OASIS eXtensible Access Control Markup Language (XACML) TC

Last Thursday I promised to propose a scheme asking for multiple decisions in a single request. It was agreed that a request could specify arbitrary combinations of attribute categories (with no duplicates), but that the actual attribute values would only be specified once. The scheme would not require the entire cross product of all combinations to be used, but rather specific combinations could be specified.

After thinking about it for a bit, I concluded the following.

1. I would propose a prefix of lists of items to be used in decisions as we previously discussed. This list uses references to XML Id Attributes to indicate which set of attributes to use.

2. Since all categories could be specified (not just Resource and Action), it would be too confusing to allow for the cross product of the duplicate category types in each list to be specified. Instead I am proposing lists of exactly the attribute category values from which a virtual request context for each decision is constructed.

3. The prior scheme of echoing back selected attribute values to correlate requests and responses would become too cumbersome and potentially ambiguous. Instead, I am proposing the an arbitrary string label on each decision list (specifically an XML attribute called CorrelationId) be used for this purpose.

4. It seems to me that it might be a good idea to retain the Multi-Resource Profile in much the same form as in 2.0 and define a totally new Multi-Decision Profile using this scheme.

Here is roughly how this new style of request would look.




Let's discuss this on the call and then I can proceed to define Schema and text.

Hal

Hi Hal,

I think this looks good.

I think it is a good idea to separate this functionality from the old 
multiple resource. I'm not sure if we need a separate document for it. A 
separate chapter in the existing profile might be good enough. We 
already have several modes of multiple requests there.

I think the 

[comments inline]

> 

                                                

					
                                                    

        
                                                
				
                                                

                                                    
                                                        
                                                        Original Message
                                                
                                                Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Wednesday, January 14, 2009 9:48 AM
> To: hal.lockhart@oracle.com
> Cc: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Multiple Decison Request Proposal
> 
> Hi Hal,
> 
> I think this looks good.
> 
> I think it is a good idea to separate this functionality from the old
> multiple resource. I'm not sure if we need a separate document for it. A
> separate chapter in the existing profile might be good enough. We
> already have several modes of multiple requests there.

Agreed.

> 
> I think the 

Hi Hal,

>> I think the 

> >> I think the 

  


Hi Hal and Erik,


I agree w the overall thrust of this profile effort and I think Hal's
original suggestion of having a prefix element, <DecisionLists>,
conceptually is not inconsistent with the existing multi-resource
profile, because in theory, I believe that the existing multi-resource
profile violates the notion of a "simple core schema", because it
already requires external pre-processing of the request in order to
only pass one resource at a time to the PDP.


This was an issue that caused me some problems understanding exactly
what the "core schema" was, however, the discussion earlier with Erik,
I think clarified that situation better, namely that each Attributes
element in a "regular XACML request" must have a different Category;
i.e. in a single XACML request to be processed by the rules in the core
spec, there may not be more than one <Attributes> element with
the same Attributes@Category xml attribute.


As a result, this forces even the existing multi-resource profile into
a "pre-processor" unspecified domain.


The Subject Inconsistencies issue was related to this in that extending
the multi-profile to include Subject as well as Action, Environment,
and Resource, was problematic because Subject inherently had multiple
Categories already, and for 2.0 that was ok, because there was no
multi-subject and these subjects never got broken up. However, the 3.0
multi-profile breaks that, and as was discussed, maybe it's not all
that bad if people understand it and choose how they want to do this.


However, Hal's proposal, can easily include cross-products of arbitrary
complexity by simply including multiple <ListReference> elements
that point to <Attributes> elements with the same @Category. For
example:


 <DecisionList CorrelationId="FirstDecision">

  <ListReference URI="Sub1"/> 

  <ListReference URI="Env"/>

  <ListReference URI="Res1"/>

  <ListReference URI="Res2"/>

  <ActionReference URI="Act1"/>

  <ActionReference URI="Act2"/>

</DecisionList>


would result in 4 requests issued to the pdp for (R1,A1), (R1,A2),
(R2,A1), (R2,A2).

This approach would contain everything for existing cross-product 2.0
and 3.0 profiles, as well as more specific pruning of the request lists
w singleton <DecisionList> elements.


    Thanks,

    Rich




Hal Lockhart wrote:

  

    

      

        
I think the <Request> element should be called something else, and this
could have its own schema. Maybe "<MultiRequest>"?


        
      
      
<Request> is the existing outer element of a Request context. My notion
      
    
    
is that <DecisionsLists> is an optional element which appears prior to the
first <Attributes> element.
    
    
Yes, but I thought that it would perhaps be better to not put this
boxcarring stuff into the core schema, but in it's own schema. I think
it would be neater if we have a "simple" core schema which defines the
processing model. Additional preprocessing and transport formats would
go into another schemas.

But I don't feel too strongly about it, and importing schema files can
be a bit of an annoyance to work with given the current state of XML
parsers.
    
  
  

First of all as I have said several times, I only see this feature as being important when a remote PDP is used. (In fact I don't think an imbedded PDP should be using an XML Request Context at all.)

Given that, I have no strong preference for how we deal with the schemas. I would like to hear from implementers on this issue.

Hal


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

  

Rich's recent comment (which I agree with) drew my attention to a mistake I made in my original message.

It was my intention that all the elements within 

On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.

I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.

After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:

AS=Jack Role=Nurse
RS=Jill Role=Doctor
Env
Res
Act

AS=Jill Role=Doctor
RS=Jack Role=Nurse
Env
Res
Act

Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)

So if we add a name Attribute to the 

Hi Hal,

The IncludeInResult returns also the attribute category, so what you
describe is not an issue. See the example below.

