OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Request and Response Context Schemas - Take 2

    Posted 06-04-2002 16:46
I have modified Simon's proposed schemas according to my proposed ContextPrincipals definition. I have also made the following further changes based on comments from my group here and from the concalls. This has NOT been run through a validator.

- SimplePrincipal is now just Principal.

- ContextResource has been expanded to ContextResources, comparable to the expansion of Principal/ContextPrincipal to ContextPrincipals. I think Michiharu suggested that we may want to allow for multiple resources, and I think it is also a good idea.

- I added a saml:IDType attribute to the RequestContext and the ResponseContext. This is so that a response decision can be matched against a specific request.

- ContextActions is now an element under a Resource. If we ever expect to have multiple resources, we need to know which actions go with which resource, and this makes that association.

- AttributeFamily is eliminated, and AttributeName is type="xs:anyURI".

- Issuer, IssueInstant attributes are made optional.

- AbstractPrincipal is eliminated. In its place, a PrincipalID element is defined to hold the ways of identifying a given principal, either in a Principal or in an Attribute.

- HolderType is eliminated. It is now PrincipalID.

Polar, I don't think we are ready to define ComplexPrincipalType. I left a place-holder for it, but I think it needs a lot more discussion. The sequence of role-identified Principals is an attempt to deal with what we know now.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

<?xml version="1.0" encoding="UTF-8"?>
<!-- Title: Proposed Request and Response Context Schemas -->
<!-- Version: 1.1, 02/06/04 (yy/mm/dd) -->
<!-- Author: Anne Anderson -->
<!-- Source: /home/aa74233/docs/XACML/SCCS/s.ReqRespContextSchema.txt -->
<xs:schema targetNamespace="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xacml="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
           elementFormDefault="qualified" attributeFormDefault="unqualified">
  <!-- saml:IDType is used below for RequestID. The saml prefix is assumed to bind to the
       SAML 1.0 assertion namespace, which has to be imported for the reference to resolve. -->
  <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
  <!-- -->
  <xs:element name="RequestContext" type="xacml:RequestContextType"/>
  <xs:complexType name="RequestContextType">
    <xs:sequence>
      <xs:element ref="xacml:ContextPrincipals"/>
      <xs:element ref="xacml:ContextResources"/>
      <xs:element ref="xacml:ContextOther"/>
    </xs:sequence>
    <!-- IDType must be unique identifier -->
    <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="ResponseContext" type="xacml:ResponseContextType"/>
  <xs:complexType name="ResponseContextType">
    <xs:choice>
      <xs:element ref="xacml:Permit"/>
      <xs:element ref="xacml:Deny"/>
      <xs:element ref="xacml:Indeterminate"/>
    </xs:choice>
    <!-- RequestID must be copied from the request context for which this is the response. -->
    <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
  <xs:complexType name="ContextPrincipalsType">
    <xs:choice>
      <!--xs:element ref="xacml:ComplexPrincipal" minOccurs="1" maxOccurs="1"/-->
      <xs:element ref="xacml:Principal" minOccurs="1" maxOccurs="unbounded"/>
    </xs:choice>
  </xs:complexType>
  <!-- -->
  <xs:element name="Principal" type="xacml:PrincipalType"/>
  <xs:complexType name="PrincipalType">
    <xs:sequence>
      <xs:element ref="xacml:PrincipalID" minOccurs="0" maxOccurs="1"/>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <!-- PrincipalType examples: j2se:CodeSource xacml:RequestingUser -->
    <xs:attribute name="PrincipalType" type="xs:anyURI" use="required"/>
  </xs:complexType>
  <!-- -->
  <!--xs:element name="ComplexPrincipal" type="xacml:ComplexPrincipalType"/-->
  <!--xs:complexType name="ComplexPrincipalType"-->
  <!-- Not yet defined: a relational tree structure of Principal -->
  <!--/xs:complexType-->
  <!-- -->
  <xs:element name="PrincipalID" type="xacml:PrincipalIDType"/>
  <xs:complexType name="PrincipalIDType">
    <xs:choice>
      <xs:element ref="xacml:NameIdentifier"/>
      <!-- did we agree on the 'ds:key' here? -->
      <!--xs:element ref="ds:KeyInfo"/-->
    </xs:choice>
  </xs:complexType>
  <!-- -->
  <xs:element name="NameIdentifier" type="xacml:NameIdentifierType"/>
  <xs:complexType name="NameIdentifierType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="Format" type="xs:anyURI" use="required"/>
        <xs:attribute name="NameQualifier" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="AnyURI" type="xs:anyURI"/>
  <!-- -->
  <xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType"/>
  <xs:complexType name="AttributeDesignatorType">
    <xs:sequence>
      <!-- Holder is the PrincipalID element value when Attribute is used in a Principal -->
      <xs:element ref="xacml:Holder" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="AttributeName" type="xs:anyURI" use="required"/>
    <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
    <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
    <xs:attribute name="AttributeLocator" type="xs:string" use="optional"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="Holder" type="xacml:PrincipalIDType"/>
  <!-- -->
  <xs:element name="Attribute" type="xacml:AttributeType"/>
  <xs:complexType name="AttributeType">
    <xs:complexContent>
      <xs:extension base="xacml:AttributeDesignatorType">
        <xs:sequence>
          <xs:element ref="xacml:AttributeValue"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
  <xs:complexType name="AttributeValueType">
    <xs:sequence>
      <xs:any maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:element name="ContextResources" type="xacml:ContextResourcesType"/>
  <xs:complexType name="ContextResourcesType">
    <xs:choice>
      <!--xs:element ref="xacml:ComplexResource" minOccurs="1" maxOccurs="1"/-->
      <xs:element ref="xacml:Resource" minOccurs="1" maxOccurs="unbounded"/>
    </xs:choice>
  </xs:complexType>
  <!-- -->
  <xs:element name="Resource" type="xacml:ResourceType"/>
  <xs:complexType name="ResourceType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceSpecifier" maxOccurs="1"/>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="xacml:Action" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <!--xs:element name="ComplexResource" type="xacml:ComplexResourceType"/-->
  <!--xs:complexType name="ComplexResourceType"-->
  <!-- Not yet defined: a relational tree structure of Resource -->
  <!--/xs:complexType-->
  <!-- -->
  <xs:element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
  <xs:complexType name="ResourceSpecifierType">
    <xs:sequence>
      <xs:element ref="xacml:ResourceContent" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="ResourceContent" type="xacml:ResourceContentType"/>
  <xs:complexType name="ResourceContentType">
    <xs:sequence>
      <xs:any maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:element name="Action" type="xs:string"/>
  <!-- -->
  <xs:element name="ContextOther" type="xacml:ContextOtherType"/>
  <xs:complexType name="ContextOtherType">
    <xs:sequence>
      <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:complexType name="DecisionType">
    <xs:attribute name="ResourceName" type="xs:anyURI"/>
    <xs:attribute name="Action" type="xs:anyURI"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="Permit" type="xacml:EffectDecisionType"/>
  <xs:element name="Deny" type="xacml:EffectDecisionType"/>
  <xs:complexType name="EffectDecisionType">
    <xs:complexContent>
      <xs:extension base="xacml:DecisionType">
        <xs:sequence>
          <xs:element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="Obligation" type="xacml:ObligationType"/>
  <xs:complexType name="ObligationType">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="ObligationName" type="xs:anyURI"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="Indeterminate" type="xacml:IndeterminateType"/>
  <xs:complexType name="IndeterminateType">
    <xs:complexContent>
      <xs:extension base="xacml:DecisionType">
        <xs:sequence>
          <xs:element ref="xacml:Advice" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="Advice" type="xacml:AdviceType"/>
  <xs:complexType name="AdviceType">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="AdviceName" type="xs:anyURI"/>
  </xs:complexType>
</xs:schema>
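A worked example, added here and not part of Anne Anderson's post, of the correlation the RequestID attribute is meant to support: a PEP-side routine that accepts a ResponseContext only when its RequestID matches the outstanding RequestContext, then decodes the Permit/Deny/Indeterminate choice and the Obligation or Advice elements it carries. The instance documents, the req-0001 identifier and the urn:example URIs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Target namespace of the draft context schema in the post above.
NS = "http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
X = "{%s}" % NS
DECISIONS = tuple(X + d for d in ("Permit", "Deny", "Indeterminate"))

# Constructed sample RequestContext: one Principal identified by a NameIdentifier,
# one Resource carrying the Action it is to be accessed with.
REQUEST = f"""<RequestContext xmlns="{NS}" RequestID="req-0001">
  <ContextPrincipals>
    <Principal PrincipalType="urn:example:xacml:RequestingUser">
      <PrincipalID><NameIdentifier Format="urn:example:email">alice@example.org</NameIdentifier></PrincipalID>
    </Principal>
  </ContextPrincipals>
  <ContextResources>
    <Resource>
      <ResourceSpecifier ResourceURI="urn:example:resource:ledger"/>
      <Action>read</Action>
    </Resource>
  </ContextResources>
  <ContextOther/>
</RequestContext>"""

# Constructed sample ResponseContext: a Permit carrying one Obligation, with the
# RequestID copied from the request it answers.
RESPONSE = f"""<ResponseContext xmlns="{NS}" RequestID="req-0001">
  <Permit ResourceName="urn:example:resource:ledger" Action="read">
    <Obligation ObligationName="urn:example:obligation:log-access"/>
  </Permit>
</ResponseContext>"""

def correlate(request_xml, response_xml):
    """Return (decision, obligation_names, advice_names) for a response to this request.

    Raises ValueError when the RequestIDs differ or the response does not carry exactly
    one decision element, so the PEP fails closed instead of enforcing a stray decision.
    """
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    if req.get("RequestID") is None or req.get("RequestID") != resp.get("RequestID"):
        raise ValueError("ResponseContext RequestID does not match the RequestContext")
    decisions = [c for c in resp if c.tag in DECISIONS]
    if len(decisions) != 1:
        raise ValueError("ResponseContext must carry exactly one of Permit/Deny/Indeterminate")
    d = decisions[0]
    obligations = [o.get("ObligationName") for o in d.findall(X + "Obligation")]
    advice = [a.get("AdviceName") for a in d.findall(X + "Advice")]
    return d.tag[len(X):], obligations, advice
```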