OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Rule element

    Posted 05-02-2003 09:54
    Proposed XACML 1.1 Solution for Obligations in Rule element
    
    Problem Description
    ===================
    
    XACML 1.0 allows a PolicySet and Policy to include Obligations
    element but does not allow a Rule to include it.
    Allowing an Obligations element in Rules could make Policies shorter,
    particularly when each Rule has an identical target description
    but a different condition expression. For more detail, please refer to
    http://lists.oasis-open.org/archives/xacml/200303/msg00006.html
    
    Proposal
    ========
    
    Allow XACML <Rule> elements to contain an <Obligations> element.
    There is no need to define a new schema or a new schema type.
    
    <xs:element name="Rule" type="xacml:RuleType"/>
    <xs:complexType name="RuleType">
          <xs:sequence>
                <xs:element ref="xacml:Description" minOccurs="0"/>
                <xs:element ref="xacml:Target" minOccurs="0"/>
                <xs:element ref="xacml:Condition" minOccurs="0"/>
                <xs:element ref="xacml:Obligations" minOccurs="0"/>
          </xs:sequence>
          <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
          <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
    </xs:complexType>
    
    
    Discussion
    ==========
    
    The XACML TC decided not to have obligations in the rule element to
    avoid any extra complexity in the specification. Actually, allowing
    an Obligations element in Rule does NOT generate more complexity.
    Moreover, there is no need to change the semantics. So, allowing
    obligations in the rule element still keeps the spec at the same
    complexity.
    
    The description of Section 7.11 needs only a minimal
    modification, such that the text changes from "PolicySet and Policy may
    contain one or more obligations" to "PolicySet, Policy and Rule may
    contain one or more obligations".
    
    The description of the combining algorithm needs a minimal addition,
    such as inserting one line of text, "Obligations of the individual
    rules shall be combined as described in Section 7.11.", before
    line 4637.
    
    Since the Obligations element is optional, this extension
    affects only implementations that support obligations specified
    in the current XACML specification.
    
    There had been some discussion about insufficient description
    of the *-combining algorithm, but this extension is orthogonal
    to that argument.
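
The following Python sketch is an added illustration, not part of the original post or of the XACML specification: it shows how a PDP could return rule-level obligations when several rules differ only in their condition. It assumes that a rule's obligations pass up only when the rule applies and its effect equals both the obligation's FulfillOn value and the policy's final decision; the un-namespaced XML, the text-form Condition, the deny-overrides choice and the function names are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): namespaces are omitted and each
# <Condition> is a plain "attribute=value" stand-in for a real expression.
POLICY = """
<Policy PolicyId="ex:policy">
  <Rule RuleId="ex:r1" Effect="Permit">
    <Condition>role=doctor</Condition>
    <Obligations>
      <Obligation ObligationId="ex:log-access" FulfillOn="Permit"/>
    </Obligations>
  </Rule>
  <Rule RuleId="ex:r2" Effect="Deny">
    <Condition>emergency=false</Condition>
    <Obligations>
      <Obligation ObligationId="ex:notify-owner" FulfillOn="Deny"/>
    </Obligations>
  </Rule>
  <Obligations>
    <Obligation ObligationId="ex:audit" FulfillOn="Permit"/>
  </Obligations>
</Policy>
"""

def matching(parent, decision):
    """Obligation ids directly under parent whose FulfillOn equals decision."""
    return [o.get("ObligationId")
            for o in parent.findall("Obligations/Obligation")
            if o.get("FulfillOn") == decision]

def evaluate(policy_xml, request):
    """Return (decision, obligations) using deny-overrides over the rules."""
    policy = ET.fromstring(policy_xml)
    applicable = []
    for rule in policy.findall("Rule"):
        key, _, value = rule.findtext("Condition").partition("=")
        if request.get(key) == value:      # otherwise NotApplicable: skipped
            applicable.append(rule)
    effects = {r.get("Effect") for r in applicable}
    decision = ("Deny" if "Deny" in effects
                else "Permit" if "Permit" in effects else "NotApplicable")
    obligations = []
    for rule in applicable:
        # A rule's obligations pass up only if its effect is the final decision.
        if rule.get("Effect") == decision:
            obligations += matching(rule, decision)
    return decision, obligations + matching(policy, decision)
```

A PEP that enforces obligations would need to handle the rule-level identifiers exactly as it handles policy-level ones, since both arrive in the same list.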