OASIS eXtensible Access Control Markup Language (XACML) TC


Groups - XACML MAP Authorization Profile WD2 modified

  • 1.  Groups - XACML MAP Authorization Profile WD2 modified

    Posted 07-16-2013 05:32
    Document Name : XACML MAP Authorization Profile WD2

    Description

    This is the second draft of the XACML MAP Authorization Profile. The following updates have been made:

    Updated to reflect changes in the TNC MAP Content Authorization v31 specification.
    Added figure 2
    Added definitions to Glossary
    Added Non-Normative Reference
    Added subject task attribute
    Added attribute examples
    Removed resource delete-metadata-by-other-client attribute
    Added resource purge-own-metadata attribute

    The XACML MAP Authorization Profile is the result of the collaboration between the TCG TNC MAP working group and the OASIS XACML technical committee.

    The TNC MAP provides access control to metadata and constrains which operations an IF-MAP client can perform. The TNC MAP authorization model defines the use of an XACML Policy Decision Point (PDP) when making MAP access control decisions. This profile describes attributes for such decisions between the MAP server and the XACML PDP.

    Submitter : Mr. Richard Hill
    Group : OASIS eXtensible Access Control Markup Language (XACML) TC
    Folder : Specifications and Working Drafts
    Date submitted : 2013-07-15 22:26:53
    Revision : 0


  • 2.  Re: [xacml] Groups - XACML MAP Authorization Profile WD2 modified

    Posted 07-25-2013 04:57
    Hi Richard,

    Here are some comments on WD2 of the MAP Authorization Profile.

    Line 51 - The word "for" is duplicated.

    Lines 114-115 - XACML attributes must have at least one attribute value, so "or an empty bag" is not an option.

    Lines 285-293 - The wording here is a bit clunky because it's not an attribute but a family of attributes being defined. Sections 2.1.2 and 2.2.7 do it slightly better. "Example URN values for this attribute are" should read something like "Example URNs for the AttributeId of attributes in the Metadata-Attribute family are", otherwise it gives the impression that these are XACML attribute values.

    A number of resource attributes have the requirement that they "MUST be present in a decision request". This precludes them being provided by a PIP. Is this an acceptable restriction in the context of MAP? If not, then "MUST be present in the request context" would be more lenient.

    Several of the attribute URNs in section 4.1 denote families of attribute identifiers but there's no indication of this except for urn:oasis:names:tc:xacml:3.0:if-map:content:resource:IDENTIFIER-TYPE:identifier-attribute:ATTR. The other extensible URNs should be shown in a similar fashion. Italicizing or otherwise distinguishing the extensible bits would be a good idea.

    Your list of committee members is out of date.

    Regards,
    Steven
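The two XACML points raised in the reply above (every Attribute in a request must carry at least one AttributeValue, and "MUST be present in a decision request" means the attribute cannot be left for a PIP to fetch) can be turned into a pre-PDP request check. The following is an added example written for this page; it is not code from the profile, the TC, or either poster. The XACML 3.0 namespace and category URNs are the standard ones; the sample request, the `required_in_request` set, and the `ip-address` / `value` choices for the IDENTIFIER-TYPE and ATTR slots of the section 4.1 family URN are constructed for illustration and are not values defined by the profile.

```python
# Added example (not from the profile or the thread): checks on an XACML 3.0
# <Request> that follow from the two points in the reply above. The sample
# request and the hypothetical AttributeIds below are constructed.
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

# The MAP identifier-attribute family from section 4.1 of the profile.
# IDENTIFIER-TYPE and ATTR are the extensible parts of the URN; the regex
# captures them so a reader can see which part of the URN is variable.
IDENTIFIER_ATTR_FAMILY = re.compile(
    r"^urn:oasis:names:tc:xacml:3\.0:if-map:content:resource:"
    r"(?P<identifier_type>[^:]+):identifier-attribute:(?P<attr>[^:]+)$"
)


def family_parts(attribute_id):
    """Return (IDENTIFIER-TYPE, ATTR) if attribute_id is in the family, else None."""
    m = IDENTIFIER_ATTR_FAMILY.match(attribute_id)
    return (m.group("identifier_type"), m.group("attr")) if m else None


def request_attributes(request_xml):
    """Yield (category, AttributeId, [values]) for every Attribute in the request."""
    root = ET.fromstring(request_xml)
    for attrs in root.findall("x:Attributes", NS):
        for attr in attrs.findall("x:Attribute", NS):
            values = [v.text or "" for v in attr.findall("x:AttributeValue", NS)]
            yield attrs.get("Category"), attr.get("AttributeId"), values


def check_request(request_xml, required_in_request=frozenset()):
    """Return a list of problems; an empty list means the request is acceptable.

    - every Attribute must carry at least one AttributeValue (an XACML request
      cannot express an empty bag);
    - AttributeIds in required_in_request must be in the decision request
      itself, i.e. they may not be deferred to a PIP.
    """
    problems = []
    present = set()
    for category, attribute_id, values in request_attributes(request_xml):
        present.add(attribute_id)
        if not values:
            problems.append(f"{attribute_id} in {category}: no AttributeValue")
    for attribute_id in sorted(set(required_in_request) - present):
        problems.append(f"{attribute_id}: required in the decision request but absent")
    return problems


# Constructed sample request. "ip-address" and "value" are hypothetical
# IDENTIFIER-TYPE / ATTR choices used only to exercise the checks; the last
# Attribute deliberately has no AttributeValue.
SAMPLE_REQUEST = f"""<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">map-client-17</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:if-map:content:resource:ip-address:identifier-attribute:value" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.0.2.10</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:empty" IncludeInResult="false"/>
  </Attributes>
</Request>"""

if __name__ == "__main__":
    for problem in check_request(SAMPLE_REQUEST, {"urn:example:required-but-absent"}):
        print(problem)
```

Running the block reports the attribute with no value and the required attribute that is missing from the request. The `required_in_request` set is where a deployment would list the resource attributes the profile marks "MUST be present in a decision request"; attributes not in that set can still be resolved later by a PIP, which is the more lenient "request context" reading suggested above.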