-substring and anyURI-substring
functions.
• Generalized the xpath-node-match function so it can select any XML
node type.
• Removed the obsolete attribute id
urn:oasis:names:tc:xacml:1.0:resource:xpath
• Make it clear that an attribute selector may select an element node.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Added an optional “offset” to <AttributeSelector> in the form
of the ContextSelectorId XML attribute.
• Improved and moved text about the <AttributeSelector>.
• Simplified the schema of <PolicyIdentifierList>
• Removed text which says that the XACML conformance tests are hosted
on the Sun website.
• Added references to sections 5, 6, 7, A, B and C in conformance
section.
• Made the evaluation context of xpaths better specified.
• Make text about multiple arguments in the multiply functions more
consistent.
• Generalized the any-of, all-of, any-of-any and map functions to
functions with more arguments.
• Removed an unnecessary reference to SAML in section B.4.
(Authentication credentials can come from other sources as well in
general, so the reference to SAML was too restrictive.)
• Updated Acknowledgements.
• Restrict <Content> to a single child element.
• Replace the EntireHierarchy multiple decision combining mechanism
with a more restricted scheme controlled by the CombinedDecision XML
attribute in the <Request> element.
• Fixed errors in the reference section.
• Updated cross references to the profiles.
• Removed reference to “leaf” nodes in section 7.3.2 since this was an
unnecessary restriction.
• Removed statement in section B.4 which said that the subject-id is a
string by default.
xacml-3.0-administration-v1-spec:
• Updated Acknowledgements.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Fix typos.
• Fix errors in examples.
xacml-3.0-dsig-v1-spec:
• Updated Acknowledgements.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Fixed a broken bookmark in a reference.
xacml-3.0-hierarchical-v1-spec:
• Updated Acknowledgements.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Fixed typos.
• Fix 2.0 -> 3.0 typos in some identifiers.
• Improved formatting conventions.
• Updated reference to RFC 3986 (was RFC 2396).
• Clarified meaning of the profile identifiers (they are only metadata
about the functionality).
• Improved the URI scheme with XML node pointers.
• Use content-selector instead of resource-id for the XML/XPath scheme.
• Don’t specify the “ancestor attributes” in the XML/XPath scheme.
xacml-3.0-multiple-v1-spec:
• Updated Acknowledgements.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Changed name to “Multiple Decision Profile”
• Improved abstract.
• Updated all text to talk about “multiple decisions” instead of
“multiple resources”
• The XML/XPath scheme now uses the content-selector and
multiple:content-selector attributes instead of resource-id. This also
generalizes the XML scheme to other categories than the resource.
• Clarified meaning of the profile identifiers (they are only metadata
about the functionality).
• Separate the “ancestor scheme” and the XML scheme from each other,
that is, don’t use the ancestor attributes for the XML scheme.
• Reworded some text to make it clearer.
• Drop the “EntireHierarchy” scope in favor of the new CombinedDecision
XML attribute of the <Request> element.
• Added a new section which specifies the overall order of processing
of the various schemes.
• Drop the XPathExpression scope in favor of the new
multiple:content-selector attribute.
• Rename some of the schemes and the associated metadata identifiers.
xacml-3.0-privacy-v1-spec:
• Updated Acknowledgements.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Fixed formatting issues.
• Fixed errors in the XML fragment.
xacml-3.0-rbac-v1-spec:
• Updated Acknowledgements.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Clarified that a permission policy set may contain policy sets.
• Fixed formatting issues.
• Fixed errors in examples.
xacml-profile-saml2.0-v2-spec:
• Updated Acknowledgements.
• Fixed formatting of OASIS spec references so they correspond to the
OASIS template.
• Added an extension point to the AuthZ query schema.
• Fix formatting issues.
• Removed a reference to a non-existing section.
In addition to the above, in all schema files:
• Fixed schema import cross reference URLs
• Fixed OASIS copyright
Best regards,
Erik