Best regards,
Erik

   2 


Hal Lockhart wrote:
> On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.
>
> I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.
>
> After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:
>
> AS=Jack Role=Nurse
> RS=Jill Role=Doctor
> Env
> Res
> Act
>
> AS=Jill Role=Doctor
> RS=Jack Role=Nurse
> Env
> Res
> Act
>
> Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)
>
> So if we add a name Attribute to the 

  


Hi Erik,


I still believe there is potential ambiguity if there are multiple
Resource (or other) elements w same resource-id but different
accompanying attributes. For example you might want to test what
decisions come back based on varying sets of attrs accompanying the
same resource-id.


The point is that the combination of category and any contained
attribute values is not guaranteed to be unique in a multi-request.


I think the only way to guarantee uniqueness is to assign unique
identifiers to each instance of an Attributes element with common
CategoryId in a given request and return these identifiers in the
response generated from the decision where the instance was used.


    Thanks,

    Rich



Erik Rissanen wrote:
49780C54.7050406@axiomatics.com" type="cite">
  
Hi Hal,

The IncludeInResult returns also the attribute category, so what you
describe is not an issue. See the example below.

Best regards,
Erik

   2 <xacml-ctx:Response
xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-06">
   3   <xacml-ctx:Result>
   4     <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
   5     <xacml-ctx:Attributes
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
   6       <xacml-ctx:Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
IncludeInResult="true">
   7         <xacml-ctx:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/MargeSimpson</xacml-ctx:AttributeValue>
   8       </xacml-ctx:Attribute>
   9     </xacml-ctx:Attributes>
  10     <xacml-ctx:Status>
  11       <xacml-ctx:StatusCode
Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
  12     </xacml-ctx:Status>
  13   </xacml-ctx:Result>
  14   <xacml-ctx:Result>
  15     <xacml-ctx:Decision>NotApplicable</xacml-ctx:Decision>
  16     <xacml-ctx:Attributes
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  17       <xacml-ctx:Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
IncludeInResult="true">
  18         <xacml-ctx:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/LisaSimpson</xacml-ctx:AttributeValue>
  19       </xacml-ctx:Attribute>
  20     </xacml-ctx:Attributes>
  21     <xacml-ctx:Status>
  22       <xacml-ctx:StatusCode
Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
  23     </xacml-ctx:Status>
  24   </xacml-ctx:Result>
  25   <xacml-ctx:Result>
  26     <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
  27     <xacml-ctx:Attributes
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  28       <xacml-ctx:Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
IncludeInResult="true">
  29         <xacml-ctx:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/HomerSimpson</xacml-ctx:AttributeValue>
  30       </xacml-ctx:Attribute>
  31     </xacml-ctx:Attributes>
  32     <xacml-ctx:Status>
  33       <xacml-ctx:StatusCode
Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
  34     </xacml-ctx:Status>
  35   </xacml-ctx:Result>
  36   <xacml-ctx:Result>
  37     <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
  38     <xacml-ctx:Attributes
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  39       <xacml-ctx:Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
IncludeInResult="true">
  40         <xacml-ctx:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</xacml-ctx:AttributeValue>
  41       </xacml-ctx:Attribute>
  42     </xacml-ctx:Attributes>
  43     <xacml-ctx:Status>
  44       <xacml-ctx:StatusCode
Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
  45     </xacml-ctx:Status>
  46   </xacml-ctx:Result>
  47   <xacml-ctx:Result>
  48     <xacml-ctx:Decision>NotApplicable</xacml-ctx:Decision>
  49     <xacml-ctx:Attributes
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  50       <xacml-ctx:Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
IncludeInResult="true">
  51         <xacml-ctx:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/MaggieSimpson</xacml-ctx:AttributeValue>
  52       </xacml-ctx:Attribute>
  53     </xacml-ctx:Attributes>
  54     <xacml-ctx:Status>
  55       <xacml-ctx:StatusCode
Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
  56     </xacml-ctx:Status>
  57   </xacml-ctx:Result>
  58 </xacml-ctx:Response>


Hal Lockhart wrote:
  
  

    
On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.

I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.

After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:

AS=Jack Role=Nurse
RS=Jill Role=Doctor
Env
Res
Act

AS=Jill Role=Doctor
RS=Jack Role=Nurse
Env
Res
Act

Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)

So if we add a name Attribute to the <Attributes> elements, we must chose values like "Jack-AS", " Jack-RS", "Jill-AS", "Jill-RS", so we can distinguish the cases. I have also found a number of cases where technically there is no ambiguity in correlating the responses to the requests, but in practice the processing will be greatly simplified by using synthetic attributes with judiciously chosen values.

My conclusion is that the scheme we agreed on during the meeting is workable, but we need to include text which discusses the issues concerning unambiguous and efficient correlation.

Please tell me if my analysis is correct or if there are other problematic cases I have not considered.

Hal

  
    
    

      


                                                

					
                                                    

        
                                                
				
                                                

                                                    
                                                        
                                                        Original Message
                                                
                                                Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@oracle.com]
Sent: Thursday, January 15, 2009 9:30 AM
To: hal.lockhart@oracle.com; xacml@lists.oasis-open.org
Subject: RE: [xacml] Multiple Decison Request Proposal

Rich's recent comment (which I agree with) drew my attention to a mistake
I made in my original message.

It was my intention that all the elements within <DecisionList> be the
same, i.e. <ListReference>. Because of an editing error, one of them is
<ActionReference> in the example.

Hal

    
      
      

        

Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@oracle.com]
Sent: Wednesday, January 14, 2009 1:12 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] Multiple Decison Request Proposal

Last Thursday I promised to propose a scheme asking for multiple
      
        
      
      
decisions
    
      
      

        
in a single request. It was agreed that a request could specify
      
        
      
      
arbitrary
    
      
      

        
combinations of attribute categories (with no duplicates), but that the
actual attribute values would only be specified once. The scheme would
      
        
      
      
not
    
      
      

        
require the entire cross product of all combinations to be used, but
rather specific combinations could be specified.

After thinking about it for a bit, I concluded the following.

1. I would propose a prefix of lists of items to be used in decisions as
we previously discussed. This list uses references to XML Id Attributes
      
        
      
      
to
    
      
      

        
indicate which set of attributes to use.

