OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Suggestion for the XACML MAP Authorization Profile and others

    Posted 07-12-2014 14:38
    Hi,

    I just noticed that in the XACML MAP Authorization Profile's conformance section ( http://docs.oasis-open.org/xacml/xacml-map-authz/v1.0/cs01/xacml-map-authz-v1.0-cs01.html#_Toc385259568 ), the mandatory attributes are only described in terms of their identifiers.

    This means that both the category, the datatype, and optionally the issuer must be looked up wherever the attribute is first defined in the profile.

    For this profile and others, it would be great to have a conformance table that summarizes all the parts of an attribute definition. Or is there a reason we never did it that way?

    My apologies for this late comment.

    David.


  • 2.  RE: [xacml-comment] Suggestion for the XACML MAP Authorization Profile and others

    Posted 07-24-2014 20:06
    Generally there is a tendency to avoid duplicating information within a document to reduce the possibility of accidentally updating one part of the profile and forgetting to update the other.

    The conformance section is intended to simply specify what parts of the spec (described elsewhere) are mandatory to implement. The general question is how much of the MTI sections in question need to be repeated in the conformance section. I guess our general answer has been “only enough to unambiguously indicate what is required for conformance.”

    There is an argument that implementers should always make use of the section defining the functionality because there may be important details which do not appear elsewhere. It is not clear to me that having some but not all additional information repeated in the conformance section is really useful.

    WRT to the items you want to add:

    Datatype should always be specified by a profile

    Category can potentially be a list of permitted categories, such as “all subject types”, “only resource and action”, etc.

    I don’t see how a profile can specify anything about Issuer. This is generally deployment-specific.

    Hal

    From: David Brossard [mailto:david.brossard@axiomatics.com]
    Sent: Saturday, July 12, 2014 10:38 AM
    To: xacml; xacml-comment@lists.oasis-open.org
    Subject: [xacml-comment] Suggestion for the XACML MAP Authorization Profile and others

    Hi,

    I just noticed that in the XACML MAP Authorization Profile's conformance section ( http://docs.oasis-open.org/xacml/xacml-map-authz/v1.0/cs01/xacml-map-authz-v1.0-cs01.html#_Toc385259568 ), the mandatory attributes are only described in terms of their identifiers.

    This means that both the category, the datatype, and optionally the issuer must be looked up wherever the attribute is first defined in the profile.

    For this profile and others, it would be great to have a conformance table that summarizes all the parts of an attribute definition. Or is there a reason we never did it that way?

    My apologies for this late comment.

    David.