OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

  • 1.  Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

    Posted 10-18-2002 15:31
    On 17 October, Polar Humenn writes: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

    > This sentence means exactly what it says. If the selector or
    > designator evaluates to an empty bag, then there is no match, i.e. the
    > match "predicate" is False.

    Isn't this in direct contradiction to your proposed text for
    "7.4.2.2 Missing Attributes":

        7.4.2.2 Missing Attributes

        The PDP SHALL consider an attribute as missing if it evaluates an
        expression that requires at least one value to be present from an
        attribute designator or selector. In this case, the expression
        evaluates to "indeterminate". The PDP may carry the missing
        attribute upward in its indeterminate value in accordance with the
        XACML evaluation strategy of the encompassing expressions, rules,
        policies, and policy sets. If the PDP evaluates its policy or
        policy set to Indeterminate with a missing attribute, the PDP MAY
        list the AttributeId and DataType of that attribute in the result
        as described in Section 7.5 "Authorization decision". However, the
        PDP MAY choose not to issue such information due to security
        concerns.

    Anne
    --
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
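The two readings contrasted in the message above, as an added example that is not part of the original post or of the XACML specification: a simplified model in which the same request, lacking the attribute a match refers to, yields a different policy-level result under each rule. The class and function names, the `urn:example:role` attribute id, the rule labels and the `Permit` effect are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model for illustration; not the XACML schema or any PDP's API.
@dataclass(frozen=True)
class Designator:
    attribute_id: str
    data_type: str

@dataclass(frozen=True)
class MatchResult:
    value: str                          # "True", "False" or "Indeterminate"
    missing: Optional[Designator] = None

def evaluate_match(designator, expected, request, empty_bag_rule):
    """Evaluate one match against the bag the designator yields from the request."""
    bag = request.get(designator.attribute_id, [])
    if not bag:
        if empty_bag_rule == "no-match":
            # Reading in the quoted sentence: empty bag means the predicate is False.
            return MatchResult("False")
        # Reading in the proposed 7.4.2.2: the attribute is missing, so the
        # expression is indeterminate and the missing attribute is carried upward.
        return MatchResult("Indeterminate", designator)
    return MatchResult("True" if expected in bag else "False")

def policy_result(match, effect="Permit", disclose_missing=True):
    """Carry a target match result up to a policy-level result."""
    if match.value == "Indeterminate":
        result = {"decision": "Indeterminate"}
        # The PDP MAY list AttributeId and DataType, or withhold them
        # for security reasons.
        if disclose_missing and match.missing is not None:
            result["missing"] = (match.missing.attribute_id, match.missing.data_type)
        return result
    # A target that does not match leaves the policy not applicable.
    return {"decision": effect if match.value == "True" else "NotApplicable"}

# Constructed sample data: the request carries no role attribute at all.
ROLE = Designator("urn:example:role", "http://www.w3.org/2001/XMLSchema#string")
REQUEST_WITHOUT_ROLE = {"urn:example:department": ["radiology"]}
REQUEST_WITH_ROLE = {"urn:example:role": ["physician"]}

if __name__ == "__main__":
    for rule in ("no-match", "indeterminate"):
        m = evaluate_match(ROLE, "physician", REQUEST_WITHOUT_ROLE, rule)
        print(rule, policy_result(m))
```

Under the first rule the missing attribute is indistinguishable from a non-matching one; under the second the caller can learn which attribute to supply unless the PDP withholds it.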