2. Since all categories could be specified (not just Resource and
      
        
      
      
Action),
    
      
      

        
it would be too confusing to allow for the cross product of the
      
        
      
      
duplicate
    
      
      

        
category types in each list to be specified. Instead I am proposing
      
        
      
      
lists
    
      
      

        
of exactly the attribute category values from which a virtual request
context for each decision is constructed.

3. The prior scheme of echoing back selected attribute values to
      
        
      
      
correlate
    
      
      

        
requests and responses would become too cumbersome and potentially
ambiguous. Instead, I am proposing the an arbitrary string label on each
decision list (specifically an XML attribute called CorrelationId) be
      
        
      
      
used
    
      
      

        
for this purpose.

4. It seems to me that it might be a good idea to retain the Multi-
Resource Profile in much the same form as in 2.0 and define a totally
      
        
      
      
new
    
      
      

        
Multi-Decision Profile using this scheme.

Here is roughly how this new style of request would look.


<Request>

  <DecisionLists>

    <DecisionList CorrelationId="FirstDecision">

        <ListReference URI="Sub1"/>

        <ListReference URI="Env"/>

        <ListReference URI="Res1"/>

        <ActionReference URI="Act1"/>


    </DecisionList>


    <DecisionList CorrelationId="SecondDecision">

        <ListReference URI="Sub1"/>

        <ListReference URI="Sub2"/>

        <ListReference URI="Env"/>

        <ListReference URI="Res2"/>

        <ListReference URI="Act2"/>

    </DecisionList>


    <DecisionList CorrelationId="ThirdDecision">

        <ListReference URI="Sub3"/>

        <ListReference URI="Env"/>

        <ListReference URI="Res1"/>

        <ListReference URI="Act2"/>

    </DecisionList>


    <DecisionList ... >
    ...

    </DecisionList>


  </DecisionLists>


    <Attributes Category="Access_Subject" XML:Id="Sub1">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>

    <Attributes Category="Intemediary_Subject" XML:Id="Sub2">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>


    <Attributes Category="Intemediary_Subject" XML:Id="Sub3">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>

   <Attributes Category="Environment" XML:Id="Env">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>

    <Attributes Category="Resource" XML:Id="Res1">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>


    <Attributes Category="Resource" XML:Id="Res2">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>

    <Attributes Category="Action" XML:Id="Act1">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>

    <Attributes Category="Action" XML:Id="Act2">

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

      <Attribute>
      ...
      </Attribute>

    </Attributes>


...


</Request>

Let's discuss this on the call and then I can proceed to define Schema
      
        
      
      
and
    
      
      

        
text.

Hal


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

      
        
      
      
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

    
      
    
    
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

  
    
  
  


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

  

Hi Rich,

Yes, but this is where we discussed the "artificial" attributes. Like this:



It should work, though it's more verbose than using an id for the 
attributes element. It's also more general, but I'm not sure what that 
is worth.

Best regards,
Erik

Rich.Levinson wrote:
> Hi Erik,
>
> I still believe there is potential ambiguity if there are multiple 
> Resource (or other) elements w same resource-id but different 
> accompanying attributes. For example you might want to test what 
> decisions come back based on varying sets of attrs accompanying the 
> same resource-id.
>
> The point is that the combination of category and any contained 
> attribute values is not guaranteed to be unique in a multi-request.
>
> I think the only way to guarantee uniqueness is to assign unique 
> identifiers to each instance of an Attributes element with common 
> CategoryId in a given request and return these identifiers in the 
> response generated from the decision where the instance was used.
>
>     Thanks,
>     Rich
>
>
> Erik Rissanen wrote:
>> Hi Hal,
>>
>> The IncludeInResult returns also the attribute category, so what you
>> describe is not an issue. See the example below.
>>
>> Best regards,
>> Erik
>>
>>    2 
>>
>>
>> Hal Lockhart wrote:
>>   
>>> On the last call I agreed we should drop the idea of an XML Attribute called CorrelationId as a means to correlate requests and responses. The idea discussed on the call was to use the previously proposed scheme of marking selected XACML Attributes with the XML Attribute "IncludeInResponse", thus causing the PDP to echo back their values in the Response.
>>>
>>> I expressed concerned about the fact that, especially when specifying subjects, there might be no attribute present which uniquely identifies an entity. Eric suggested that if necessary the PEP could provide "synthetic" XACML Attributes which would not be referenced by policy, but could be used to perform correlation.
>>>
>>> After thinking about this further, I think there is still a problem.  Suppose we have two subjects Jack and Jill. Jill is a Doctor and Jack is a Nurse. Suppose we want to test access in 2 cases, with each as Access Subject (AS) and the other as Recipient Subject (RS) categories, holding Env, Resource and Action constant. In other words, the cases are:
>>>
>>> AS=Jack Role=Nurse
>>> RS=Jill Role=Doctor
>>> Env
>>> Res
>>> Act
>>>
>>> AS=Jill Role=Doctor
>>> RS=Jack Role=Nurse
>>> Env
>>> Res
>>> Act
>>>
>>> Obviously if we simply ask to have Role (Doctor or Nurse) returned, we will not be able to distinguish between the two cases above. However even if we add a synthetic attribute, such as Name (Jack or Jill), we still cannot distinguish the two cases. (since order has no significance) What is required is that the synthetic attribute values also reflect the subject category. (Or more generally the category, since XACML does not rule out the possibility that different categories may share the same attributes)
>>>
>>> So if we add a name Attribute to the 

As of today's meeting I believe we are down to deciding how to do correlation. The alternative previously proposed is to use the IncludeInResponse mechanism. This may involve submitting synthetic attributes, not referenced by policy, simply to correlate requests and decisions.

The new idea (at least to me) is to move my previously proposed XML Attribute - CorrelationID - to the 

Hi Hal,

I just realized that the CorrelationId will not work, and we need the 
IncludeInResult.

