Subject: [xacml] [schema] Proposal for SubjectAttributeDesignator
As I posted a week ago, my preference w.r.t. the semantics for the <Target>
element is to specify <Subjects> and <Subject> in <Target> and not to allow
recursive attribute designators in <Condition>.
http://lists.oasis-open.org/archives/xacml/200208/msg00007.html
A) Expression in Target element
I repeat an example expression used in Anne's mail (a little complicated
example though):
>
>1. at least one Subject has
> AttrA == A AND AttrB == B and AttrC == C
>2. OR at least one Subject has
> AttrE == E
>3. OR at least one Subject has
> AttrD == D
The above expression is represented as follows:
(1) Target expression
<Target>
  <Subjects> <!-- Symbol of the OR semantics on multiple subjects -->
    <Subject> <!-- Symbol of the AND semantics on multiple SubjectMatch -->
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrA" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">A</AttributeValue>
      </SubjectMatch>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrB" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">B</AttributeValue>
      </SubjectMatch>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrC" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">C</AttributeValue>
      </SubjectMatch>
    </Subject>
    <Subject>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrE" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">E</AttributeValue>
      </SubjectMatch>
    </Subject>
    <Subject>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrD" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">D</AttributeValue>
      </SubjectMatch>
    </Subject>
  </Subjects>
</Target>
<Subjects> and <Subject> might be mapped to the functions "OR" and "AND",
respectively. The difference from the pure "OR" and "AND" functions would be
that <Subject> implies that a set of <SubjectMatch> conditions must be
satisfied in one <Subject> element in a request context, not in multiple
<Subject> elements. In (2), I specify a pseudo target expression using "OR"
and "AND" for discussion later.
(2) Pseudo Target expression
<Target>
  <Function FunctionId="function:or"> <!-- this corresponds to Subjects -->
    <Function FunctionId="function:and"> <!-- this corresponds to Subject -->
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrA" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">A</AttributeValue>
      </SubjectMatch>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrB" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">B</AttributeValue>
      </SubjectMatch>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrC" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">C</AttributeValue>
      </SubjectMatch>
    </Function>
    <Function FunctionId="function:and">
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrE" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">E</AttributeValue>
      </SubjectMatch>
    </Function>
    <Function FunctionId="function:and">
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrD" DataType="xs:string"/>
        <AttributeValue DataType="xs:string">D</AttributeValue>
      </SubjectMatch>
    </Function>
  </Function>
</Target>
B) Expression in Condition element
For the expression in the <Condition> element, I would prefer Simon's <where>
approach to the recursive designator specification. But my preference is a more
generic approach. My idea is that <SubjectAttributeDesignator> allows a
<Function> element in it. It specifies any arbitrary logical expression.
However, the semantics of its logical expression is "where", which is used to
verify whether a subject element satisfying the designator really satisfies
the expression below the designator element.
The following <Condition> says "select attrX where ((AttrA='A' & AttrB='B' &
AttrC='C') | AttrE='E' | AttrD='D'), and is the value of attrX equal to
'X'?".
(3) Condition expression
<Condition>
  <Function FunctionId="function:string-equal">
    <SubjectAttributeDesignator AttributeId="attrX" DataType="xs:string">
      <Function FunctionId="function:or"> <!-- From here, the expression is the same as in (2) -->
        <Function FunctionId="function:and">
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrA" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">A</AttributeValue>
          </SubjectMatch>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrB" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">B</AttributeValue>
          </SubjectMatch>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrC" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">C</AttributeValue>
          </SubjectMatch>
        </Function>
        <SubjectMatch MatchId="string-match">
          <SubjectAttributeDesignator AttributeId="AttrE" DataType="xs:string"/>
          <AttributeValue DataType="xs:string">E</AttributeValue>
        </SubjectMatch>
        <SubjectMatch MatchId="string-match">
          <SubjectAttributeDesignator AttributeId="AttrD" DataType="xs:string"/>
          <AttributeValue DataType="xs:string">D</AttributeValue>
        </SubjectMatch>
      </Function>
    </SubjectAttributeDesignator>
    <AttributeValue DataType="xs:string">X</AttributeValue>
  </Function>
</Condition>
The above syntax is the same as the syntax of (2). That is one of the
advantages of this approach. Another advantage is that policy writers can
specify any arbitrary logical expressions below
<SubjectAttributeDesignator>.
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
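The OR-over-<Subject>, AND-within-one-<Subject> semantics of (1)/(2) and the "select attrX where ..." reading of (3), as an added evaluator example that is not from the original post or from the XACML specification; the tuple encoding of expressions, the request contexts and the function names are assumptions made for this example.

```python
"""Added example (not from the original post): an evaluator for the semantics
proposed above. <Subjects> is an OR over <Subject> branches; each <Subject> is
an AND over its <SubjectMatch> elements, all of which must hold for ONE subject
in the request context. The <Condition> form "select attrX where <expr>" reuses
the same expression as a filter. The expression encoding, request contexts and
function names are constructed for this example."""

# A request-context subject is a dict of AttributeId -> value (constructed).
# An expression is ("match", attr, value), ("and", [...]) or ("or", [...]).

def holds(expr, subject):
    """Evaluate one expression against ONE request-context subject."""
    kind = expr[0]
    if kind == "match":   # <SubjectMatch MatchId="string-match">
        return subject.get(expr[1]) == expr[2]
    if kind == "and":     # <Subject>: every match on the same subject
        return all(holds(e, subject) for e in expr[1])
    if kind == "or":      # <Subjects>: any <Subject> branch
        return any(holds(e, subject) for e in expr[1])
    raise ValueError(f"unknown expression kind {kind!r}")

def target_matches(subjects_expr, request_subjects):
    """(1)/(2): the <Target> applies if some request subject satisfies it."""
    return any(holds(subjects_expr, s) for s in request_subjects)

def select_where(attr, where, request_subjects):
    """(3): a designator with a nested 'where' filter yields attr's values
    only from the request subjects that satisfy the filter."""
    return [s[attr] for s in request_subjects if attr in s and holds(where, s)]

def condition_holds(request_subjects):
    """(3) in full: is some attrX value selected by the filter equal to 'X'?"""
    return "X" in select_where("attrX", SUBJECTS_EXPR, request_subjects)

# The post's example, (AttrA&AttrB&AttrC) | AttrE | AttrD, as nested expressions.
SUBJECTS_EXPR = ("or", [
    ("and", [("match", "AttrA", "A"), ("match", "AttrB", "B"),
             ("match", "AttrC", "C")]),
    ("and", [("match", "AttrE", "E")]),
    ("and", [("match", "AttrD", "D")]),
])

# Constructed request: AttrA and AttrB on one subject, AttrC on another. The
# AND must hold within a single subject, so the target does NOT match.
SPLIT_REQUEST = [{"AttrA": "A", "AttrB": "B", "attrX": "X"},
                 {"AttrC": "C", "attrX": "X"}]
# Constructed request: all three attributes on the same subject; it matches.
SINGLE_REQUEST = [{"AttrA": "A", "AttrB": "B", "AttrC": "C", "attrX": "X"}]
```

The SPLIT_REQUEST case is the one the <Subject> element is meant to rule out: three matches spread over two request subjects satisfy a plain AND over the request as a whole but not an AND scoped to one subject.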
From: Anne Anderson <Anne.Anderson@Sun.com>
To: XACML TC <xacml@lists.oasis-open.org>
Subject: [xacml] [schema] One too many OR levels in Target Subject?
Date: 2002/08/03 03:41
Please respond to Anne.Anderson
I think we MAY have defined one too many levels of OR in our
Target Subject syntax.
I believe the following example matches any Request in which
1. at least one Subject has
AttrA == A AND AttrB == B and AttrC == C
2. OR at least one Subject has
AttrE == E
3. OR at least one Subject has
AttrD == D
But 1. and 2. are not at the same level as 3.
<Target>
  <Subjects>
    <Subject>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrA" DataType="xs:string">
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrB" DataType="xs:string">
              <SubjectMatch MatchId="string-match">
                <SubjectAttributeDesignator AttributeId="AttrC" DataType="xs:string">
                  <AttributeValue DataType="xs:string">valueC</AttributeValue>
                </SubjectAttributeDesignator>
              </SubjectMatch>
              <AttributeValue DataType="xs:string">valueB</AttributeValue>
            </SubjectAttributeDesignator>
          </SubjectMatch>
          <AttributeValue DataType="xs:string">valueA</AttributeValue>
        </SubjectAttributeDesignator>
      </SubjectMatch>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrE" DataType="xs:string">
          <AttributeValue DataType="xs:string">valueE</AttributeValue>
        </SubjectAttributeDesignator>
      </SubjectMatch>
    </Subject>
    <Subject>
      <SubjectMatch MatchId="string-match">
        <SubjectAttributeDesignator AttributeId="AttrD" DataType="xs:string">
          <AttributeValue DataType="xs:string">valueD</AttributeValue>
        </SubjectAttributeDesignator>
      </SubjectMatch>
    </Subject>
  </Subjects>
  <Resources>
    <AnyResource/>
  </Resources>
  <Actions>
    <AnyAction/>
  </Actions>
</Target>
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692