OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] [CR] Target Match Semantics Section 4 & 5

    Posted 08-28-2002 17:46


    Subject: [xacml] [CR] Target Match Semantics Section 4 & 5


    
    Greetings,
    
    The semantics for the Target need to be updated. It doesn't seem to
    describe how "Match" or "No-Match" are derived. The document mentions
    logical-AND and logical-OR, and they are not defined for Match and
    No-Match. Also, we need to resolve the discovery and issue of the
    inconsistency between the evaluation of Target and Condition with respect
    to Indeterminate and NotApplicable, now that we are making progress on the
    "functions" document.
    
    I feel that if we refer to the Target evaluations with the same semantics
    as Condition, we can leverage the use of True, False, and Indeterminate
    that we have already defined, and then we can use the notions of
    conjunctive sequence and disjunctive sequence as combinators of our
    boolean values (true, false, indeterminate) with the normative
    specifications of our functions "function:and" and "function:or" for the
    combining rules. This will take care of the normative handling of error
    conditions in the evaluation logic.
    
    When the XACML Data Types, Functions, and Semantics gets put in the
    document, I suggest making the following changes. Some changes are
    editorial.
    
    Note: There is some issue about <Target> and <Condition> where they say
    that they can possibly be "empty", but I'm not sure if that means "omitted"
    (i.e. minOccurs="0"), or <Target/>, or <Condition/>.
    
    Cheers,
    -Polar
    
    
    4.3.1 Rule
    
    I suggest changing the list to the order of
    
    o  a Target,
    o  a Condition, and
    o  an Effect
    
    to keep consistent with the description of the model and the rule
    evaluation semantics. (effect was before condition).
    
    4.3.1.1 Rule Target
    
    [Change the following:]
    If the rule is intended to apply to all entities of a particular type,
    then an empty element named <AnySubject/>, <AnyResource/> or <AnyAction/>
    is used.
    
    [should be:]
    
    If the rule is intended to apply to all entities of a particular type,
    then an empty element named <AnySubject/>, <AnyResource/> and <AnyAction/>
    is used, or the <Target> element is completely omitted.
    
    Add the following:
    
    ---
    The evaluation of the <Target> evaluates each of the <Subjects>,
    <Resources>, and <Actions> elements as specified. These results are
    combined as if the "function:and" were applied to them. Therefore, the
    result of the <Target> evaluation is "true", "false", or "indeterminate".
    The <AnySubject/>, <AnyResource/>, and <AnyAction/> are each
    considered vacuously "true".
    ---
    
    4.3.1.3 Condition
    
    I think we need a different description:
    
    Change
    ---
    Condition is a general expression of predicates of attributes.  It should
    not duplicate the exact predicates implied by the target.  Therefore, it
    may be empty.
    ---
    to
    --
    <Condition> is a boolean expression that refines the applicability of the
    rule beyond the predicates implied by the target.  In the case where
    <Condition> is not present in the rule, it is considered vacuously "true".
    
    A <Condition> should not duplicate the predicates implied by the <Target>,
    with the exception of the case where the <Target> specifies any subject,
    resource, and action, and the <Condition> is not present.
    --
    
    4.3.1.4 Rule evaluation
    
    A rule has a value that can be calculated by evaluating its contents.
    Rule evaluation involves separate evaluation of the rule's target and
    condition. The results of the rule's target and condition are combined as
    if the "function:and" were applied to both results.
    
    The rule truth table is shown in Table 1.
    
    Target        Condition         Rule
    True           True             Effect
    True           False            Not Applicable
    True           Indeterminate    Indeterminate
    False          True             Not Applicable
    False          False            Not Applicable
    False          Indeterminate    Indeterminate
    Indeterminate  True             Indeterminate
    Indeterminate  False            Indeterminate
    Indeterminate  Indeterminate    Indeterminate
    
    	Table 1 - Rule truth table
    
    [The subsequent 2 paragraphs after the table are no longer true, and
    should be removed.]
    
    Section 5 (NORMATIVE)
    
    [Since this section is normative, I suggest that we define "disjunctive
    sequence" and "conjunctive sequence" for use throughout the section. Add
    the following:]
    
    In this section the policy syntax and its evaluation semantics are
    described. This section uses the following terminology:
    
    A "disjunctive sequence" is a sequence of boolean elements that are
    combined using the semantics of the "function:or" XACML standard function.
    
    A "conjunctive sequence" is a sequence of boolean elements that are
    combined using the semantics of the "function:and" XACML standard
    function.
    
    
    5.4 Target
    
    [Change the paragraph to:]
    
    For the purposes of matching, the <Subjects>, <Resources>, and <Actions>
    children of the <Target> element are evaluated as specified below, and
    the results are combined as a conjunctive sequence.
    
    The <Subjects>, <Resources>, and <Actions> elements are each considered a
    disjunctive sequence of <Subject>, <Resource>, and <Action> elements
    respectively.
    
    Because the <Target> is effectively a conjunctive sequence of disjunctive
    sequences, for the parent of the <Target> element to be applicable to the
    decision request, at least one <Subject>, one <Resource>, and one <Action>
    MUST match the corresponding elements in the <xacml-context:Request>
    element.
    
    The <Target> element is of TargetType complex type.
    
     [and the rest is fine]
    
    5.5 Subject
    
    [ Change the first paragraph to: ]
    
    The <Subjects> element is a child of the <Target> element and is a wrapper
    for the disjunctive sequence of <Subject> elements.  The <Subjects>
    element is combined as a conjunctive sequence with the other children of
    the <Target> element.
    
    5.6 Element Subject
    
    [Remove the Note about conjunctive sequence]
    
    
    5.8 Element Resources
    
    [Change the first paragraph to: ]
    
    The <Resources> element is a child of the <Target> element and is a
    wrapper for the disjunctive sequence of <Resource> elements.  The
    <Resources> element is combined as a conjunctive sequence with the other
    children of the <Target> element.
    
    5.11 Element Actions
    
    [ Change first paragraph to: ]
    
    The <Actions> element is a child of the <Target> element and is a wrapper
    for the disjunctive sequence of the <Action> elements.  The <Actions>
    element is combined as a conjunctive sequence with the other children of
    the <Target> element.
    
    5.17 Element Rule
    
    [Make the following change ^^^^^^^ function->expression]
    
    <Condition> [optional]
    A predicate that MUST be satisfied for the rule to be assigned its Effect
    value.  A condition is a boolean function over a combination of subject,
                                     ^^^^^^^^
                                     expression
    resource and environment attributes or other functions.
    
      [[QUESTION: Shouldn't the rule evaluation table go here
                 in the normative  part?]]
    
    5.19 Element <Condition>
    
    The <Condition> element is a boolean function over subject, resource,
                                         ^^^^^^^^
                                         expression
    action and environment attributes or functions of attributes.  If the
    <Condition> element evaluates to "True", then the enclosing <Rule> element
    is assigned its Effect value.
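The Target and Rule evaluation semantics proposed in this message, worked through in code as an added example (it is not part of the original message nor code from the XACML specification). The three-valued combinators assume that Indeterminate propagates through both "function:and" and "function:or", which is what Table 1 above requires (False combined with Indeterminate yields Indeterminate). The dict-based policy and request model, the `ANY` marker standing in for `<AnySubject/>`, `<AnyResource/>` and `<AnyAction/>`, the `office_hours` condition and all sample request values are constructed for this example.

```python
"""Three-valued Target / Condition / Rule evaluation (constructed example)."""
from enum import Enum
from typing import Dict, Iterable, Optional

class Tri(Enum):
    TRUE = "true"
    FALSE = "false"
    INDETERMINATE = "indeterminate"

def function_and(values: Iterable[Tri]) -> Tri:
    """Conjunctive sequence. Assumed semantics, matching Table 1 above:
    any Indeterminate -> Indeterminate; else all True -> True; else False.
    An empty sequence is vacuously True."""
    vals = list(values)
    if any(v is Tri.INDETERMINATE for v in vals):
        return Tri.INDETERMINATE
    return Tri.TRUE if all(v is Tri.TRUE for v in vals) else Tri.FALSE

def function_or(values: Iterable[Tri]) -> Tri:
    """Disjunctive sequence, same assumption: Indeterminate propagates."""
    vals = list(values)
    if any(v is Tri.INDETERMINATE for v in vals):
        return Tri.INDETERMINATE
    return Tri.TRUE if any(v is Tri.TRUE for v in vals) else Tri.FALSE

ANY = None  # models <AnySubject/>, <AnyResource/>, <AnyAction/>: vacuously true
Attrs = Dict[str, object]
Request = Dict[str, Attrs]
# (target section, request category) pairs; names are this example's own
SECTIONS = (("subjects", "subject"), ("resources", "resource"), ("actions", "action"))

def match_element(required: Attrs, present: Attrs) -> Tri:
    """One <Subject>/<Resource>/<Action>: every required attribute must be present
    with the expected value. A missing attribute is modelled as an evaluation
    error and therefore yields Indeterminate (assumption of this example)."""
    def one(name: str, expected: object) -> Tri:
        if name not in present:
            return Tri.INDETERMINATE
        return Tri.TRUE if present[name] == expected else Tri.FALSE
    return function_and(one(n, e) for n, e in required.items())

def evaluate_target(target: Optional[dict], request: Request) -> Tri:
    """<Target> = conjunctive sequence of <Subjects>, <Resources>, <Actions>;
    each of those = disjunctive sequence of its children. An omitted <Target>
    (None) and each Any* section are vacuously True."""
    if target is None:
        return Tri.TRUE
    def section(name: str, category: str) -> Tri:
        children = target.get(name, ANY)
        if children is ANY:
            return Tri.TRUE
        present = request.get(category, {})
        return function_or(match_element(child, present) for child in children)
    return function_and(section(n, c) for n, c in SECTIONS)

def decide(combined: Tri, effect: str) -> str:
    """Map the combined Target/Condition value to the rule result of Table 1."""
    if combined is Tri.TRUE:
        return effect
    if combined is Tri.FALSE:
        return "NotApplicable"
    return "Indeterminate"

def evaluate_rule(rule: dict, request: Request) -> str:
    target = evaluate_target(rule.get("target"), request)
    condition = rule.get("condition")
    cond = condition(request) if condition else Tri.TRUE  # absent -> vacuously true
    return decide(function_and([target, cond]), rule["effect"])

def rule_truth_table() -> Dict[tuple, str]:
    """Regenerates Table 1: (target, condition) -> rule result."""
    return {(t.value, c.value): decide(function_and([t, c]), "Effect")
            for t in Tri for c in Tri}

# --- constructed sample policy and requests ---------------------------------
def office_hours(request: Request) -> Tri:
    """Constructed <Condition>: true between 08:00 and 18:00; missing hour -> error."""
    hour = request.get("environment", {}).get("hour")
    if hour is None:
        return Tri.INDETERMINATE
    return Tri.TRUE if 8 <= int(hour) < 18 else Tri.FALSE

SAMPLE_RULE = {
    "effect": "Permit",
    "target": {
        "subjects": [{"role": "doctor"}, {"role": "nurse"}],  # disjunctive
        "resources": ANY,                                     # <AnyResource/>
        "actions": [{"action-id": "read"}],
    },
    "condition": office_hours,
}

def sample_request(role: Optional[str], action: str = "read",
                   hour: Optional[int] = 9) -> Request:
    """Constructed decision request; role=None omits the subject attribute."""
    subject: Attrs = {"role": role} if role is not None else {}
    env: Attrs = {"hour": hour} if hour is not None else {}
    return {"subject": subject, "resource": {"resource-id": "chart"},
            "action": {"action-id": action}, "environment": env}

if __name__ == "__main__":
    for t, c in ((r.value, s.value) for r in Tri for s in Tri):
        print(f"{t:14}{c:14}{rule_truth_table()[(t, c)]}")
    print(evaluate_rule(SAMPLE_RULE, sample_request("doctor")))
```

Running the block prints Table 1 and then the decision for a doctor reading a chart at 09:00. The interesting cases are the error paths: a request with no role attribute makes the subject match Indeterminate, and that value survives the conjunctive sequence and the rule decision; a clerk (target False) with a missing environment hour (condition Indeterminate) is also Indeterminate rather than NotApplicable, which is exactly the row of Table 1 that differs from ordinary short-circuit logic.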
    
    
    

