OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  XACML 3.0 and deprecated identifiers

    Posted 10-10-2017 13:42
    Hi

    The XACML spec mentions that there are deprecated identifiers. There are 2 places where this happens:

      * 10.2.9 Identifiers planned for future deprecation
      * A.4 Functions, data types, attributes and algorithms planned for deprecation

    Why do we have 2 sections? They are inconsistent.

    I then compiled the 2 lists and came up with this table. You will notice that some of the identifiers do not have an explicit replacement. Why is that?

    | Old | New |
    |-----|-----|
    | http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration | http://www.w3.org/2001/XMLSchema#dayTimeDuration |
    | http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration | http://www.w3.org/2001/XMLSchema#yearMonthDuration |
    | urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:date-add-yearMonthDuration |
    | urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration |
    | urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration |
    | urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-add-yearMonthDuration |
    | urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-dayTimeDuration |
    | urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-yearMonthDuration |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal | urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal |
    | urn:oasis:names:tc:xacml:1.0:function:xpath-node-count | urn:oasis:names:tc:xacml:3.0:function:xpath-node-count |
    | urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal | urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal |
    | urn:oasis:names:tc:xacml:1.0:function:xpath-node-match | urn:oasis:names:tc:xacml:3.0:function:xpath-node-match |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal | urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal |
    | urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides |
    | urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides |
    | urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides |
    | urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides |
    | urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name | urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name |
    | urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address | urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address |
    | urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides |
    | urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides |
    | urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides |
    | urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides |
    | urn:oasis:names:tc:xacml:2.0:function:uri-string-concatenate | urn:oasis:names:tc:xacml:3.0:function:string-from-anyURI |
    | urn:oasis:names:tc:xacml:1.0:function:all-of | |
    | urn:oasis:names:tc:xacml:1.0:function:any-of | |
    | urn:oasis:names:tc:xacml:1.0:function:any-of-any | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset | |
    | urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union | |
    | urn:oasis:names:tc:xacml:1.0:function:map | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset | |
    | urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union | |


  • 2.  RE: [xacml] XACML 3.0 and deprecated identifiers

    Posted 10-10-2017 20:16
    No doubt most of these are oversights. However there may be reasons for some of them. I would start by consulting with the Editor (Erik).

    Hal


  • 3.  Re: [xacml] XACML 3.0 and deprecated identifiers

    Posted 10-10-2017 22:11
    Hi David,

    On 11/10/2017 12:42 AM, David Brossard wrote:
    > Hi
    >
    > The XACML spec mentions that there are deprecated identifiers. There are 2 places where this happens:
    >
    >   * 10.2.9 Identifiers planned for future deprecation
    >   * A.4 Functions, data types, attributes and algorithms planned for deprecation
    >
    > Why do we have 2 sections? They are inconsistent.
    >
    > I then compiled the 2 lists and came up with this table. You will notice that some of the identifiers do not have an explicit replacement. Why is that?

    The replacements are listed in 10.2.8. The relationship between old and new is implied for the dayTimeDuration-* and yearMonthDuration-* functions because these functions are defined by the catch-all type-bag, type-bag-size, etc. functions. The function definitions for all-of, any-of, any-of-any and map in A.3.12 explicitly use the new identifiers.

    BTW, did you see Cyril's comments on the JSON profile?
    https://lists.oasis-open.org/archives/xacml-comment/201709/msg00000.html

    Regards,
    Steven


  • 4.  Re: [xacml] XACML 3.0 and deprecated identifiers

    Posted 10-11-2017 08:29
    Neither 10.2.8 nor A.3.12 explicitly mention the replacement / deprecation, i.e. I have to assume that function-1.0-any-of is replaced with function-3.0-any-of. It is obvious but then again obvious is not always right, is it :-)

    --
    David Brossard


  • 5.  Re: [xacml] XACML 3.0 and deprecated identifiers

    Posted 10-12-2017 01:05
    Hi David,

    On 11/10/2017 7:29 PM, David Brossard wrote:
    > Neither 10.2.8 nor A.3.12 explicitly mention the replacement / deprecation, i.e. I have to assume that function-1.0-any-of is replaced with function-3.0-any-of. It is /obvious/ but then again obvious is not always right, is it :-)

    I would say that they don't mention it because they don't need to. The goal of the specification is to specify how to implement XACML 3.0. It isn't a goal of the specification to tell folks how to upgrade from earlier versions of XACML, though there are hints littered about.

    The conformance clauses tell us that urn:oasis:names:tc:xacml:3.0:function:any-of and urn:oasis:names:tc:xacml:1.0:function:any-of are mandatory to implement. The former is defined in the specification, but the latter is not, so we must look for it in the earlier versions. They are simply different functions that we must support for XACML version 3.0 and there is no requirement anywhere for any XACML version 3.0 component to substitute one for the other. Simply put, we can implement XACML 3.0 without assuming there is any relationship between the two functions.

    Where the implementer must make assumptions is with the type-* functions because the identifiers are not explicitly linked to the function definitions. Take the type-bag function (in A.3.10) as an example. For most types we can find only one identifier that appears to match the right pattern, e.g., for the boolean type it is urn:oasis:names:tc:xacml:1.0:function:boolean-bag, so we assume that is the correct identifier. For dayTimeDuration and yearMonthDuration we have a problem because we find two possible matches for each (and they are both mandatory). It is only by noting that one of the identifiers appears in the list of identifiers planned for future deprecation that we assume that A.3.10 means to be defining the other one. That part of the specification could have been more rigorous. We still don't need to assume a relationship between the old identifier and the new identifier to implement XACML version 3.0.

    Regards,
    Steven
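
An added example, not part of the thread or of the XACML specification: a report-only policy linter that encodes the Old/New table from the first post and flags those identifiers in a policy document. Rows with an empty New column are reported as `implied`, using the version-swap assumption discussed in posts 4 and 5; the sample policy and the names `build_table`, `scan_policy` and `DEPRECATED` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

URN = "urn:oasis:names:tc:xacml:"
XQ = "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#"
XS = "http://www.w3.org/2001/XMLSchema#"
F1, F3 = URN + "1.0:function:", URN + "3.0:function:"


def build_table():
    """Return {old_id: (candidate_new_id, status)} for the thread's 46 rows."""
    table = {}

    def add(old_prefix, new_prefix, names, status="explicit"):
        for name in names:
            table[old_prefix + name] = (new_prefix + name, status)

    # Rows where the table in the first post names a replacement.
    add(XQ, XS, ["dayTimeDuration", "yearMonthDuration"])
    add(F1, F3, [
        "date-add-yearMonthDuration", "date-subtract-yearMonthDuration",
        "dateTime-add-dayTimeDuration", "dateTime-add-yearMonthDuration",
        "dateTime-subtract-dayTimeDuration", "dateTime-subtract-yearMonthDuration",
        "dayTimeDuration-equal", "yearMonthDuration-equal",
        "xpath-node-count", "xpath-node-equal", "xpath-node-match"])
    add(URN + "1.0:subject:authn-locality:", URN + "3.0:subject:authn-locality:",
        ["dns-name", "ip-address"])
    for kind in ("policy", "rule"):
        alg = kind + "-combining-algorithm:"
        add(URN + "1.0:" + alg, URN + "3.0:" + alg,
            ["deny-overrides", "permit-overrides"])
        add(URN + "1.1:" + alg, URN + "3.0:" + alg,
            ["ordered-deny-overrides", "ordered-permit-overrides"])
    # The one row whose name changes as well as its version (as the table gives it).
    table[URN + "2.0:function:uri-string-concatenate"] = (
        F3 + "string-from-anyURI", "explicit")

    # Rows with an empty "New" column. The 3.0 candidate is the version-swap
    # assumption from the thread, so it is labelled "implied", not stated as fact.
    bag_ops = ["at-least-one-member-of", "bag", "bag-size", "intersection",
               "is-in", "one-and-only", "set-equals", "subset", "union"]
    implied = ["all-of", "any-of", "any-of-any", "map"]
    implied += [f"{t}-{op}" for t in ("dayTimeDuration", "yearMonthDuration")
                for op in bag_ops]
    add(F1, F3, implied, status="implied")
    return table


DEPRECATED = build_table()


def scan_policy(xml_text, table=DEPRECATED):
    """List (element, attribute, old_id, candidate_new_id, status) findings.

    Report-only: post 5 notes that the old and new identifiers are different
    functions with no substitution requirement, so nothing is rewritten.
    Assumes trusted policy files; use a hardened XML parser for untrusted input.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        for attr, value in elem.attrib.items():
            if value in table:
                new_id, status = table[value]
                findings.append((tag, attr, value, new_id, status))
    return findings


# Constructed sample policy, not taken from the thread.
SAMPLE_POLICY = """\
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="constructed-sample" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="r1" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <AttributeDesignator AttributeId="role" MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
"""

if __name__ == "__main__":
    for tag, attr, old, new, status in scan_policy(SAMPLE_POLICY):
        print(f"<{tag} {attr}>: {old}\n    {status} candidate: {new}")
```

Identifiers that keep their 1.0 name in XACML 3.0, such as `string-equal` in the sample, are not in the table and are not reported.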