OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

  • 1.  Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

    Posted 10-17-2002 17:20
    
    This sentence means exactly what it says. If the selector or
    designator evaluates to an empty bag, then there is no match, i.e. the
    match "predicate" is False.
    
    The match predicate is akin to asking, "Do you have one or more of any
    subject ids that match 'john.*'?" If you have none, then False; if you have
    at least one, then True.
    
    This is a composition of three functions: an Attribute Designator, i.e.
    "Get me all subject ids", a match filter, i.e. "that match 'john.*'", and a
    length predicate, "length > 0".
    
    Regardless of the match filter, if you have zero elements to start with,
    you will end up with zero elements after you apply the match filter, and
    therefore, vacuously, you don't have a match.
    
    Cheers,
    -Polar
    
    
    
    On Thu, 17 Oct 2002, Anne Anderson wrote:
    
    > ------- start of forwarded message -------
    > From: Seth Proctor <seth.proctor@sun.com>
    >
    > After a careful re-read of section A.11, I've decided that most of the text
    > looks fine. The one sentence I've got problems with is in Paragraph 3, lines
    > 3459-3461:
    >
    >   If the <AttributeDesignator> or <AttributeSelector> element evaluates
    >   to an empty bag, then the result of the expression SHALL be "False".
    >
    > It seems to me that an empty bag only happens if you can't resolve a value
    > for the attribute in question...could this actually mean something else? The
    > only thing I could think of is an Attribute in the Request that matched but
    > had no AttributeValues in it (this strikes me as a weird case, but since it's
    > allowed, this is possible). If this is the case being described, then this
    > should be explained so it's clear. If this is not the case, then isn't an
    > empty bag really an Indeterminate case? There isn't much discussion elsewhere
    > about what exactly AD/AS objects are expected to return, so maybe more text
    > in section 5 would help clarify this situation.
    >
    > I'm also a little uneasy about the language because it borders on defining
    > programming interfaces, but I don't want to propose alternate language until
    > I understand what's really being described here. What does this sentence mean?
    >
    > seth
    > ------- end of forwarded message -------
    >
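The three-function composition described in the reply above, as an added example that is not part of the original message or of any XACML implementation. The request layout, the attribute id `subject-id`, the function names and the whole-value regex anchoring are assumptions made for illustration.

```python
import re

# Constructed request contexts (hypothetical attribute ids and values).
REQUESTS = {
    "match":       {"subject-id": ["alice", "john.smith"]},
    "no_match":    {"subject-id": ["alice", "bob"]},
    "empty_value": {"subject-id": []},  # attribute present, no AttributeValues
    "absent":      {},                  # attribute cannot be resolved at all
}

def attribute_designator(request, attribute_id):
    """'Get me all subject ids': always returns a bag (list), possibly empty."""
    return list(request.get(attribute_id, []))

def match_filter(bag, pattern):
    """Keep the bag elements that match the pattern.
    Assumption: whole-value regex match; the thread does not specify anchoring."""
    rx = re.compile(pattern)
    return [value for value in bag if rx.fullmatch(value)]

def non_empty(bag):
    """The length predicate: length > 0."""
    return len(bag) > 0

def target_match(request, attribute_id, pattern):
    """Designator, then match filter, then length predicate."""
    bag = attribute_designator(request, attribute_id)
    return non_empty(match_filter(bag, pattern))

def evaluate_all(pattern=r"john.*"):
    """Evaluate the match predicate against every constructed request."""
    return {name: target_match(req, "subject-id", pattern)
            for name, req in REQUESTS.items()}

def empty_bag_never_matches(patterns):
    """An empty bag stays empty under any filter, so the predicate is False
    even for a pattern such as '.*' that accepts every value."""
    return not any(target_match(REQUESTS[name], "subject-id", p)
                   for name in ("empty_value", "absent") for p in patterns)

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:12} -> {result}")
    print("empty bag never matches:", empty_bag_never_matches([r".*", r"john.*"]))
```

In this sketch the `empty_value` and `absent` requests both produce an empty bag and are indistinguishable to the predicate, which is the distinction the forwarded message asks about.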
    
    

