OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] New target schema

    Posted 07-17-2002 11:30



    Subject: Re: [xacml] New target schema


    
    Basically, I like your proposed schema fragment.
    
    1. What is the merit when we deal with "action" in a way that is identical
    to the other components of target (which syntax are you suggesting)?
    3. I need an "xpath-match" function that compares two xpath expressions. It
    is used in the XML document access control use case. In the example below, a
    node set determined by a location path specified in the 'access' attribute
    in the request context has one or more items that are determined by the
    "//phone" xpath expression (some match equality semantics). If the
    attribute specified in the request context is "/a/b/phone", then it matches
    "//phone". Then it is applicable.
    
    <Rule>
      <Target>
        ...
        <Resource>
          <AttributeDesignator Match="xpath-match" DataType="xs:string"
              Designator="/Request/Resources/ResourceAttribute/AttributeMetaData[@Name='access']/../AttributeValue"/>
          <Attribute>
            <Value DataType="xs:string">//phone</Value>
          </Attribute>
        </Resource>
        ...
      </Target>
    </Rule>
    
    5. Again, we need to define a support level for each function in terms of
    quick implementation.
    
    Michiharu
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    Tim Moses <tim.moses@entrust.com>
    To:       "'XACML'" <xacml@lists.oasis-open.org>
    cc:
    Subject:  [xacml] New target schema
    2002/07/16 04:11
    Please respond to Tim Moses
    
    Colleagues - What do people think of this? ...
    
    1. Treats "action" in a way that is identical to the other components of
    target.
    2. Doesn't have a reserved value to indicate 'all'.  The value of Attribute
    and the MatchFunction have to be chosen to indicate 'all', if that is what
    is desired.
    3. All the equality operators are included.  Perhaps some should not be
    allowed for the purposes of target.
    4. Function will extend the MatchFunction list.
    5. Do the function enumeration values have to be URIs?  A string like
    "numeric-equal" would be more succinct.  If we feel that function
    definitions would need a namespace qualifier, then we might as well leave
    the function name as a URI.
    6. String-match uses the regular expression syntax.
    
    Let me have your thoughts.
    
    All the best.  Tim.
    
    <xs:complexType name="TargetType">
        <xs:sequence>
            <xs:element name="Subjects" type="xacml:MatchType" maxOccurs="unbounded"/>
            <xs:element name="Resources" type="xacml:MatchType" maxOccurs="unbounded"/>
            <xs:element name="Actions" type="xacml:MatchType" maxOccurs="unbounded"/>
        </xs:sequence>
    </xs:complexType>
    <!-- -->
    <xs:complexType name="MatchType">
        <xs:sequence>
            <xs:element ref="xacml:AttributeDesignator"/>
            <xs:element ref="xacml:Attribute"/>
        </xs:sequence>
        <xs:attribute name="Match" type="xacml:MatchFunctionType"/>
    </xs:complexType>
    <!-- -->
    <xs:simpleType name="MatchFunctionType">
        <xs:restriction base="xs:anyURI">
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:numeric-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:boolean-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:string-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:date-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:time-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:datetime-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:yearMonthDuration-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:dayTimeDuration-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:gregorian-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:hex-binary-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:base64-binary-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:anyURI-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:QName-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:NOTATION-equal"/>
            <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:string-match"/>
        </xs:restriction>
    </xs:simpleType>
    
    
    -----------------------------------------
    Tim Moses
    Tel: 613.270.3183
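As an added illustration (not code from either message or from the XACML TC), the following Python evaluates a Target built on the proposed TargetType/MatchType against a request context, wiring up three of the enumerated operators plus an assumed xpath-match with the behaviour Michiharu describes ("/a/b/phone" matches "//phone"). Assumptions not in the proposal: a Designator attribute on AttributeDesignator, a flat {designator: value} request context, AND across Subjects/Resources/Actions with OR within a component, and the reading of "//" and "*" in xpath-match.

```python
import re
from xml.etree import ElementTree as ET

OP = "urn:oasis:names:tc:XACML:0.15g:operator:"

def xpath_to_regex(pattern: str) -> str:
    """Location-path pattern -> anchored regex.  Assumed xpath-match semantics:
    '//' stands for any number of intermediate steps, '*' for any single step."""
    sub = {"//": "(/[^/]+)*/", "/": "/", "*": "[^/]+"}
    tokens = re.findall(r"//|/|[^/]+", pattern)
    return "^" + "".join(sub.get(t, re.escape(t)) for t in tokens) + "$"

# Three functions from the proposed enumeration plus the requested xpath-match.
# Each takes (value from the request context, value from the policy).
MATCH_FUNCTIONS = {
    OP + "string-equal": lambda req, pol: req == pol,
    OP + "numeric-equal": lambda req, pol: float(req) == float(pol),
    OP + "string-match": lambda req, pol: re.fullmatch(pol, req) is not None,
    OP + "xpath-match": lambda req, pol: re.fullmatch(xpath_to_regex(pol), req) is not None,
}

def target_applies(target_xml: str, request: dict) -> bool:
    """Evaluate a <Target> built on the proposed TargetType/MatchType against a
    flat request context {designator: value}.  Assumed semantics: the three
    components are ANDed, repeated elements within a component are ORed, and an
    unknown function, missing value or absent attribute never matches."""
    target = ET.fromstring(target_xml)
    for component in ("Subjects", "Resources", "Actions"):
        hit = False
        for m in target.findall(component):
            func = MATCH_FUNCTIONS.get(m.get("Match"))
            designator = m.find("AttributeDesignator").get("Designator")
            policy_value = m.findtext("Attribute/Value")
            if func and policy_value is not None and designator in request \
                    and func(request[designator], policy_value):
                hit = True
                break
        if not hit:
            return False          # fail closed: the Rule is not applicable
    return True

# Constructed Target: 'all subjects' expressed as string-match ".*" (there is no
# reserved 'all' value), resource by xpath-match "//phone", action by string-equal.
TARGET = f"""<Target>
  <Subjects Match="{OP}string-match"><AttributeDesignator Designator="subject-id"/><Attribute><Value>.*</Value></Attribute></Subjects>
  <Resources Match="{OP}xpath-match"><AttributeDesignator Designator="access"/><Attribute><Value>//phone</Value></Attribute></Resources>
  <Actions Match="{OP}string-equal"><AttributeDesignator Designator="action-id"/><Attribute><Value>read</Value></Attribute></Actions>
</Target>"""
```

Note that this xpath-match compares location paths structurally and never evaluates them against a document; a production PDP would resolve both expressions against the request context and compare the resulting node sets.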