Hi Tim,
Syntax for variables and variable
references.
Current variable syntax definition needs adjustment
to account for the <condition> element.
I think we should allow variables in target matches
as well. (not yet included).
Two possible alternatives for variable
syntax.
Alt a: <-- my preference ------ Drop
<condition> element and replace it with the <apply> element. This
makes it easy to create variable def and ref. Note that <condition> and <apply> are of the same type, so change is
'harmless'.
The advantage of this approach is simplicity. There
is one element for variable definition and one element for variable
reference.
ex 1a: rule with top-level
<apply>: <rule> <target>...</target> <apply
funcid="string-equal">...</apply> </rule>
ex 2a: variable def is used in top-level
apply: <var-def varid="cond1"> <apply
funcid="string-equal">...</apply> </var-def>
<rule> <target>...</target> <var-ref
varid="cond1"/> </rule>
For the rule to be valid, <var-ref> must
resolve into <apply> element. (which it does). Note that the same
variable definition can be reused in top level <apply> and enclosed
<apply> elements.
Alt b: ------- Keep <condition>
element. In addition to existing <variable-def> and <variable-ref> elements create <cond-var-def> and
<cond-var-ref> elements. Then <cond-var-ref> is allowed as an
alternative to <condition> in a rule.
In addition to having more syntactic elements,
disadvantage of this approach is that <cond-var-def> can not be reused
for <variable-def>.
ex 1b: The same as 2a but variable is defined for
condition:
<cond-def varid="cond1"> <cond
funcid="string-equal">...</cond> </var-def>
<rule> <target>...</target> <cond-ref
varid="cond1"/> </rule>
Syntactic detail. ----------------- Variable
is defined with the <VariableDef> element. Type of the variable defined by <VariableDef> is determined by the type of enclosed
expression. Name of the variable defined by <VariableDef> is the value
of VariableId attribute of type xs:string.
(By derivation from the apply-core-type) Variable
definition can be applied to any combination of <apply>,
<function>, <attr-value>,
<subj-attr-desig>, <res-attr-desig>, <act-attr-desig>,
<env-attr-desig>, <attr-sel>, and <var-ref>
elements.
<xs:element name="VariableDef"
type="xacml:VariableDefType"/> <xs:complexType
name="VariableDefType"> <xs:complexContent> <xs:extension
base="xacml:ApplyCoreType"> <xs:attribute name="VariableId"
type="xs:string"
use="required"/> </xs:extension> </xs:complexContent> </xs:complexType>
VariableId - required. This is variable
name.
Variable is dereferenced with the
<VariableRef> element. Variable name is defined by the value of
VariableId attribute of type xs:string.
<xs:element name="VariableRef"
type="xacml:VariableRefType"/> <xs:complexType
name="VariableRefType"> <xs:attribute name="VariableId"
type="xs:string"/> </xs:complexType>
VariableId - required. This is variable name. Must
resolve to named variable definition.
Alternative
(a): ------------------------ Rule schema: <xs:complexType
name="RuleType"> <xs:sequence> <xs:element
ref="xacml:Description" minOccurs="0"/> <xs:element ref="xacml:Target"
minOccurs="0"/> <xs:choice> <xs:element ref="xacml:Apply"/>
<-- change: <cond> replaced with <apply> <xs:element
ref="xacml:VariableRef"/> <-- new: variable
ref </xs:choice> </xs:sequence> <xs:attribute
name="RuleId" type="xs:anyURI" use="required"/> <xs:attribute
name="Effect" type="xacml:EffectType"
use="required"/> </xs:complexType>
For the rule to be valid, <VariableRef> must
resolve into <apply> element.
Sequence of <VariableDef> elements is
included as a child of <Policy> element following
<PolicyDefaults> element.
Alternative
(b). ------------------------------ Rule schema: <xs:complexType
name="RuleType"> <xs:sequence> <xs:element
ref="xacml:Description" minOccurs="0"/> <xs:element ref="xacml:Target"
minOccurs="0"/> <xs:choice> <xs:element
ref="xacml:Condition"/> <xs:element ref="xacml:CondVarRef"/> <--
new: condition var
reference </xs:choice> </xs:sequence> <xs:attribute
name="RuleId" type="xs:anyURI" use="required"/> <xs:attribute
name="Effect" type="xacml:EffectType"
use="required"/> </xs:complexType>
<CondVarDef> defines condition variable.
Condition variable can be used only for conditions.
<xs:element name="CondVarDef"
type="xacml:CondVarDefType"/> <xs:complexType
name="CondVarDefType"> <xs:sequence> <xs:element
ref="xacml:Condition"/> </xs:sequence> <xs:attribute
name="VariableId" type="xs:string"
use="required"/> </xs:complexType>
VariableId is a name of condition
variable.
Condition variable reference is of
<VariableRefType>: <xs:element name="CondVarRef"
type="xacml:VariableRefType"/>
Condition variable reference must resolve to named
condition variable.
Sequence of choices between <VariableDef> and
<CondVarDef> elements is included as a child of <Policy> element
following <PolicyDefaults> element.
Simon
|