The existing 2.0 multiple resource profile defines a few more modes of 
multiple requests than multiple 

  


Hi Erik, Hal, and TC,


There have been a lot of emails on this issue so far, but I think we
are at the point where all the ambiguities and potential missing pieces
have been accounted for, so I will try to summarize where I think the
proposal currently stands.


First of all here are some reference emails that have examples that
show different aspects of the proposed solution:


  
example request with XPath (in Erik's most recent email (below))
which is purported to return multiple nodes (an example response would
be helpful to augment this:
  

    
http://lists.oasis-open.org/archives/xacml/200901/msg00053.html
  
  
example request with decision lists (Hal's most recent email)
(ignore the CorrelationId, because as Erik showed, it will not work w
XPath)
  

    
http://lists.oasis-open.org/archives/xacml/200901/msg00051.html
  
  
example request showing multiple <Attributes> elements
having same @Category and using "synthetic attribute" with
"...multiple-request:unique-id" (would be useful to have corresponding
response showing returned "disambiguated" <Attributes> elements
  

    
http://lists.oasis-open.org/archives/xacml/200901/msg00049.html
  
  
example response showing 5 distinct results, not using synthetic
attribute, but using "...resource:resource-id" for Result correlation.
(This shows the important concept that not only is the
<Attribute> with the @IncludeInResult returned, but also its
parent <Attributes> element with the @Category.)

  
  

    
http://lists.oasis-open.org/archives/xacml/200901/msg00045.html
  
  
original example request w DecisionList and w follow-up minor
correction
  

    
http://lists.oasis-open.org/archives/xacml/200901/msg00015.html
    
http://lists.oasis-open.org/archives/xacml/200901/msg00035.html
  

Based on the analysis that has been done, I have a few recommendations
that, at least to me, appear to be important enough to itemize as
suggestions for the specifications.


For the 3.0 Core spec:


  
It became inferentially apparent that a fundamental "rule" is
that a Request context that is processed by the PDP must have at most 1
<Attributes> element with a specific Category. I recommend that
this be explicitly stated in section 5.35 in the description of the
<Attributes> [One to Many] element. What is there now is not
unambiguous in this regard, and I recommend it be tightened up.
  
Similarly, I think explicit text should be in Section 5.37 for
the Category [Required] description. i.e. specify that while multiple
<Attributes> elements with the same Category are allowed in the
Request element, that for the purpose of making an authorization
decision, only one <Attributes> element per Category is allowed.
  
Section 5.39 under explanation of IncludeInResult [Default false]
I recommend that when included in Result the Attribute will be parented
by its <Attributes w @Category> element. Also if multiple
<Attribute> elements within one Category are tagged, then they
will share the parent.
  
Section 5.41 under explanation of <Attributes> element, I
recommend that it be explicitly stated that there will be one
<Attributes> element for each @Category in the Request that
contained an @IncludeInResult.

For the 3.0 Multi-Decision spec:



  
I recommend that at least for the multi-Attributes @Category
mechanism that a clear explanation be included that without
DecisionLists, that there is an inferential n-dimensional cross-product
applied, where n is the number of @Categories that  have multiple
<Attributes> elements within the Request. So, for example if
there are 3 Category attrs, say cat1, cat2, cat3 that occur in multiple
<Attributes> elements, for example let's say there are 4
<Attributes> elements w cat1, 4 with cat2, and 3 w cat3, then
there will inferentially be 4x4x3 = 48 individual Requests generated to
the PDP, each of which will have a Result element in the Response. It
would also be worth noting that if there are additional single element
Category attrs, say cat4, cat5, and cat6, that the <Attributes>
element for each of those Category attrs will be evaluated in all 48
decisions. i.e. all 48 decisions will be based on
cat1,cat2,cat3,cat4,cat5,cat6, where 4,5,6 remain constant thru the
process and 1,2,3 are incremented as if to visit every cell in a 4x4x3
3-dimensional matrix in this particular example.
  
I recommend that the DecisionLists mechanism be introduced as an
augmentation to the n-dimesional matrix in 1 above. i.e. given the 48
decisions above, I think that DecisionLists can be used to pare down
the list so that the full n-dimensional cross product does not get
evaluated. i.e. The DecisionLists would override the inferential
processing if they were present.
  

    
For example, if we really didn't want the 4x4 portion above but
were really interested in 2 2x2 portions, there could be 2
DecisionLists up front that contained the following elements:
    

      
cat11,cat12,cat21,cat22,cat31,cat32,cat33,cat4,cat5,cat6
      
cat33,cat34,cat43,cat44,cat31,cat32,cat33,cat4,cat5,cat6
    
    
Each of the above DecisionLists would produce 2x2x3 = 12
results for a total of 24 results.
    
i.e. the suggestion is that the presence of DecisionLists
simply override the inferential multiple effect of the
<Attributes> elements themselves and transfer the inferential
effect to the multiple category instances w same category to within
each list.
    
i.e. the presence of the DecisionLists would effectively say:
regard the actual <Attributes> elements as a pool of referencable
entities and process the request as if multiple Request elements had
come in with <Attributes> elements listed in the DecisionList,
and process inferentially on that basis. Everything would be returned
in a single response.
  
  
The only lingering "annoyance" is that the DecisionLists address
the <Attributes> elements by the xml:id, whereas within the
inferential processing we need to reference for correlation purposes
based on an internal IncludeInResult attribute. This is not a
show-stopper of any sort, but it does appear that there are 2
mechanisms effectively used to identify the same <Attributes>
element. A couple of considerations:
  

    
It would seem that xml:id for <Attributes> elements that
only had a single instance is more than is needed since one could
theoretically simply identify these single instance elements by
identifying their Category value.
    
