OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Review of 6. Context Syntax section

  • 1.  [xacml] Review of 6. Context Syntax section

    Posted 08-20-2002 18:54
    I have attached an edited version of the section, containing numerous grammatical, explanatory, and consistency changes that I do not think are controversial. Following are some Change Requests representing substantive issues I encountered in this section.

    Change Request 1: Add mandatory action-id attribute

    Create a reserved attribute identifier "urn:oasis:names:tc:xacml:1.0:action:action-id". Make inclusion of an <Attribute> with AttributeId of this identifier mandatory under the <Action> element of the <Request> context. Change minOccurs for <Attribute> under <Action> to 1.

    Rationale: We had previously decided that <Action> would have a single string value that would be the action id. Now we need a specific AttributeId for this. This is consistent with the way resource-id is handled. It provides a consistent, interoperable way of specifying the action. The <DataType> of the <Attribute> can specify whether the action value is a string or URI.

    Change Request 2: Add optional action-namespace attribute

    Create a reserved attribute identifier "urn:oasis:names:tc:xacml:1.0:action:action-namespace". Make inclusion of an <Attribute> with AttributeId of this identifier optional under the <Action> element of the <Request> context.

    Rationale: We previously decided that an <Action> value might be associated with a specific namespace, and that an XML attribute was needed to express this.

    Change Request 3: Add optional action:implied-action identifier

    Create a reserved identifier "urn:oasis:names:tc:xacml:1.0:action:implied-action" to represent the value of an action that is implied by the <Resource>.

    Rationale: We have agreed to this concept, but have not reserved an identifier for it.

    Change Request 4: Change <Result> ResourceURI attribute to ResourceId

    Rationale: Since the Request <Resource> identifier is now called resource-id, and can be of any data type, the <Result> should be consistent.

    Change Request 5: Add missing-attribute identifier for StatusCode

    Rationale: We have values for ok, processing-error, and syntax-error. Although we discussed the use case for missing attributes extensively, we have not defined a standard identifier for this status.

    Change Request 6: Make context Resource Attribute minoccurs=1

    Current value is minOccurs=0 maxOccurs=unbounded. Change this to minOccurs=1 maxOccurs=unbounded.

    Rationale: Since Resource MUST contain a resource-id attribute, minimum value should be 1.

    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692

    Attachment: ContextSyntax.doc
    Description: Edited Section 6. Context Syntax
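The following is an added example, not part of the original post or of the XACML specification: a small check that a request context satisfies the cardinality rules proposed in Change Requests 1 and 6. The element layout (`AttributeId` as an XML attribute, `<AttributeValue>` children), the full resource-id URN, the function names and both sample requests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET  # sample input is trusted; harden parsing for untrusted XML

ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Assumption: the post says "resource-id" without giving the full identifier.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

def local(tag):
    """Drop any '{namespace}' prefix so the check is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1]

def attribute_ids(elem):
    return [c.get("AttributeId") for c in elem if local(c.tag) == "Attribute"]

def check_request(xml_text):
    """Return a list of violations of Change Request 1 (Action) and 6 (Resource)."""
    root = ET.fromstring(xml_text)
    problems = []
    for name, required, cr in (("Action", ACTION_ID, "CR1"),
                               ("Resource", RESOURCE_ID, "CR6")):
        sections = [c for c in root if local(c.tag) == name]
        if not sections:
            problems.append(f"<{name}> element missing")
        for section in sections:
            ids = attribute_ids(section)
            if not ids:
                problems.append(f"{cr}: <{name}> has no <Attribute> (minOccurs=1)")
            elif required not in ids:
                problems.append(f"{cr}: <{name}> lacks {required}")
    return problems

# Constructed sample: carries both mandatory identifiers.
GOOD = """<Request>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
    <AttributeValue>/records/42</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
    <AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""

# Constructed sample: empty <Resource>, and only the optional action-namespace under <Action>.
BAD = """<Request>
  <Resource/>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-namespace">
    <AttributeValue>urn:example:actions</AttributeValue></Attribute></Action>
</Request>"""

if __name__ == "__main__":
    print(check_request(GOOD))
    print(check_request(BAD))
```

The second request shows why the optional action-namespace attribute alone does not satisfy Change Request 1: the decision point still has no interoperable action value to evaluate.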