OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  List of pending issues (backlog)?

    Posted 07-19-2023 23:54
    Hello all,

    I have (re)joined the XACML TC recently, and as I have a few issues to add to the TC’s “backlog” for later discussion, I am looking for a place in the TC workspace where you keep track of pending issues. Is there such a place? I’ve seen the “Wishlist” page on the wiki but it seems quite old.

    To give an idea, some issues of interest to me:

    1) Changes to XACML core spec:
       a. Backward-compatible / non-breaking changes:
          i. Add <VariableReference> as third choice in Target <Match> (in addition to AttributeDesignator, AttributeSelector)
          ii. Add <VariableDefinition>s as optional elements in <PolicySet> and <Rule> (like in <Policy>)
          iii. Support JsonPath evaluation in <AttributeDesignator>, by adding optional attribute ‘contentType’ (for example) = ‘JSON’ or ‘XML’ (‘XML’ is the default value), to indicate whether the <Content> must be processed as ‘JSON’ object instead of XML, and the ‘Path’ handled as JsonPath according to this draft RFC: https://datatracker.ietf.org/doc/draft-ietf-jsonpath-base/ . For this one, it may be safer to wait for it to become an IETF standard. But it’s good to anticipate.
       b. Breaking/non-backward-compatible changes to XACML core spec, therefore to be considered rather for XACML 4.0:
          i. XSD simplification: replace Obligation/Advice(Expression) elements with one PepAction(Expression) element and an XML attribute required=’true’ (for Obligation) or ‘false’ (for Advice)

    2) New profiles:
       a. YAML Profile of XACML: for writing XACML policies in YAML.

    Kind regards,
    Cyril

    From: xacml@lists.oasis-open.org <xacml@lists.oasis-open.org> On Behalf Of William Parducci
    Sent: Wednesday 19 July 2023 00:54
    To: XACML TC <xacml@lists.oasis-open.org>
    Subject: [xacml] Proposed Agenda 19 July, 2023 TC Meeting

    Time: 4:30 PM EDT (UTC-4)
    Tel: 1-267-807-9601 Access Code: 620-103-760

    Proposed agenda 25 May 2023 TC meeting

    I. Roll Call & Minutes
       Approve Minutes 25 May 2023 TC Meeting
       https://lists.oasis-open.org/archives/xacml/202305/msg00005.html

    II. Administrivia
       Home Page clean-up
       https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
       OASIS event announcements
       https://lists.oasis-open.org/archives/xacml/202307/msg00000.html

    III. Issues
       Separation of Duties
       b


  • 2.  Re: [xacml] List of pending issues (backlog)?

    Posted 07-20-2023 23:52
    Note to everyone: Cyril's original message went to my spam folder and it seems to be a common experience. Mark it as not spam if you see the same thing.

    Hi Cyril,

    On 20/07/2023 9:53 am, DANGERVILLE Cyril wrote:

    > Hello all,
    > I have (re)joined the XACML TC recently, and as I have a few issues to add to the TC’s “backlog” for later discussion, I am looking for a place in the TC workspace where you keep track of pending issues. Is there such a place? I’ve seen the “Wishlist” page on the wiki but it seems quite old.

    That page would be the place. We have been remiss in keeping it up to date. Feel free to refresh it.

    > To give an idea, some issues of interest to me:
    > 1) Changes to XACML core spec:
    > a. Backward-compatible / non-breaking changes:
    > i. Add <VariableReference> as third choice in Target <Match> (in addition to AttributeDesignator, AttributeSelector)

    I would like to go further and let the Target have a full Expression. The difference between Target and Condition is supposedly to facilitate policy (set) indexing. However, I've found that some functions allowed in a target are impractical to index while many things allowed in a Condition, but not in a Target, are eminently indexable. I actually build indexes over both the Target and Condition so the difference between their expressiveness is more a hindrance than a help.

    > ii. Add <VariableDefinition>s as optional elements in <PolicySet> and <Rule> (like in <Policy>)

    Yes for PolicySet. It does raise the question of the scope of the variable definition. Does it only apply to embedded policy sets, policies and rules, or does it also apply to referenced policy sets and policies? I don't mind whether rules have variable definitions.

    More generally I would like to have the option of variable definitions as free-floating global constructs that can be referenced from any rule, policy or policy set, perhaps with a top-level import statement in the rule, policy or policy set to signal the dependency and enable the referencing.

    > iii. Support JsonPath evaluation in <AttributeDesignator>, by adding optional attribute ‘contentType’ (for example) = ‘JSON’ or ‘XML’ (‘XML’ is the default value), to indicate whether the <Content> must be processed as ‘JSON’ object instead of XML, and the ‘Path’ handled as JsonPath according to this draft RFC: https://datatracker.ietf.org/doc/draft-ietf-jsonpath-base/ . For this one, it may be safer to wait for it to become an IETF standard. But it’s good to anticipate.

    Obviously you mean <AttributeSelector>. Since we now have a JSON profile, providing support for JSONPath makes sense.

    > b. Breaking/non-backward-compatible changes to XACML core spec, therefore to be considered rather for XACML 4.0:
    > i. XSD simplification: replace Obligation/Advice(Expression) elements with one PepAction(Expression) element and an XML attribute required=’true’ (for Obligation) or ‘false’ (for Advice)

    Yes. It would save duplicating code to process two things that are almost, but not quite, the same structure. It could be done in XACML 3.0 by adding an Optional attribute to Obligation and deprecating the use of Advice.

    > 2) New profiles:
    > a. YAML Profile of XACML: for writing XACML policies in YAML.

    I don't object to a YAML representation for policies, but I would prefer to see a JSON representation first (or at the same time).

    Regards,
    Steven

    > Kind regards,
    > Cyril
    >
    > From: xacml@lists.oasis-open.org <xacml@lists.oasis-open.org> On Behalf Of William Parducci
    > Sent: Wednesday 19 July 2023 00:54
    > To: XACML TC <xacml@lists.oasis-open.org>
    > Subject: [xacml] Proposed Agenda 19 July, 2023 TC Meeting
    >
    > Time: 4:30 PM EDT (UTC-4)
    > Tel: 1-267-807-9601 Access Code: 620-103-760
    >
    > Proposed agenda 25 May 2023 TC meeting
    >
    > I. Roll Call & Minutes
    >    Approve Minutes 25 May 2023 TC Meeting
    >    https://lists.oasis-open.org/archives/xacml/202305/msg00005.html <https://lists.oasis-open.org/archives/xacml/202303/msg00004.html>
    >
    > II. Administrivia
    >    Home Page clean-up
    >    https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
    >    OASIS event announcements
    >    https://lists.oasis-open.org/archives/xacml/202307/msg00000.html
    >
    > III. Issues
    >    Separation of Duties
    >    b
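
An added illustration of the Obligation/Advice point discussed in the thread (not code from either poster or from the TC): a PEP that reads a standard XACML 3.0 response and handles both element kinds through one code path, with a `required` flag carrying the only behavioural difference. The `PepAction` class, the handler registry and the `urn:example` identifiers are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STR = "http://www.w3.org/2001/XMLSchema#string"
# Constructed XACML 3.0 response; the urn:example IDs are made up.
SAMPLE_RESPONSE = f"""<Response xmlns="{NS['x']}"><Result>
  <Decision>Permit</Decision>
  <Obligations><Obligation ObligationId="urn:example:obligation:audit">
    <AttributeAssignment AttributeId="urn:example:level" DataType="{STR}">high</AttributeAssignment>
  </Obligation></Obligations>
  <AssociatedAdvice><Advice AdviceId="urn:example:advice:notify"/></AssociatedAdvice>
</Result></Response>"""

@dataclass(frozen=True)
class PepAction:            # hypothetical unified shape, named after the proposal
    action_id: str
    required: bool          # True for Obligation, False for Advice
    assignments: tuple      # ((AttributeId, value), ...)

def pep_actions(response_xml):
    """Return (decision, [PepAction]) for the first Result in a response."""
    result = ET.fromstring(response_xml).find("x:Result", NS)
    actions = []
    for path, id_attr, required in (
            ("x:Obligations/x:Obligation", "ObligationId", True),
            ("x:AssociatedAdvice/x:Advice", "AdviceId", False)):
        for el in result.findall(path, NS):
            pairs = tuple((a.get("AttributeId"), (a.text or "").strip())
                          for a in el.findall("x:AttributeAssignment", NS))
            actions.append(PepAction(el.get(id_attr), required, pairs))
    return result.findtext("x:Decision", namespaces=NS), actions

def enforce(decision, actions, handlers):
    """Deny-biased PEP: Permit only if every required action is discharged."""
    if decision != "Permit":
        return "Deny"
    for act in actions:
        try:
            handlers[act.action_id](dict(act.assignments))
        except Exception:   # unknown ID (KeyError) or handler failure
            if act.required:
                return "Deny"   # an obligation that cannot be fulfilled blocks access
            # advice that is unknown or fails may be safely ignored
    return "Permit"
```

The security-relevant behaviour is in `enforce`: an unrecognised or failing obligation turns a Permit into a Deny, while the same condition on advice does not.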