OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

    Posted 10-18-2002 11:36

    On Fri, 18 Oct 2002, Anne Anderson wrote:
    
    > On 17 October, Polar Humenn writes: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.
    >  > This sentence means exactly what it says. If the selector or
    >  > designator evaluates to an empty bag, then there is no match, i.e. the
    >  > match "predicate" is False.
    >
    > Isn't this in direct contradiction to your proposed text for
    > "7.4.2.2 Missing Attributes":
    >
    >     7.4.2.2 Missing Attributes
    >
    >     The PDP SHALL consider an attribute as missing if it
    >     evaluates an expression that requires at least one value to
    >     be present from an attribute designator or selector.
    
    No,
    
    This says if the PDP "evaluates an expression that requires at least one
    value to be present"
    
    Such an example would be
    
    <Apply FunctionId="string-one-and-only">
        <AttributeDesignator
            AttributeId="urn:...:name"
            DataType="xs:string"/>
    </Apply>
    
    
    >     In this
    >     case, the expression evaluates to "indeterminate". The PDP
    >     may carry the missing attribute upward in its indeterminate
    >     value in accordance with the XACML evaluation strategy of the
    >     encompassing expressions, rules, policies, and policy
    >     sets. If the PDP evaluates its policy or policy set to
    >     Indeterminate with a missing attribute, the PDP MAY list the
    >     AttributeId and DataType of that attribute in the result as
    >     described in Section 7.5 "Authorization decision".  However,
    >     the PDP MAY choose not to issue such information due to
    >     security concerns.
    >
    > Anne
    > --
    > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    > Sun Microsystems Laboratories
    > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
    > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    >
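
Added example, not part of the original message and not code from any XACML implementation: a small Python model of the distinction drawn above, where an empty bag in a target match yields False while a function that requires a value (modelled on the `string-one-and-only` example) yields Indeterminate carrying the missing attribute. The `urn:example:*` ids, the rule itself and the `disclose_missing` switch are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Designator:
    attribute_id: str
    data_type: str

@dataclass(frozen=True)
class Indeterminate:
    missing: Optional[Designator]  # None when no attribute is to blame

# Hypothetical attribute ids, constructed for this example.
ROLE = Designator("urn:example:role", "xs:string")
NAME = Designator("urn:example:name", "xs:string")

def resolve(d, request):
    """Bag of values for a designator; an absent attribute gives an empty bag."""
    return list(request.get((d.attribute_id, d.data_type), []))

def target_match(d, literal, request):
    """Target match: an empty bag is simply no match (False), never an error."""
    return any(v == literal for v in resolve(d, request))

def one_and_only(d, request):
    """Needs exactly one value; an empty bag makes the attribute 'missing'."""
    bag = resolve(d, request)
    if len(bag) == 1:
        return bag[0]
    return Indeterminate(missing=d if not bag else None)

def evaluate_rule(request):
    if not target_match(ROLE, "employee", request):
        return "NotApplicable"
    name = one_and_only(NAME, request)
    if isinstance(name, Indeterminate):
        return name  # carried upward unchanged
    return "Permit" if name == "alice" else "NotApplicable"

def decide(request, disclose_missing=True):
    """PDP result; the missing attribute is listed only if policy allows it."""
    outcome = evaluate_rule(request)
    if not isinstance(outcome, Indeterminate):
        return {"decision": outcome}
    result = {"decision": "Indeterminate"}
    if disclose_missing and outcome.missing is not None:
        m = outcome.missing
        result["missing"] = {"AttributeId": m.attribute_id, "DataType": m.data_type}
    return result
```

With `disclose_missing=False` the caller learns only that the decision is Indeterminate, which corresponds to the PDP choosing not to issue the attribute details.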
    
    

