Subject: New draft of Hierarchical Resources
A new draft of the specification sections pertaining to
Hierarchical Resources is attached, both in PDF and MSWord
forms.
Summary
- A new "xpath-expression" DataType is defined. It is a string
that is to be evaluated as an XPath expression.
- I removed attributes for "simple-file-name" and "ufs-path"
because files are now represented as "file:" URIs in a Request
Context. Using either of these Attributes would prevent
policies intended to apply to those files from applying, since
the policies would be written in terms of URIs and not simple
names or paths.
- I removed the "xpath" attribute because ultimately, the
"resource-id" attribute will have to contain the XPath
expression. With the new "xpath-expression" DataType, there is
no ambiguity about how to interpret "resource-id" in this case.
- I created a new section for describing how to request multiple
resources in one Request Context. This is separate from the
Hierarchical Resources section because the multiple resources
requested need not be hierarchical. There are three ways:
"resource-id" Attribute containing XPath expression that
evaluates to multiple nodes, "scope" Attribute, and multiple
<Resource> elements. In each case, these representations are
not evaluated by the PDP and are not visible to policies; they
are always resolved to a sequence of Request Contexts, each of
which specifies exactly one of the requested resources in its
"resource-id" Attribute. There is always one <Result> element
returned for each resource that is requested.
- <ResourceContent> is required if the requested resource is a
node in an XML document.
- Any given resource type must always be represented as an XML
document or never represented as an XML document. This is
because policies written to apply to its XML representation
would not apply if it appeared in a Request in the other
representation, and vice versa.
- The "resource-parent" and "resource-ancestor" Attributes MUST
be available in the Request Context for any type of
hierarchical resource. This allows simple predicates that can
do basic checks without having to support XPath. [Thank you,
Daniel]
- No new functions were needed. "xpath-node-match" is sufficient
for XML resources, and our existing set, bag, and Higher Order
bag functions, along with our existing match functions, are
sufficient for other types of resources.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
Hierarchical Resources draft, pdf format
Hierarchical Resources draft, MSWord format