It seems that what's needed for the DecisionLists that are
going to use multiple <Attributes> elements with the same
Category is something within the <Attributes> element that
distinguishes it from the other <Attributes> elements of the same
Category. This seems to be deja vu all over again (sic) wrt the
analysis that left us with the "synthetic attributes" as the ultimate
decider for those cases where nothing else would work

http://lists.oasis-open.org/archives/xacml/200901/msg00049.html
    
Therefore, I am tentatively suggesting that a usable
alternative to URI,xml:id might be @Category.value(index), where
"index" would be the value of a synthetic attribute within the
<Attributes @Category> element with
AttributeId="...multiple-request:unique-id".
  

I believe everything above, is essentially pretty much identifying what
has already been decided and putting it all in one place, at least wrt
3.0 Core spec, plus I think that comment 1 for multi-decision is simply
stating what has already been agreed, comment 2 is some clarification
on how DecisionLists could be viewed and used, and comment 3 admittedly
is something "new" to address what appears to me to be a lingering
"rough spot" in what has been decided so far.


Comments and suggestions are welcome.


    Thanks,

    Rich



Erik Rissanen wrote:
497988C9.3060000@axiomatics.com" type="cite">Hi
Hal,


I just realized that the CorrelationId will not work, and we need the
IncludeInResult.


The existing 2.0 multiple resource profile defines a few more modes of
multiple requests than multiple <Resource> elements. For
instance, it is possible to specify multiple request in the form of an
xpath expression on the <ResourceContent>, where each node the
xpath matches will generate an individual request. Like this for
instance:


  2 <Request

  3       xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"

  4       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

  5       xmlns:md="http://www.medico.com/schemas/record"

  6      
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"

  7      
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os

  8         access_control-xacml-2.0-context-schema-os.xsd">

  9     <Subject>

 10         <Attribute

 11              
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"

 12              
DataType="http://www.w3.org/2001/XMLSchema#string">

 13             <AttributeValue>Julius
Hibbert</AttributeValue>

 14         </Attribute>

 15     </Subject>

 16     <Resource>

 17         <ResourceContent>

 18                 <md:record>

 19                 <md:patient_info>

 20                     <md:name>Bart Simpson</md:name>

 21                     <md:age>60</md:age>

 22                     <md:sex>male</md:sex>

 23                    
<md:health_insurance>123456</md:health_insurance>

 24                 </md:patient_info>

 25                 <md:diagnosis_info>

 26                     <md:diagnosis>

 27                         <md:item type="primary">Gastric
Cancer</md:item>

 28                         <md:item type="secondary">Hyper
tension</md:item>

 29                     </md:diagnosis>

 30                     <md:pathological_diagnosis>

 31                         <md:diagnosis>

 32                             <md:item type="primary">Well
differentiated adeno carcinoma</md:item>

 33                         </md:diagnosis>

 34                         <md:date>2000-10-05</md:date>

 35                         <md:malignancy type="yes"/>

 36                     </md:pathological_diagnosis>

 37                 </md:diagnosis_info>              
 38             </md:record>

 39         </ResourceContent>

 40         <Attribute\r

 41              
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"

 42              
DataType="http://www.w3.org/2001/XMLSchema#string">

 43            
<AttributeValue>*[local-name()='Resource'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='ResourceContent'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='record'][namespace-uri()='http://www.medico.com/schemas/record']/*[local-name()='patient_info'][namespace-uri()='http://www.medico.com/schemas/record']/*[self::*[local-name()='name'][namespace-uri()='http://www.medico.com/schemas/record']
or
self::*[local-name()='age'][namespace-uri()='http://www.medico.com/schemas/record']]/descendant-or-self::node()</AttributeValue>

 44         </Attribute>

 45         <Attribute

 46              
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope"

 47              
DataType="http://www.w3.org/2001/XMLSchema#string">

 48            
<AttributeValue>XPath-expression</AttributeValue>

 49         </Attribute>

 50     </Resource>

 51     <Action>

 52         <Attribute

 53              
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"

 54              
DataType="http://www.w3.org/2001/XMLSchema#string">

 55             <AttributeValue>read</AttributeValue>

 56         </Attribute>

 57     </Action><Environment/></Request>


From this request there will be multiple results, but there is only one
<Resource> element. Each result will contain a specific
ResourceId XML attribute for correlation purposes.


In the corresponding 3.0 multiple request, it will be necessary to use
the IncludeInResult since there are not multiple Attribute elements,
which could be used for correlation, even if they had a CorrelationId.


So I think we should drop the CorrelationId proposal, and if necessary,
people will have to use a synthetic XACML attribute for correlation.


Best regards,

Erik



Hal Lockhart wrote:

  
As of today's meeting I believe we are down
to deciding how to do correlation. The alternative previously proposed
is to use the IncludeInResponse mechanism. This may involve submitting
synthetic attributes, not referenced by policy, simply to correlate
requests and decisions.


The new idea (at least to me) is to move my previously proposed XML
Attribute - CorrelationID - to the <Attributes> element instead
of having it in the <DecisionList> element.


This seems clearer to me, but others should express their opinions. The
new scheme would look something like this:


<Request>


  <DecisionLists>


    <DecisionList>


        <ListReference URI="Sub1"/>


        <ListReference URI="Env"/>


        <ListReference URI="Res1"/>


        <ListReference URI="Act1"/>



    </DecisionList>



    <DecisionList>


        <ListReference URI="Sub1"/>


        <ListReference URI="Sub2"/>


        <ListReference URI="Env"/>


        <ListReference URI="Res2"/>


        <ListReference URI="Act2"/>


    </DecisionList>



    <DecisionList>


        <ListReference URI="Sub3"/>


        <ListReference URI="Env"/>


        <ListReference URI="Res1"/>


        <ListReference URI="Act2"/>


    </DecisionList>



    <DecisionList ... >

    ...


