OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] CR 144: function "present" needs to be fixed.

    Posted 10-23-2002 14:42
    
    I think this CR should be 145, not 144, sorry, but I didn't want to change
    the subject line, lest I mess up the thread, and Anne will beat me with a
    threading stick. :^)
    
    I've got another proposal to handle the cases where we need to have
    predicates for the presence of attribute values, for action, resources,
    and subjects.
    
    The basic upshot is the following:
    
    The following correspond to their *AttributeDesignator counterparts:
    
    o action-attribute-is-present
    o action-attribute-must-be-present
    o resource-attribute-is-present
    o resource-attribute-must-be-present
    o subject-attribute-is-present
    o subject-attribute-must-be-present
    o subject-attribute-is-present-where
    o subject-attribute-must-be-present-where
    
    The following correspond to the AttributeSelector element:
    o attribute-is-present
    o attribute-must-be-present
    
    So, I now suggest to replace the last bullet & paragraph (i.e. "present")
    of Section A.14.5 Logical Functions with the following:
    
    
    o action-attribute-is-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    attribute value of type "xs:QName" as used in the "AttributeId" XML
    attribute of an <ActionAttributeDesignator> element. The second argument
    SHALL be an attribute value of type "xs:QName" containing the identity of
    the data type as used in the "DataType" XML attribute of the
    <ActionAttributeDesignator> element. This expression SHALL result in
    "true" if the named attribute can be located in the request context. A
    result of "true" means that an <ActionAttributeDesignator> element for
    this named attribute will return a bag consisting of at least one
    element. If no value can be found for the attribute in the request
    context, then this expression SHALL result in "false". A result of
    "false" means that an <ActionAttributeDesignator> element for this named
    attribute will return an empty bag. If it cannot be determined whether
    the attribute is present or not present in the request context, or its
    value is unavailable, then the expression SHALL result in
    "indeterminate".
    
    
    o action-attribute-must-be-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    attribute value of type "xs:QName" as used in the "AttributeId" XML
    attribute of an <ActionAttributeDesignator> element. The second argument
    SHALL be an attribute value of type "xs:QName" containing the identity of
    the data type as used in the "DataType" XML attribute of the
    <ActionAttributeDesignator> element. This expression SHALL result in
    "true" if the named attribute can be located in the request context. A
    result of "true" means that an <ActionAttributeDesignator> element for
    this named attribute will return a bag consisting of at least one
    element. If no value can be found for the attribute in the request
    context, which means that an <ActionAttributeDesignator> element for this
    named attribute will return an empty bag, this expression SHALL result in
    "indeterminate". If it cannot be determined whether the attribute is
    present or not present in the request context, or its value is
    unavailable, then the expression SHALL result in "indeterminate".
    
    
    o resource-attribute-is-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    attribute value of type "xs:QName" as used in the "AttributeId" XML
    attribute of a <ResourceAttributeDesignator> element. The second
    argument SHALL be an attribute value of type "xs:QName" containing the
    identity of the data type as used in the "DataType" XML attribute of the
    <ResourceAttributeDesignator> element. This expression SHALL result in
    "true" if the named attribute can be located in the request context. A
    result of "true" means that a <ResourceAttributeDesignator> element for
    this named attribute will return a bag consisting of at least one
    element. If no value can be found for the attribute in the request
    context, then this expression SHALL result in "false". A result of
    "false" means that a <ResourceAttributeDesignator> element for this
    named attribute will return an empty bag. If it cannot be determined
    whether the attribute is present or not present in the request context,
    or its value is unavailable, then the expression SHALL result in
    "indeterminate".
    
    
    o resource-attribute-must-be-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    attribute value of type "xs:QName" as used in the "AttributeId" XML
    attribute of a <ResourceAttributeDesignator> element. The second
    argument SHALL be an attribute value of type "xs:QName" containing the
    identity of the data type as used in the "DataType" XML attribute of the
    <ResourceAttributeDesignator> element. This expression SHALL result in
    "true" if the named attribute can be located in the request context. A
    result of "true" means that a <ResourceAttributeDesignator> element for
    this named attribute will return a bag consisting of at least one
    element. If no value can be found for the attribute in the request
    context, which means that a <ResourceAttributeDesignator> element for
    this named attribute will return an empty bag, this expression SHALL
    result in "indeterminate". If it cannot be determined whether the
    attribute is present or not present in the request context, or its value
    is unavailable, then the expression SHALL result in "indeterminate".
    
    
    o subject-attribute-is-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    attribute value of type "xs:QName" as used in the "AttributeId" XML
    attribute of a <SubjectAttributeDesignator> element. The second argument
    SHALL be an attribute value of type "xs:QName" containing the identity of
    the data type as used in the "DataType" XML attribute of the
    <SubjectAttributeDesignator> element. This expression SHALL result in
    "true" if the named attribute can be located in the request context. A
    result of "true" means that a <SubjectAttributeDesignator> element for
    this named attribute will return a bag consisting of at least one
    element. If no value can be found for the attribute in the request
    context, then this expression SHALL result in "false". A result of
    "false" means that a <SubjectAttributeDesignator> element for this named
    attribute will return an empty bag. If it cannot be determined whether
    the attribute is present or not present in the request context, or its
    value is unavailable, then the expression SHALL result in
    "indeterminate".
    
    
    o subject-attribute-must-be-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    attribute value of type "xs:QName" as used in the "AttributeId" XML
    attribute of a <SubjectAttributeDesignator> element. The second argument
    SHALL be an attribute value of type "xs:QName" containing the identity of
    the data type as used in the "DataType" XML attribute of the
    <SubjectAttributeDesignator> element. This expression SHALL result in
    "true" if the named attribute can be located in the request context. A
    result of "true" means that a <SubjectAttributeDesignator> element for
    this named attribute will return a bag consisting of at least one
    element. If no value can be found for the attribute in the request
    context, which means that a <SubjectAttributeDesignator> element for
    this named attribute will return an empty bag, this expression SHALL
    result in "indeterminate". If it cannot be determined whether the
    attribute is present or not present in the request context, or its value
    is unavailable, then the expression SHALL result in "indeterminate".
    
    
    o subject-attribute-is-present-where
    
    This function SHALL take three or more arguments. The first argument
    SHALL be an attribute value of type "xs:QName" as used in the
    "AttributeId" XML attribute of a <SubjectAttributeDesignatorWhere>
    element. The second argument SHALL be an attribute value of type
    "xs:QName" containing the identity of the data type as used in the
    "DataType" XML attribute of the <SubjectAttributeDesignatorWhere>
    element. The third and subsequent arguments SHALL be <SubjectMatch>
    elements. This expression SHALL result in "true" if the named attribute
    named by "AttributeId" and "DataType" XML attributes can be located in
    the particular subject in the request context of which all the given
    <SubjectMatch> expressions evaluate to "true". A result of "true" means
    that a <SubjectAttributeDesignatorWhere> element for this named attribute
    and identical <SubjectMatch> elements will return a bag consisting of at
    least one element. If no value can be found for the attribute in the
    request context, then this expression SHALL result in "false". A result
    of "false" means that a <SubjectAttributeDesignatorWhere> element for
    this named attribute will return an empty bag. If it cannot be determined
    whether the attribute is present or not present in the request context,
    its value is unavailable, or any of the <SubjectMatch> elements evaluate
    to "indeterminate", then the expression SHALL result in "indeterminate".
    
    
    o subject-attribute-must-be-present-where
    
    This function SHALL take three or more arguments. The first argument
    SHALL be an attribute value of type "xs:QName" as used in the
    "AttributeId" XML attribute of a <SubjectAttributeDesignatorWhere>
    element. The second argument SHALL be an attribute value of type
    "xs:QName" containing the identity of the data type as used in the
    "DataType" XML attribute of the <SubjectAttributeDesignatorWhere>
    element. The third and subsequent arguments SHALL be <SubjectMatch>
    elements. This expression SHALL result in "true" if the named attribute
    named by "AttributeId" and "DataType" XML attributes can be located in
    the particular subject in the request context of which all the given
    <SubjectMatch> expressions evaluate to "true". A result of "true" means
    that a <SubjectAttributeDesignatorWhere> element for this named attribute
    and identical <SubjectMatch> elements will return a bag consisting of at
    least one element. If no value can be found for the attribute in the
    request context, which means that the corresponding
    <SubjectAttributeDesignatorWhere> element will return an empty bag, this
    expression SHALL result in "indeterminate". If it cannot be determined
    whether the attribute is present or not present in the request context,
    its value is unavailable, or any of the <SubjectMatch> elements evaluate
    to "indeterminate", then the expression SHALL result in "indeterminate".
    
    
    o attribute-is-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    argument of type "xs:string" that is an XPath expression that is used in
    the "RequestContextPath" XML attribute of the <AttributeSelector>
    element. The second argument SHALL be an attribute value of type
    "xs:QName" containing the identity of the data type as used in the
    "DataType" XML attribute of the <AttributeSelector> element. This
    expression SHALL result in "true" if the value can be found. A result of
    "true" means that an <AttributeSelector> element for this named attribute
    SHALL return a bag consisting of at least one element. If no value can be
    found, then this expression SHALL result in "false". A result of "false"
    means that the corresponding <AttributeSelector> element SHALL return an
    empty bag. If it cannot be determined that a value for this XPath
    expression is present or not present, or the value is unavailable, then
    the expression SHALL result in "indeterminate".
    
    
    o attribute-must-be-present
    
    This function SHALL take two arguments. The first argument SHALL be an
    argument of type "xs:string" that is an XPath expression that is used in
    the "RequestContextPath" XML attribute of the <AttributeSelector>
    element. The second argument SHALL be an attribute value of type
    "xs:QName" containing the identity of the data type as used in the
    "DataType" XML attribute of the <AttributeSelector> element. This
    expression SHALL result in "true" if the value can be found. A result of
    "true" means that an <AttributeSelector> element for this named attribute
    SHALL return a bag consisting of at least one element. If no value can be
    found, then this expression SHALL result in "false", which means that the
    corresponding <AttributeSelector> element SHALL return an empty bag, this
    expression SHALL result in "indeterminate". If it cannot be determined
    that a value for this XPath expression is present or not present, or the
    value is unavailable, then the expression SHALL result in
    "indeterminate".
    
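An added sketch, not part of the original message or of the XACML specification, of the three-valued results the proposal above assigns to the "is-present", "must-be-present" and "-where" functions. Modelling the request context as Python dictionaries, the `UNAVAILABLE` marker, the `required` helper and `match_equal` as a stand-in for a <SubjectMatch> element are assumptions made for illustration.

```python
from enum import Enum

class Tri(Enum):
    TRUE = "true"
    FALSE = "false"
    INDETERMINATE = "indeterminate"

UNAVAILABLE = object()  # constructed marker: the value could not be retrieved

def is_present(attrs, attr_id, data_type):
    """*-attribute-is-present: empty bag -> false, unavailable -> indeterminate."""
    bag = attrs.get((attr_id, data_type), [])
    if bag is UNAVAILABLE:
        return Tri.INDETERMINATE
    return Tri.TRUE if bag else Tri.FALSE

def required(result):
    """must-be-present variants: "false" (empty bag) becomes indeterminate."""
    return Tri.INDETERMINATE if result is Tri.FALSE else result

def must_be_present(attrs, attr_id, data_type):
    return required(is_present(attrs, attr_id, data_type))

def match_equal(attr_id, data_type, value):
    """Hypothetical stand-in for a <SubjectMatch>: three-valued membership test."""
    def match(subject):
        bag = subject.get((attr_id, data_type), [])
        if bag is UNAVAILABLE:
            return Tri.INDETERMINATE
        return Tri.TRUE if value in bag else Tri.FALSE
    return match

def subject_is_present_where(subjects, attr_id, data_type, *matches):
    found = Tri.FALSE
    for subject in subjects:
        results = [m(subject) for m in matches]
        if Tri.INDETERMINATE in results:
            return Tri.INDETERMINATE  # an indeterminate match decides the result
        if all(r is Tri.TRUE for r in results):
            present = is_present(subject, attr_id, data_type)
            if present is Tri.INDETERMINATE:
                return present
            if present is Tri.TRUE:
                found = present
    return found

# Constructed sample request context: (AttributeId, DataType) -> bag of values
RESOURCE = {("owner", "xs:string"): ["alice"], ("label", "xs:string"): UNAVAILABLE}
SUBJECTS = [{("category", "xs:string"): ["access-subject"], ("role", "xs:string"): ["auditor"]},
            {("category", "xs:string"): ["codebase"]}]
```

The difference that matters to a policy writer is the empty-bag case: "is-present" lets the condition continue with "false", while "must-be-present" yields "indeterminate" for the same request.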