OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] predicates and predicate expr within context


    Posted 05-20-2002 04:05
    Subject: [xacml] predicates and predicate expr within context


    Predicates and predicate expressions with context.
     
    The only issue we have to clarify is the use of attributes and
    attribute designators in predicates and predicate expressions.
     
    saml:Attribute will be replaced with xacml:Attribute. That's all that
    needs to be done for attributes.
     
    Attribute designators require a little more work, because an attribute
    designator has to be explicit about where it is pointing.
     
    1) One way to do explicit pointing is to have distinct element declarations
    for subject-attribute-designator, resource-attribute-designator, and
    other-attribute-designator. Each of these designators will implicitly
    point to a different portion of the request context. Advantage: simplicity.
     
    2) Another way to do pointing is to declare one attribute-designator
    element but include an additional '@kind' attribute in its type with values
    (subject|resource|other). It is also simple, but I think (1) is better XML.
     
    3) Have a 'selector' element that uses an arbitrary XPath expression to point
    into the context.
     
    My preference is to have both (1) (simplicity) and (3) (flexibility).
     
    Here is a simplified version of the xacml attribute designator (4):
     
    <xs:complexType name="AttributeDesignatorType">
       <xs:sequence>
          <xs:element ref="xacml:Holder" minOccurs="0"/>
       </xs:sequence>
       <xs:attribute name="AttributeName" type="xs:string"/>
       <xs:attribute name="AttributeFamily" type="xs:string"/>
    </xs:complexType>
     
    Schema for (1): Separate designator declarations, all of type (4)
    <xs:element name="SubjectAttributeDesignator" type="xacml:AttributeDesignatorType"/>
    <xs:element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
    <xs:element name="OtherAttributeDesignator" type="xacml:AttributeDesignatorType"/>
     
    Use:
    <Rule Ruleid="urn:rule1">
       ....
       <Conditions>
          <greater>
             <SubjectAttributeDesignator AttributeName="RequestedMembershipLevel"
                AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
             <SubjectAttributeDesignator AttributeName="MembershipLevel"
                AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
          </greater>
       </Conditions>
    </Rule>
     
    Schema for (2): @kind attribute in designator - (4) extended with 1 attr
    <xs:complexType name="AttributeDesignatorType">
    ...
       <xs:attribute name="kind" type="xacml:AttributeDesignatorKindType"/>
    </xs:complexType>
     
    Use:
    <Rule Ruleid="urn:rule1">
       ....
       <Conditions>
          <greater>
             <AttributeDesignator
                 kind="subject" AttributeName="RequestedMembershipLevel"
                 AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
             <AttributeDesignator
                kind="subject" AttributeName="MembershipLevel"
                AttributeFamily="www.oasis-open.org/catalyst2002/attributes"/>
          </greater>
       </Conditions>
    </Rule>
     
    Schema for (3): 'selector' with xpath
    <xs:complexType name="AttributeSelectorType">
       <xs:simpleContent>
          <xs:extension base="xs:string"/>
       </xs:simpleContent>
    </xs:complexType>
    <xs:element name="AttributeSelector" type="xacml:AttributeSelectorType"/>
     
    Use:
    <Rule Ruleid="urn:rule1">
       ...
       <Conditions>
          <greater>
             <!-- Attribute is in the x: namespace as well; an unprefixed step
                  would name an element in no namespace and match nothing -->
             <AttributeSelector xmlns:x="www.oasis-open.org/xacml">
                /x:RequestContext/x:ContextSubject/x:Attribute
                [@AttributeName="RequestedMembershipLevel"]
                [@AttributeFamily="www.oasis-open.org/catalyst2002/attributes"]
             </AttributeSelector>
             <AttributeSelector xmlns:x="www.oasis-open.org/xacml">
                /x:RequestContext/x:ContextSubject/x:Attribute
                [@AttributeName="MembershipLevel"]
                [@AttributeFamily="www.oasis-open.org/catalyst2002/attributes"]
             </AttributeSelector>
          </greater>
       </Conditions>
    </Rule>
     
    Simon Godik
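The three designator styles above, resolved against a request context, as an added example (this is not code from the message or from the XACML TC): a small Python resolver that reads options (1) and (2) by context section and option (3) by XPath, then evaluates the rule's <greater> condition. The section names ContextSubject, ContextResource and ContextOther, attribute values carried as element text, the sample context itself, and the Indeterminate result when a designator does not yield exactly one value are assumptions made for this example.

```python
# Added example; section names, text-valued attributes and the Indeterminate rule are assumptions.
import re
import xml.etree.ElementTree as ET

XACML_NS = "www.oasis-open.org/xacml"          # namespace URI used in the message
NS = {"x": XACML_NS}
# Options (1)/(2): the designator kind fixes which part of the context is read.
SECTION_FOR_KIND = {"subject": "ContextSubject",
                    "resource": "ContextResource",
                    "other": "ContextOther"}

# Constructed request context (sample input, not taken from the page).
REQUEST_CONTEXT = """\
<x:RequestContext xmlns:x="www.oasis-open.org/xacml">
  <x:ContextSubject>
    <x:Attribute AttributeName="RequestedMembershipLevel" AttributeFamily="www.oasis-open.org/catalyst2002/attributes">3</x:Attribute>
    <x:Attribute AttributeName="MembershipLevel" AttributeFamily="www.oasis-open.org/catalyst2002/attributes">2</x:Attribute>
  </x:ContextSubject>
  <x:ContextResource>
    <x:Attribute AttributeName="MembershipLevel" AttributeFamily="www.oasis-open.org/catalyst2002/attributes">5</x:Attribute>
  </x:ContextResource>
</x:RequestContext>
"""
FAMILY = "www.oasis-open.org/catalyst2002/attributes"

class Indeterminate(Exception):
    """A designator or selector did not resolve to exactly one attribute value."""

def _single(values, what):
    if len(values) != 1:
        raise Indeterminate(f"{what} matched {len(values)} attributes, expected 1")
    return values[0]

def resolve_designator(root, kind, name, family):
    """Options (1) and (2): the kind, whether taken from the element name or from
    @kind, selects the context section; name and family select the attribute."""
    section = SECTION_FOR_KIND.get(kind)
    if section is None:
        raise Indeterminate(f"unknown designator kind {kind!r}")
    hits = [a.text for a in root.findall(f"./x:{section}/x:Attribute", NS)
            if a.get("AttributeName") == name and a.get("AttributeFamily") == family]
    return _single(hits, f"{kind} designator {name}")

_FIRST_STEP = re.compile(r"^/(?:(\w+):)?(\w+)(?=/|$)")

def resolve_selector(root, xpath, nsmap=NS):
    """Option (3): an absolute XPath into the context. ElementTree evaluates only
    relative paths, so the first step is checked against the context root and the
    rest is evaluated from there. Whitespace outside quotes is dropped so the
    multi-line layout used in the message is accepted."""
    path = re.sub(r'\s+(?=(?:[^"]*"[^"]*")*[^"]*$)', "", xpath)
    m = _FIRST_STEP.match(path)
    if not m:
        raise Indeterminate(f"selector must start with an absolute step: {xpath!r}")
    prefix, local = m.groups()
    uri = nsmap.get(prefix, "") if prefix else ""
    if root.tag != (f"{{{uri}}}{local}" if uri else local):
        raise Indeterminate(f"selector root {local!r} is not the context root")
    rest = path[m.end():]
    try:
        hits = [a.text for a in root.findall("." + rest, nsmap)] if rest else [root.text]
    except SyntaxError as e:              # unknown prefix or malformed step
        raise Indeterminate(f"bad selector {xpath!r}: {e}") from None
    return _single(hits, f"selector {path}")

def greater(left, right):
    """The message's <greater> predicate: numeric comparison. Non-numeric text is
    Indeterminate rather than silently False."""
    try:
        return int(left) > int(right)
    except (TypeError, ValueError):
        raise Indeterminate(f"non-numeric operands {left!r}, {right!r}") from None

def demo():
    """Evaluate the rule's condition under each designator style."""
    root = ET.fromstring(REQUEST_CONTEXT)
    out = {}
    # (1)/(2): the two SubjectAttributeDesignator / kind="subject" operands
    out["designator"] = greater(
        resolve_designator(root, "subject", "RequestedMembershipLevel", FAMILY),
        resolve_designator(root, "subject", "MembershipLevel", FAMILY))
    # Same name and family, different kind: the kind is what disambiguates them.
    out["resource_vs_subject"] = greater(
        resolve_designator(root, "resource", "MembershipLevel", FAMILY),
        resolve_designator(root, "subject", "MembershipLevel", FAMILY))
    # (3): the selectors laid out as in the message, with the Attribute step prefixed
    sel = """/x:RequestContext/x:ContextSubject/x:Attribute
             [@AttributeName="%s"]
             [@AttributeFamily="%s"]"""
    out["selector"] = greater(
        resolve_selector(root, sel % ("RequestedMembershipLevel", FAMILY)),
        resolve_selector(root, sel % ("MembershipLevel", FAMILY)))
    # An unprefixed Attribute step names an element in no namespace, which the
    # context does not hold; the PDP must report Indeterminate, not a quiet miss.
    try:
        resolve_selector(root, '/x:RequestContext/x:ContextSubject/Attribute'
                               '[@AttributeName="MembershipLevel"]')
        out["unprefixed"] = "resolved"
    except Indeterminate:
        out["unprefixed"] = "indeterminate"
    return out

if __name__ == "__main__":
    print(demo())
```

The selector path is the flexible option and also the one that needs the most checking: the resolver refuses a path whose first step is not the context root, turns an unknown prefix or a match count other than one into Indeterminate, and only then hands the value to greater, so a mistyped namespace cannot quietly turn into a comparison against nothing.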
     