I propose that the "occurs" requirements on the following elements (from v0.13b.xsd) be changed. Note that the default for both minOccurs and maxOccurs is "1". PolicySetStatementType element <policySet> Now: maxOccurs="unbounded" Proposed: default Why: a <policySet> can contain multiple policy statements or policy set statements, but why should a single PolicySetStatement contain more than one <policySet>? Same argument applies to <ruleSet> in a policy statement. PolicySetStatementType element <target> Now: default Proposed: minOccurs="0" Why: if PolicySetStatement applies to ALL targets, then it would be simpler to allow <target> to be omitted, and have missing <target> have the semantic "matches all targets". PolicyStatementType element <target> Now: default Proposed: minOccurs="0" Why: if PolicyStatement applies to ALL targets, then it would be simpler to allow <target> to be omitted, and have missing <target> have the semantic "matches all targets". PolicyStatementType element <ruleSet> Now: maxOccurs="unbounded" Proposed: default Why: a <ruleSet> can contain multiple rules, but why should a PolicyStatement contain more than one <ruleSet>? There are no attributes or other information in a <ruleSet> that might be different from one collection to another. TargetType element <subjects> Now: default Proposed: minOccurs="0" Why: if the <target> applies to ALL subjects, it would be simpler to allow <subjects> to be omitted, and have missing <subjects> have the semantic "matches all subjects". Note that SubjectsType currently requires at least one Attribute, so there is currently no way to omit all subjects. TargetType element <resources> Now: default Proposed: minOccurs="0" Why: if the <target> applies to ALL resources, it would be simpler to allow <resources> to be omitted, and have missing <resources> have the semantic "matches all resources". Note that ResourcesType currently requires at least one Attribute, so there is currently no way to omit all resources. TargetType element <actions> Now: default Proposed: minOccurs="0" Why: if the <target> applies to ALL actions, it would be simpler to allow <actions> to be omitted, and have missing <actions> have the semantic "matches all actions". Note that ActionsType currently requires at least one Action, so there is currently no way to omit all actions. Anne -- Anne H. Anderson Email:
Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692