Predicates and predicate expressions with context.
The only issue we have to clarify is the use of attributes and attribute designators in predicates and predicate expressions.
saml:Attribute will be replaced with xacml:Attribute. That's all that needs to be done for attributes.
Attribute designators require a little more work, because an attribute designator has to be explicit about where it is pointing.
1) One way to do explicit pointing is to have distinct element declarations for subject-attribute-designator, resource-attribute-designator, and other-attribute-designator. Each of these designators will implicitly point to a different portion of the request context. Advantage: simplicity.
2) Another way to do pointing is to declare one attribute-designator element but include an additional '@kind' attribute in its type with values (subject|resource|other). It is also simple, but I think (1) is better xml.
3) Have a 'selector' element that will use an arbitrary xpath expression to point into the context.
My preference is to have both (1) (simplicity) and (3) (flexibility).
Here is a simplified version of the xacml attribute designator:

  <xs:complexType name="AttributeDesignatorType">                    (4)
    <xs:sequence>
      <xs:element ref="xacml:Holder" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="AttributeName" type="xs:string"/>
    <xs:attribute name="AttributeFamily" type="xs:string"/>
  </xs:complexType>

Schema for (1): Separate designator declarations

  <element name="SubjectAttributeDesignator" type="xacml:AttributeDesignatorType"/>
  <element name="ResourceAttributeDesignator" type="xacml:AttributeDesignatorType"/>
  <element name="OtherAttributeDesignator" type="xacml:AttributeDesignatorType"/>

Schema for (2): @kind attribute in designator - (4) extended with 1 attr

  <complexType name="AttributeDesignatorType">
    ...
    <!-- AttributeDesignatorKindType: enumeration of subject|resource|other -->
    <attribute name="kind" type="xacml:AttributeDesignatorKindType"/>
  </complexType>

Schema for (3): 'selector' with xpath

  <complexType name="AttributeSelector">
    <simpleContent>
      <extension base="xs:string"/>
    </simpleContent>
  </complexType>
Simon Godik
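Added example, not part of Simon's message or of the XACML schema itself: a small Python resolver that evaluates the three designator forms discussed above against a request context. The context layout (Request/Subject, Request/Resource, Request/Other, each holding Attribute elements with AttributeName, AttributeFamily and AttributeValue children), the @kind values and the sample policy fragments are constructed here for illustration. It shows the point behind options (1) and (2): the designator's kind, not the policy author, fixes which portion of the context is read, so a subject designator asking for a resource attribute yields nothing; the selector of option (3) is resolved as a path from the context root and is the one form whose reach a policy engine has to bound.

```python
import xml.etree.ElementTree as ET

# Constructed sample request context (assumed layout, not the XACML schema's own).
REQUEST_CONTEXT = """
<Request>
  <Subject>
    <Attribute AttributeName="role" AttributeFamily="urn:example:rbac">
      <AttributeValue>auditor</AttributeValue>
    </Attribute>
    <Attribute AttributeName="role" AttributeFamily="urn:example:rbac">
      <AttributeValue>viewer</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeName="classification" AttributeFamily="urn:example:res">
      <AttributeValue>confidential</AttributeValue>
    </Attribute>
  </Resource>
  <Other>
    <Attribute AttributeName="hour" AttributeFamily="urn:example:env">
      <AttributeValue>14</AttributeValue>
    </Attribute>
  </Other>
</Request>
"""

# Constructed policy fragments, one per designator form: (1) tag-named designators,
# (2) a single AttributeDesignator with @kind, (3) an XPath AttributeSelector.
POLICY_DESIGNATORS = """
<Predicates>
  <SubjectAttributeDesignator AttributeName="role" AttributeFamily="urn:example:rbac"/>
  <AttributeDesignator kind="resource" AttributeName="classification"/>
  <AttributeSelector>.//Other/Attribute[@AttributeName='hour']/AttributeValue</AttributeSelector>
  <SubjectAttributeDesignator AttributeName="classification"/>
</Predicates>
"""

# Each designator kind is bound to exactly one portion of the request context.
KIND_TO_SECTION = {"subject": "Subject", "resource": "Resource", "other": "Other"}


def designate(context, kind, attribute_name, attribute_family=None):
    """Options (1)/(2): collect the values of every Attribute in the section
    implied by the designator kind whose name (and family, if given) match."""
    section = context.find(KIND_TO_SECTION[kind])
    if section is None:
        return []
    values = []
    for attr in section.findall("Attribute"):
        if attr.get("AttributeName") != attribute_name:
            continue
        if attribute_family is not None and attr.get("AttributeFamily") != attribute_family:
            continue
        values.extend(v.text for v in attr.findall("AttributeValue"))
    return values


def select(context, xpath):
    """Option (3): resolve the selector's path against the context root.
    ElementTree's ElementPath is a small XPath subset; a real PDP would use a
    full XPath engine, and should still evaluate relative to the context only."""
    return [node.text for node in context.findall(xpath)]


def resolve(context, designator):
    """Dispatch on the schema form of one designator element from a policy."""
    tag = designator.tag
    if tag == "AttributeSelector":                        # option (3)
        return select(context, designator.text.strip())
    if tag == "AttributeDesignator":                      # option (2): kind is an attribute
        kind = designator.get("kind")
    elif tag.endswith("AttributeDesignator"):             # option (1): kind is the element name
        kind = tag[: -len("AttributeDesignator")].lower()
    else:
        raise ValueError(f"unknown designator element {tag}")
    if kind not in KIND_TO_SECTION:
        raise ValueError(f"unknown designator kind {kind!r}")
    return designate(context, kind, designator.get("AttributeName"),
                     designator.get("AttributeFamily"))


def evaluate_sample(context_xml=REQUEST_CONTEXT, policy_xml=POLICY_DESIGNATORS):
    """Resolve every designator in the policy fragment; returns one value list each."""
    ctx = ET.fromstring(context_xml)
    return [resolve(ctx, d) for d in ET.fromstring(policy_xml)]


if __name__ == "__main__":
    for result in evaluate_sample():
        print(result)
```

The last designator in the policy fragment asks the subject section for "classification" and gets an empty list, which is the property options (1) and (2) buy: the portion of the context a designator can read is fixed by its kind. The selector has no such bound, so an engine that adopts (3) should pin the evaluation root to the request context, as select() does by resolving against the parsed context element rather than an arbitrary document.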