OASIS eXtensible Access Control Markup Language (XACML) TC


AttributeAssignment clarification


    Posted 03-23-2004 18:33

    Subject: AttributeAssignment clarification


    
    [I think I checked on this a while back, but now I can't find the
    message, so I'm checking again.]
    
    The AttributeAssignment tag in Obligation extends AttributeValue. This
    means that it's legal to say
    
      <AttributeAssignment DataType="...:integer"
                           AttributeId="foo">42</AttributeAssignment>
    
    and
    
      <AttributeAssignment DataType="...:string" AttributeId="foo">
        <AttributeValue DataType="...:string">hi</AttributeValue>
      </AttributeAssignment>
    
    Now, a PDP isn't supposed to understand the meaning of the contents of
    the assignment, but because the assignment _is_ an AttributeValue, the
    contents must be able to be parsed and handled as any other value. So, I
    believe that the first form I gave above is correct if you want to
    specify a simple value in an assignment, while the second form should
    only be used if you're specifying complex content for the PEP to
    process. Does that sound right to everyone?
    
    In other words, the DataType XML attribute in AttributeAssignment
    defines the type of the value inside the AttributeAssignment tags,
    exactly as AttributeValue is defined. If you want to then use complex
    content, like AttributeValue, SubjectAttributeDesignator, or anything
    else, then that's fine as long as it's legal by the assignment's
    DataType. By this reasoning, this
    
      <AttributeAssignment DataType="...:integer" AttributeId="foo">
        <AttributeValue DataType="...:integer">42</AttributeValue>
      </AttributeAssignment>
    
    is _illegal_ because the contents of the AttributeAssignment cannot be
    interpreted as an integer.
    
    
    seth
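
The reading proposed in the message above, as an added example that is not part of the original post or of any XACML implementation: a check that parses an AttributeAssignment and decides whether its content can be interpreted as the declared DataType. The helper name `check_assignment` is hypothetical, the samples are constructed from the message's own snippets, and only the type suffix after the elided "...:" prefix is matched.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the three forms from the message, keeping the elided
# "...:" DataType prefix exactly as the page shows it.
SIMPLE = ('<AttributeAssignment DataType="...:integer" '
          'AttributeId="foo">42</AttributeAssignment>')
WRAPPED_STRING = ('<AttributeAssignment DataType="...:string" AttributeId="foo">'
                  '<AttributeValue DataType="...:string">hi</AttributeValue>'
                  '</AttributeAssignment>')
WRAPPED_INTEGER = ('<AttributeAssignment DataType="...:integer" AttributeId="foo">'
                   '<AttributeValue DataType="...:integer">42</AttributeValue>'
                   '</AttributeAssignment>')

INTEGER_LEXICAL = re.compile(r"[+-]?[0-9]+")


def check_assignment(xml_text):
    """Hypothetical helper: (ok, reason) under the reading in the message."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "AttributeAssignment":
        return False, "not an AttributeAssignment"
    # Only the suffix is known; the page elides the rest of the identifier.
    type_name = elem.get("DataType", "").rsplit(":", 1)[-1]
    has_children = len(elem) > 0
    text = (elem.text or "").strip()
    if type_name == "integer":
        if has_children:
            return False, "child elements cannot be interpreted as an integer"
        if not INTEGER_LEXICAL.fullmatch(text):
            return False, "content is not an integer literal"
        return True, "simple integer value"
    if type_name == "string":
        if has_children:
            return True, "complex content, left for the PEP to process"
        return True, "simple string value"
    return False, "DataType not handled in this example"


if __name__ == "__main__":
    for name in ("SIMPLE", "WRAPPED_STRING", "WRAPPED_INTEGER"):
        print(name, check_assignment(globals()[name]))
```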
    
    