    </DecisionList>



  </DecisionLists>



    <Attributes Category="Access_Subject" XML:Id="Sub1"
CorrelationId="FirstSubject">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Intemediary_Subject" XML:Id="Sub2"
CorrelationId="SecondSubject">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>



    <Attributes Category="Intemediary_Subject" XML:Id="Sub3"
CorrelationId="ThirdSubject">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


   <Attributes Category="Environment" XML:Id="Env">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Resource" XML:Id="Res1"
CorrelationId="FirstResource">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>



    <Attributes Category="Resource" XML:Id="Res2"
CorrelationId="Secondresource">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Action" XML:Id="Act1"
CorrelationId="FirstAction">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Action" XML:Id="Act2"
CorrelationId="SecondAction">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>



...



</Request>



Hal



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

  



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Hi Rich and all,

This sounds good to me, except that I don't like the use of the 
synthetic id as the reference in the decision list. This forces all 
requests to contain synthetic ids, which I think are not needed in most 
cases, and is also more difficult to parse for a pre-processor since the 
id is more deeply nested.

Regards,
Erik

Rich.Levinson wrote:
> Hi Erik, Hal, and TC,
>
> There have been a lot of emails on this issue so far, but I think we 
> are at the point where all the ambiguities and potential missing 
> pieces have been accounted for, so I will try to summarize where I 
> think the proposal currently stands.
>
> First of all here are some reference emails that have examples that 
> show different aspects of the proposed solution:
>
>     * example request with XPath (in Erik's most recent email (below))
>       which is purported to return multiple nodes (an example response
>       would be helpful to augment this:
>           o http://lists.oasis-open.org/archives/xacml/200901/msg00053.html
>     * example request with decision lists (Hal's most recent email)
>       (ignore the CorrelationId, because as Erik showed, it will not
>       work w XPath)
>           o http://lists.oasis-open.org/archives/xacml/200901/msg00051.html
>     * example request showing multiple 

  


Hi Erik,


I see your point. How about if we constructed ListReference as follows:


  
Normal single element in category case:
  

    
<ListReference Category="cat1"/>
  
  
Multiple element in category case:
  

    
<ListReference Category="cat2">

    <Attribute AttributeId="xxx" Issuer="yyy" DataType="datatype">

        <AttributeValue>zzz</AttributeValue>

    </Attribute>

</ListReference>
  

With this approach typical case would be just match Category.
Multi-case would be match Category and contained Attribute w value.
Then Attr would only be synthetic in the extreme case as described in:

http://lists.oasis-open.org/archives/xacml/200901/msg00049.html


    Thanks,

    Rich




Erik Rissanen wrote:
497DBEC6.4050005@axiomatics.com" type="cite">Hi
Rich and all,


This sounds good to me, except that I don't like the use of the
synthetic id as the reference in the decision list. This forces all
requests to contain synthetic ids, which I think are not needed in most
cases, and is also more difficult to parse for a pre-processor since
the id is more deeply nested.


Regards,

Erik


Rich.Levinson wrote:

  
Hi Erik, Hal, and TC,


There have been a lot of emails on this issue so far, but I think we
are at the point where all the ambiguities and potential missing pieces
have been accounted for, so I will try to summarize where I think the
proposal currently stands.


First of all here are some reference emails that have examples that
show different aspects of the proposed solution:


    * example request with XPath (in Erik's most recent email (below))

      which is purported to return multiple nodes (an example response

      would be helpful to augment this:

          o
http://lists.oasis-open.org/archives/xacml/200901/msg00053.html

    * example request with decision lists (Hal's most recent email)

      (ignore the CorrelationId, because as Erik showed, it will not

      work w XPath)

          o
http://lists.oasis-open.org/archives/xacml/200901/msg00051.html

    * example request showing multiple <Attributes> elements
having

      same @Category and using "synthetic attribute" with

      "...multiple-request:unique-id" (would be useful to have

      corresponding response showing returned "disambiguated"

      <Attributes> elements

          o
http://lists.oasis-open.org/archives/xacml/200901/msg00049.html

    * example response showing 5 distinct results, not using synthetic

      attribute, but using "...resource:resource-id" for Result

      correlation. (This shows the important concept that not only is

      the <Attribute> with the @IncludeInResult returned, but
also its

      parent <Attributes> element with the @Category.)

          o
http://lists.oasis-open.org/archives/xacml/200901/msg00045.html

    * original example request w DecisionList and w follow-up minor

      correction

          o
http://lists.oasis-open.org/archives/xacml/200901/msg00015.html

          o
http://lists.oasis-open.org/archives/xacml/200901/msg00035.html


Based on the analysis that has been done, I have a few recommendations
that, at least to me, appear to be important enough to itemize as
suggestions for the specifications.


For the 3.0 Core spec:


   1. It became inferentially apparent that a fundamental "rule" is

      that a Request context that is processed by the PDP must have at

      most 1 <Attributes> element with a specific Category. I

      recommend that this be explicitly stated in section 5.35 in the

      description of the <Attributes> [One to Many] element. What
is

      there now is not unambiguous in this regard, and I recommend it

      be tightened up.

   2. Similarly, I think explicit text should be in Section 5.37 for

      the Category [Required] description. i.e. specify that while

      multiple <Attributes> elements with the same Category are

      allowed in the Request element, that for the purpose of making

      an authorization decision, only one <Attributes> element
per

      Category is allowed.

   3. Section 5.39 under explanation of IncludeInResult [Default

      false] I recommend that when included in Result the Attribute

      will be parented by its <Attributes w @Category> element.
Also

      if multiple <Attribute> elements within one Category are
tagged,

      then they will share the parent.

   4. Section 5.41 under explanation of <Attributes> element, I

      recommend that it be explicitly stated that there will be one

      <Attributes> element for each @Category in the Request that

      contained an @IncludeInResult.


For the 3.0 Multi-Decision spec:


   1. I recommend that at least for the multi-Attributes @Category

      mechanism that a clear explanation be included that without

      DecisionLists, that there is an inferential n-dimensional

      cross-product applied, where n is the number of @Categories

      that  have multiple <Attributes> elements within the
Request.

