I'm trying to sum up where I think we stand on the question of Attribute, AttributeDesignator, and AttributeSelector. Does anyone object to the following?

There are just "Attribute"s and "AttributeSelector"s. There is no AttributeDesignator. That is replaced by AttributeSelector.

Attributes are primarily used in the context to convey attribute values, but may also occur in a policy to convey a literal value for matching. The Attribute schema is:

    <xs:complexType name="AttributeType">
      <xs:sequence>
        <xs:element name="AttributeMetaData" type="xacmlContext:AttributeMetaDataType"/>
        <xs:element ref="xacml:AttributeValue" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
    <!-- -->
    <xs:complexType name="AttributeMetaDataType">
      <xs:attribute name="AttributeName" type="xs:string" use="required"/>
      <xs:attribute name="AttributeNamespace" type="xs:anyURI" use="required"/>
      <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
      <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
    </xs:complexType>
    <xs:element name="AttributeValue" type="xs:anyType"/>

An AttributeSelector is used only in a policy (perhaps calling it "RequestValueSelector" would be more intuitive). It is an XPATH into the Request context. We may allow the root of the XPATH to be specified as "Subject", "Resource", "Action", "Other" as a shortcut for "/Request/Subject/", etc.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
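
An added illustration of the selector described in the message above (not part of the original message or of any specification text): it expands the proposed "Subject"/"Resource"/"Action"/"Other" shortcut roots into /Request/... paths and evaluates them against a constructed Request built from the posted Attribute schema, showing that the root keeps a subject "role" apart from a resource attribute of the same name. The namespace-free element layout, the sample attribute names and URNs, and the helper names expand_selector and select_values are assumptions; Python's ElementTree implements only a subset of XPath.

```python
import xml.etree.ElementTree as ET

# Constructed sample Request context. The element layout is an assumption based on
# the AttributeType / AttributeMetaDataType schema in the message (namespaces omitted).
SAMPLE_REQUEST = """
<Request>
  <Subject>
    <Attribute>
      <AttributeMetaData AttributeName="role" AttributeNamespace="urn:example:attrs"
                         Issuer="urn:example:idp"/>
      <AttributeValue>physician</AttributeValue>
      <AttributeValue>researcher</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute>
      <AttributeMetaData AttributeName="role" AttributeNamespace="urn:example:attrs"/>
      <AttributeValue>medical-record</AttributeValue>
    </Attribute>
  </Resource>
</Request>
"""

SHORTCUT_ROOTS = ("Subject", "Resource", "Action", "Other")

# Hypothetical selector body: every value of the attribute named "role".
ROLE_PATH = "Attribute/AttributeMetaData[@AttributeName='role']/../AttributeValue"


def expand_selector(root_hint, relative_path):
    """Expand a shortcut root, e.g. "Subject" -> "/Request/Subject/<relative_path>"."""
    if root_hint not in SHORTCUT_ROOTS:
        raise ValueError(f"unknown selector root: {root_hint!r}")
    return f"/Request/{root_hint}/{relative_path.lstrip('/')}"


def select_values(request_xml, absolute_path):
    """Evaluate an absolute selector path against the Request; return matched text values."""
    root = ET.fromstring(request_xml)
    prefix = "/Request/"
    if root.tag != "Request" or not absolute_path.startswith(prefix):
        raise ValueError("selector must be rooted at /Request/")
    # ElementTree evaluates paths relative to an element, so drop the root step.
    return [el.text for el in root.findall("./" + absolute_path[len(prefix):])]


if __name__ == "__main__":
    for hint in SHORTCUT_ROOTS:
        print(hint, select_values(SAMPLE_REQUEST, expand_selector(hint, ROLE_PATH)))
```

A selector whose root has no matching element in the Request (here "Action" and "Other") returns an empty list rather than raising an error.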