OASIS eXtensible Access Control Markup Language (XACML) TC
[xacml] [schema] Proposal for SubjectAttributeDesignator
    Posted 08-12-2002 09:35
    Subject: [xacml] [schema] Proposal for SubjectAttributeDesignator


    
    As I posted a week ago, my preference w.r.t. the semantics of the <Target>
    element is to specify <Subjects> and <Subject> in <Target> and not to allow
    recursive attribute designators in <Condition>.
    http://lists.oasis-open.org/archives/xacml/200208/msg00007.html
    
    A) Expression in Target element
    
    I repeat an example expression used in Anne's mail (a little complicated
    example though)
    >
    >1. at least one Subject has
    >   AttrA == A AND AttrB == B and AttrC == C
    >2. OR at least one Subject has
    >   AttrE == E
    >3. OR at least one Subject has
    >   AttrD == D
    
    The above expression is represented as follows:
    
    (1) Target expression
    
    <Target>
      <Subjects>  <!-- Symbol of the OR semantics on multiple subjects -->
        <Subject> <!-- Symbol of the AND semantics on multiple SubjectMatch elements -->
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrA" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">A</AttributeValue>
          </SubjectMatch>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrB" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">B</AttributeValue>
          </SubjectMatch>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrC" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">C</AttributeValue>
          </SubjectMatch>
        </Subject>
        <Subject>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrE" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">E</AttributeValue>
          </SubjectMatch>
        </Subject>
        <Subject>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrD" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">D</AttributeValue>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    
    
    <Subjects> and <Subject> might be mapped to the functions "OR" and "AND",
    respectively. The difference from the pure "OR" and "AND" functions would be
    that <Subject> implies that the set of <SubjectMatch> conditions must be
    satisfied by one <Subject> element in the request context, not spread over
    multiple <Subject> elements. In (2), I give a pseudo target expression using
    "OR" and "AND" for the discussion later.
    
    (2) Pseudo Target expression
    
    <Target>
      <Function FunctionId="function:or"> <!-- this corresponds to Subjects -->
        <Function FunctionId="function:and"> <!-- this corresponds to Subject -->
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrA" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">A</AttributeValue>
          </SubjectMatch>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrB" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">B</AttributeValue>
          </SubjectMatch>
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrC" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">C</AttributeValue>
          </SubjectMatch>
        </Function>
        <Function FunctionId="function:and">
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrE" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">E</AttributeValue>
          </SubjectMatch>
        </Function>
        <Function FunctionId="function:and">
          <SubjectMatch MatchId="string-match">
            <SubjectAttributeDesignator AttributeId="AttrD" DataType="xs:string"/>
            <AttributeValue DataType="xs:string">D</AttributeValue>
          </SubjectMatch>
        </Function>
      </Function>
    </Target>
    
    B) Expression in Condition element
    
    For the expression in the <Condition> element, I would prefer Simon's <where>
    approach to the recursive designator specification. But my preference is a more
    generic approach. My idea is that <SubjectAttributeDesignator> allows a
    <Function> element inside it. It specifies any arbitrary logical expression.
    However, the semantics of its logical expression is "where": it is used to
    verify whether a subject element satisfying the designator really satisfies
    the expression below the designator element.
    
    The following <Condition> says "select attrX where (AttrA='A' & AttrB='B' &
    AttrC='C') | AttrE='E' | AttrD='D', and is the value of attrX equal to
    'X'?".
    
    (3) Condition expression
    
    <Condition>
      <Function FunctionId="function:string-equal">
        <SubjectAttributeDesignator AttributeId="attrX" DataType="xs:string">
          <Function FunctionId="function:or"> <!-- From here, the expression is the same as in (2) -->
            <Function FunctionId="function:and">
              <SubjectMatch MatchId="string-match">
                <SubjectAttributeDesignator AttributeId="AttrA" DataType="xs:string"/>
                <AttributeValue DataType="xs:string">A</AttributeValue>
              </SubjectMatch>
              <SubjectMatch MatchId="string-match">
                <SubjectAttributeDesignator AttributeId="AttrB" DataType="xs:string"/>
                <AttributeValue DataType="xs:string">B</AttributeValue>
              </SubjectMatch>
              <SubjectMatch MatchId="string-match">
                <SubjectAttributeDesignator AttributeId="AttrC" DataType="xs:string"/>
                <AttributeValue DataType="xs:string">C</AttributeValue>
              </SubjectMatch>
            </Function>
            <SubjectMatch MatchId="string-match">
              <SubjectAttributeDesignator AttributeId="AttrE" DataType="xs:string"/>
              <AttributeValue DataType="xs:string">E</AttributeValue>
            </SubjectMatch>
            <SubjectMatch MatchId="string-match">
              <SubjectAttributeDesignator AttributeId="AttrD" DataType="xs:string"/>
              <AttributeValue DataType="xs:string">D</AttributeValue>
            </SubjectMatch>
          </Function>
        </SubjectAttributeDesignator>
        <AttributeValue DataType="xs:string">X</AttributeValue>
      </Function>
    </Condition>
    
    The above syntax is the same as the syntax of (2). That is one of the
    advantages of this approach. Another advantage is that policy writers can
    specify any arbitrary logical expression below
    <SubjectAttributeDesignator>.
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    Anne Anderson <Anne.Anderson@Sun.com>
    To:       XACML TC <xacml@lists.oasis-open.org>
    cc:
    Subject:  [xacml] [schema] One two many OR levels in Target Subject?
    2002/08/03 03:41
    Please respond to Anne.Anderson
    
    I think we MAY have defined one too many levels of OR in our
    Target Subject syntax.
    
    I believe the following example matches any Request in which
    1. at least one Subject has
       AttrA == A AND AttrB == B and AttrC == C
    2. OR at least one Subject has
       AttrE == E
    3. OR at least one Subject has
       AttrD == D
    
    But 1. and 2. are not at the same level as 3.
    
    <Target>
        <Subjects>
            <Subject>
                <SubjectMatch MatchId="string-match">
                    <SubjectAttributeDesignator AttributeId="AttrA"
                                                DataType="xs:string">
                        <SubjectMatch MatchId="string-match">
                            <SubjectAttributeDesignator
                                                AttributeId="AttrB"
                                                DataType="xs:string">
                                <SubjectMatch MatchId="string-match">
                                    <SubjectAttributeDesignator
                                                AttributeId="AttrC"
                                                DataType="xs:string">
                                        <AttributeValue
                                                DataType="xs:string">
                                            valueC
                                        </AttributeValue>
                                    </SubjectAttributeDesignator>
                                </SubjectMatch>
                                <AttributeValue DataType="xs:string">
                                    valueB
                                </AttributeValue>
                            </SubjectAttributeDesignator>
                        </SubjectMatch>
                        <AttributeValue DataType="xs:string">
                            valueA
                        </AttributeValue>
                    </SubjectAttributeDesignator>
                </SubjectMatch>
                <SubjectMatch MatchId="string-match">
                    <SubjectAttributeDesignator AttributeId="AttrE"
                                                DataType="xs:string">
                        <AttributeValue DataType="xs:string">
                            valueE
                        </AttributeValue>
                    </SubjectAttributeDesignator>
                </SubjectMatch>
            </Subject>
            <Subject>
                <SubjectMatch MatchId="string-match">
                    <SubjectAttributeDesignator AttributeId="AttrD"
                                                DataType="xs:string">
                        <AttributeValue DataType="xs:string">
                            valueD
                        </AttributeValue>
                    </SubjectAttributeDesignator>
                </SubjectMatch>
            </Subject>
        </Subjects>
        <Resources>
            <AnyResource/>
        </Resources>
        <Actions>
            <AnyAction/>
        </Actions>
    </Target>
    
    --
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
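The following is an added example, not code from the XACML TC or from either mail above: a small Python evaluator that implements the semantics Kudo proposes for (1) and (3), so the difference between <Subject> and a plain "AND" can be checked on concrete request contexts. It assumes a request context modelled as a list of subjects, each a dict mapping AttributeId to a string value (a stand-in for the XACML <Request> syntax, which the mail does not show), that "string-match" and "function:string-equal" are plain string equality, and that string-equal over a designator holds if at least one selected value equals the literal; the helper `sm` only builds the <SubjectMatch> text from the mail.

```python
# Added example (not from the XACML TC or the mail above): evaluator for the proposed
# <Target>/<Condition> semantics using ElementTree. Assumptions: a request context is a
# list of subjects, each a dict of AttributeId -> string (not real XACML <Request> syntax);
# "string-match" / "function:string-equal" are plain string equality; string-equal over a
# designator holds if at least one selected value equals the literal.
import xml.etree.ElementTree as ET


def sm(attr, value):
    """XML text of one <SubjectMatch> in the proposed syntax (designator is self-closing)."""
    return (f'<SubjectMatch MatchId="string-match">'
            f'<SubjectAttributeDesignator AttributeId="{attr}" DataType="xs:string"/>'
            f'<AttributeValue DataType="xs:string">{value}</AttributeValue></SubjectMatch>')


# (1) from the mail: <Subjects> = OR over <Subject>, <Subject> = AND over <SubjectMatch>.
TARGET_XML = f"""<Target><Subjects>
  <Subject>{sm('AttrA', 'A')}{sm('AttrB', 'B')}{sm('AttrC', 'C')}</Subject>
  <Subject>{sm('AttrE', 'E')}</Subject>
  <Subject>{sm('AttrD', 'D')}</Subject>
</Subjects></Target>"""

# (3) from the mail: "select attrX where (A & B & C) | E | D, and is attrX equal to 'X'?"
CONDITION_XML = f"""<Condition><Function FunctionId="function:string-equal">
  <SubjectAttributeDesignator AttributeId="attrX" DataType="xs:string">
    <Function FunctionId="function:or">
      <Function FunctionId="function:and">{sm('AttrA', 'A')}{sm('AttrB', 'B')}{sm('AttrC', 'C')}</Function>
      {sm('AttrE', 'E')}{sm('AttrD', 'D')}
    </Function>
  </SubjectAttributeDesignator>
  <AttributeValue DataType="xs:string">X</AttributeValue>
</Function></Condition>"""

TARGET = ET.fromstring(TARGET_XML)
CONDITION = ET.fromstring(CONDITION_XML)


def subject_match(sm_elem, subject):
    """One <SubjectMatch> against ONE request subject: designated attribute == literal."""
    attr = sm_elem.find("SubjectAttributeDesignator").get("AttributeId")
    return subject.get(attr) == sm_elem.find("AttributeValue").text


def target_matches(target, subjects):
    """OR over <Subject> elements; every <SubjectMatch> of a <Subject> must hold for the
    SAME request subject (the point the mail makes about <Subject> vs. a plain AND)."""
    return any(all(subject_match(m, s) for m in se.findall("SubjectMatch"))
               for se in target.find("Subjects").findall("Subject")
               for s in subjects)


def flattened_target_matches(target, subjects):
    """Counter-example: a plain AND that pools the attributes of all request subjects.
    It accepts requests that the proposed <Subject> semantics rejects."""
    pool = {}
    for s in subjects:
        pool.update(s)
    return target_matches(target, [pool])


def where_holds(expr, subject):
    """Evaluate the logical expression nested under a designator for one subject."""
    if expr.tag == "SubjectMatch":
        return subject_match(expr, subject)
    if expr.tag == "Function":
        op = {"function:or": any, "function:and": all}[expr.get("FunctionId")]
        return op(where_holds(child, subject) for child in expr)
    raise ValueError(f"unsupported element {expr.tag}")


def select(designator, subjects):
    """'select <AttributeId> where <expr>': values of subjects satisfying the nested expression."""
    attr = designator.get("AttributeId")
    return [s[attr] for s in subjects
            if attr in s and all(where_holds(e, s) for e in designator)]


def condition_holds(condition, subjects):
    """function:string-equal(designator-with-where, literal), per the assumption above."""
    fn = condition.find("Function")
    assert fn.get("FunctionId") == "function:string-equal"
    literal = fn.find("AttributeValue").text
    return literal in select(fn.find("SubjectAttributeDesignator"), subjects)


# Constructed request contexts for the checks below.
CTX_ONE_SUBJECT = [{"AttrA": "A", "AttrB": "B", "AttrC": "C", "attrX": "X"}]
CTX_SPLIT = [{"AttrA": "A"}, {"AttrB": "B", "AttrC": "C", "attrX": "X"}]  # A,B,C on two subjects
CTX_E = [{"AttrE": "E", "attrX": "Y"}]
CTX_D = [{"AttrD": "D", "attrX": "X"}, {"AttrE": "E"}]

if __name__ == "__main__":
    for name, ctx in [("one", CTX_ONE_SUBJECT), ("split", CTX_SPLIT), ("e", CTX_E), ("d", CTX_D)]:
        print(name, target_matches(TARGET, ctx), flattened_target_matches(TARGET, ctx),
              condition_holds(CONDITION, ctx))
```

The `CTX_SPLIT` context is the case the mail's distinction is about: `target_matches` rejects it because AttrA, AttrB and AttrC are never all on one subject, while `flattened_target_matches`, a plain AND over a pooled attribute set, accepts it. The same <SubjectMatch> tree is reused unchanged under the designator in (3), which is the syntactic reuse the mail cites as an advantage.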