      So, for example if there are 3 Category attrs, say cat1, cat2,

      cat3 that occur in multiple <Attributes> elements, for
example

      let's say there are 4 <Attributes> elements w cat1, 4 with
cat2,

      and 3 w cat3, then there will inferentially be 4x4x3 = 48

      individual Requests generated to the PDP, each of which will

      have a Result element in the Response. It would also be worth

      noting that if there are additional single element Category

      attrs, say cat4, cat5, and cat6, that the <Attributes>
element

      for each of those Category attrs will be evaluated in all 48

      decisions. i.e. all 48 decisions will be based on

      cat1,cat2,cat3,cat4,cat5,cat6, where 4,5,6 remain constant thru

      the process and 1,2,3 are incremented as if to visit every cell

      in a 4x4x3 3-dimensional matrix in this particular example.

   2. I recommend that the DecisionLists mechanism be introduced as an

      augmentation to the n-dimesional matrix in 1 above. i.e. given

      the 48 decisions above, I think that DecisionLists can be used

      to pare down the list so that the full n-dimensional cross

      product does not get evaluated. i.e. The DecisionLists would

      override the inferential processing if they were present.

          * For example, if we really didn't want the 4x4 portion

            above but were really interested in 2 2x2 portions, there

            could be 2 DecisionLists up front that contained the

            following elements:

                o
cat11,cat12,cat21,cat22,cat31,cat32,cat33,cat4,cat5,cat6

                o
cat33,cat34,cat43,cat44,cat31,cat32,cat33,cat4,cat5,cat6

          * Each of the above DecisionLists would produce 2x2x3 = 12

            results for a total of 24 results.

          * i.e. the suggestion is that the presence of DecisionLists

            simply override the inferential multiple effect of the

            <Attributes> elements themselves and transfer the

            inferential effect to the multiple category instances w

            same category to within each list.

          * i.e. the presence of the DecisionLists would effectively

            say: regard the actual <Attributes> elements as a
pool of

            referencable entities and process the request as if

            multiple Request elements had come in with
<Attributes>

            elements listed in the DecisionList, and process

            inferentially on that basis. Everything would be returned

            in a single response.

   3. The only lingering "annoyance" is that the DecisionLists address

      the <Attributes> elements by the xml:id, whereas within the

      inferential processing we need to reference for correlation

      purposes based on an internal IncludeInResult attribute. This is

      not a show-stopper of any sort, but it does appear that there

      are 2 mechanisms effectively used to identify the same

      <Attributes> element. A couple of considerations:

          * It would seem that xml:id for <Attributes> elements
that

            only had a single instance is more than is needed since

            one could theoretically simply identify these single

            instance elements by identifying their Category value.

          * It seems that what's needed for the DecisionLists that are

            going to use multiple <Attributes> elements with the
same

            Category is something within the <Attributes> element
that

            distinguishes it from the other <Attributes> elements
of

            the same Category. This seems to be deja vu all over again

            (sic) wrt the analysis that left us with the "synthetic

            attributes" as the ultimate decider for those cases where

            nothing else would work

           
http://lists.oasis-open.org/archives/xacml/200901/msg00049.html

          * Therefore, I am tentatively suggesting that a usable

            alternative to URI,xml:id might be @Category.value(index),

            where "index" would be the value of a synthetic attribute

            within the <Attributes @Category> element with

            AttributeId="...multiple-request:unique-id".


I believe everything above, is essentially pretty much identifying what
has already been decided and putting it all in one place, at least wrt
3.0 Core spec, plus I think that comment 1 for multi-decision is simply
stating what has already been agreed, comment 2 is some clarification
on how DecisionLists could be viewed and used, and comment 3 admittedly
is something "new" to address what appears to me to be a lingering
"rough spot" in what has been decided so far.


Comments and suggestions are welcome.


    Thanks,

    Rich



Erik Rissanen wrote:
Hi Hal,


I just realized that the CorrelationId will not work, and we need the
IncludeInResult.


The existing 2.0 multiple resource profile defines a few more modes of
multiple requests than multiple <Resource> elements. For
instance, it is possible to specify multiple request in the form of an
xpath expression on the <ResourceContent>, where each node the
xpath matches will generate an individual request. Like this for
instance:


  2 <Request

  3       xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"

  4       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

  5       xmlns:md="http://www.medico.com/schemas/record"

  6      
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"

  7      
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os

  8         access_control-xacml-2.0-context-schema-os.xsd">

  9     <Subject>

 10         <Attribute

 11              
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"

 12              
DataType="http://www.w3.org/2001/XMLSchema#string">

 13             <AttributeValue>Julius
Hibbert</AttributeValue>

 14         </Attribute>

 15     </Subject>

 16     <Resource>

 17         <ResourceContent>

 18                 <md:record>

 19                 <md:patient_info>

 20                     <md:name>Bart Simpson</md:name>

 21                     <md:age>60</md:age>

 22                     <md:sex>male</md:sex>

 23                    
<md:health_insurance>123456</md:health_insurance>

 24                 </md:patient_info>

 25                 <md:diagnosis_info>

 26                     <md:diagnosis>

 27                         <md:item type="primary">Gastric
Cancer</md:item>

 28                         <md:item type="secondary">Hyper
tension</md:item>

 29                     </md:diagnosis>

 30                     <md:pathological_diagnosis>

 31                         <md:diagnosis>

 32                             <md:item type="primary">Well
differentiated adeno carcinoma</md:item>

 33                         </md:diagnosis>

 34                         <md:date>2000-10-05</md:date>

 35                         <md:malignancy type="yes"/>

 36                     </md:pathological_diagnosis>

 37                 </md:diagnosis_info>              
 38             </md:record>

 39         </ResourceContent>

 40         <Attribute\r

 41              
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"

