OASIS eXtensible Access Control Markup Language (XACML) TC


RE: [xacml] urn:oasis:names:tc:xacml:1.0:function:present

    Posted 06-28-2004 16:58

    Subject: RE: [xacml] urn:oasis:names:tc:xacml:1.0:function:present


    
    We have to be thorough on treatment of this function. I believe we would
    need four "isPresent" functions, one each for subject, resource, action,
    and environment.
    
    I can see why this function got left in the lurch, but I do believe IT
    IS NEEDED.
    
    I'd rather have a formal way to make decisions based on presence of
    attribute values, instead of relying on forcing ERROR conditions to
    calculate policy decisions.
    
    I believe the "present" functions would have to have multiple arguments,
    to match the semantics of the attribute designators. We would need the URI
    for the attribute id, the datatype, and the issuer.
    
    urn.oasis.....function:subject-attribute-is-present
    
    This function SHALL take four arguments. The first argument is one of
    data-type "...anyURI", which matches by URI equality the subject-category.
    The second argument is one of data-type "...anyURI", which matches by URI
    equality the id of the attribute(s). The third argument is one of data
    type, "...anyURI", which matches by URI equality, the data-type of the
    attribute(s). The fourth argument is a string that matches by string
    equality, the issuer of the attribute, otherwise may contain the string
    value of "*" to match any issuer.
    
    urn.oasis.....function:*-attribute-is-present
            (where * is one of resource, action, or environment)
    
    This function SHALL take arguments. The first argument is one of data-type
    "...anyURI", which matches by URI equality the id of the attribute(s). The
    second argument is one of data type, "...anyURI", which matches by URI
    equality, the data-type of the attribute(s). The third argument is a
    string that matches by string equality, the issuer of the attribute,
    otherwise may contain the string value of "*" to match any issuer.
    
    Did I just make the problem way too hard?
    
    -Polar
    
    
    On Mon, 28 Jun 2004, Tim Moses wrote:
    
    > Colleagues - If we are to retain the function "present", how about this as a
    > definition?
    >
    > urn:oasis:names:tc:xacml:1.0:function:present
    >
    > This function SHALL take one argument of data-type
    > "http://www.w3.org/2001/XMLSchema#anyURI" and SHALL return a
    > "http://www.w3.org/2001/XMLSchema#boolean".  The return value SHALL be
    > "True" if there exists anywhere in the request context an attribute with an
    > attributeId attribute whose value is the same as that of the function
    > argument, according to the
    > urn:oasis:names:tc:xacml:1.0:function:anyURI-equal function.  Otherwise, it
    > SHALL return "False".
    >
    > What do you think?
    >
    > All the best.  Tim.
    >
    >
    >
    >
    >