 42              
DataType="http://www.w3.org/2001/XMLSchema#string">

 43            
<AttributeValue>*[local-name()='Resource'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='ResourceContent'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='record'][namespace-uri()='http://www.medico.com/schemas/record']/*[local-name()='patient_info'][namespace-uri()='http://www.medico.com/schemas/record']/*[self::*[local-name()='name'][namespace-uri()='http://www.medico.com/schemas/record']
or
self::*[local-name()='age'][namespace-uri()='http://www.medico.com/schemas/record']]/descendant-or-self::node()</AttributeValue>

 44         </Attribute>

 45         <Attribute

 46              
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope"

 47              
DataType="http://www.w3.org/2001/XMLSchema#string">

 48            
<AttributeValue>XPath-expression</AttributeValue>

 49         </Attribute>

 50     </Resource>

 51     <Action>

 52         <Attribute

 53              
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"

 54              
DataType="http://www.w3.org/2001/XMLSchema#string">

 55             <AttributeValue>read</AttributeValue>

 56         </Attribute>

 57     </Action><Environment/></Request>


From this request there will be multiple results, but there is only one
<Resource> element. Each result will contain a specific
ResourceId XML attribute for correlation purposes.


In the corresponding 3.0 multiple request, it will be necessary to use
the IncludeInResult since there are not multiple Attribute elements,
which could be used for correlation, even if they had a CorrelationId.


So I think we should drop the CorrelationId proposal, and if necessary,
people will have to use a synthetic XACML attribute for correlation.


Best regards,

Erik



Hal Lockhart wrote:
  
As of today's meeting I believe we are
down to deciding how to do correlation. The alternative previously
proposed is to use the IncludeInResponse mechanism. This may involve
submitting synthetic attributes, not referenced by policy, simply to
correlate requests and decisions.


The new idea (at least to me) is to move my previously proposed XML
Attribute - CorrelationID - to the <Attributes> element instead
of having it in the <DecisionList> element.


This seems clearer to me, but others should express their opinions. The
new scheme would look something like this:


<Request>


  <DecisionLists>


    <DecisionList>


        <ListReference URI="Sub1"/>


        <ListReference URI="Env"/>


        <ListReference URI="Res1"/>


        <ListReference URI="Act1"/>



    </DecisionList>



    <DecisionList>


        <ListReference URI="Sub1"/>


        <ListReference URI="Sub2"/>


        <ListReference URI="Env"/>


        <ListReference URI="Res2"/>


        <ListReference URI="Act2"/>


    </DecisionList>



    <DecisionList>


        <ListReference URI="Sub3"/>


        <ListReference URI="Env"/>


        <ListReference URI="Res1"/>


        <ListReference URI="Act2"/>


    </DecisionList>



    <DecisionList ... >

    ...


    </DecisionList>



  </DecisionLists>



    <Attributes Category="Access_Subject" XML:Id="Sub1"
CorrelationId="FirstSubject">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Intemediary_Subject" XML:Id="Sub2"
CorrelationId="SecondSubject">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>



    <Attributes Category="Intemediary_Subject" XML:Id="Sub3"
CorrelationId="ThirdSubject">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


   <Attributes Category="Environment" XML:Id="Env">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Resource" XML:Id="Res1"
CorrelationId="FirstResource">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>



    <Attributes Category="Resource" XML:Id="Res2"
CorrelationId="Secondresource">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Action" XML:Id="Act1"
CorrelationId="FirstAction">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>


    <Attributes Category="Action" XML:Id="Act2"
CorrelationId="SecondAction">


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


      <Attribute>

      ...

      </Attribute>


    </Attributes>



...



</Request>



Hal



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

  



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

  



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Hi Rich,

I still think that a ID reference is simpler than digging up the 
datatype, attribute id and possibly issues, and going through all the 
attributes in the request section looking for nested elements containing 
matches for all two/three values.

Also it's more verbose, making it more difficult to read by humans (for 
debugging, development, audit, etc) and means less data to move around.

Regards,
erik

Rich.Levinson wrote:
> Hi Erik,
>
> I see your point. How about if we constructed ListReference as follows:
>
>    1. Normal single element in category case:
>           * 

Hi again Rich,

There is one more problem. Not all XACML data types have a defined 
equality function. So it wouldn't work in all cases.

Regards,
Erik

Erik Rissanen wrote:
> Hi Rich,
>
> I still think that a ID reference is simpler than digging up the 
> datatype, attribute id and possibly issues, and going through all the 
> attributes in the request section looking for nested elements 
> containing matches for all two/three values.
>
> Also it's more verbose, making it more difficult to read by humans 
> (for debugging, development, audit, etc) and means less data to move 
> around.
>
> Regards,
> erik
>
> Rich.Levinson wrote:
>> Hi Erik,
>>
>> I see your point. How about if we constructed ListReference as follows:
>>
>>    1. Normal single element in category case:
>>           * 

Hi Erik,

I am now a little confused. The only reason that Attribute gets added to 
DecisionList is to disambiguate multiple instances of the same Category. 
I thought you said in previous email that CorrelationId could not be 
used for this purpose and that we needed to use IncludeInResult:
http://lists.oasis-open.org/archives/xacml/200901/msg00053.html

    Thanks,
    Rich


Erik Rissanen wrote:
> Hi again Rich,
>
> There is one more problem. Not all XACML data types have a defined 
> equality function. So it wouldn't work in all cases.
>
> Regards,
> Erik
>
> Erik Rissanen wrote:
>> Hi Rich,
>>
>> I still think that a ID reference is simpler than digging up the 
>> datatype, attribute id and possibly issues, and going through all the 
>> attributes in the request section looking for nested elements 
>> containing matches for all two/three values.
>>
>> Also it's more verbose, making it more difficult to read by humans 
>> (for debugging, development, audit, etc) and means less data to move 
>> around.
>>
>> Regards,
>> erik
>>
>> Rich.Levinson wrote:
>>> Hi Erik,
>>>
>>> I see your point. How about if we constructed ListReference as follows:
>>>
>>>    1. Normal single element in category case:
>>>           *