OASIS eXtensible Access Control Markup Language (XACML) TC

RE: [xacml] New target schema

  • 1.  RE: [xacml] New target schema

    Posted 07-17-2002 17:02
Maybe it is more consistent to introduce a data type: xpath_expression?

And also: that should be handled as an extension for the standard, IMO. Any implementation will have such needs (I need SQL expressions, and enumerations, and so on...). We should not put too much stuff into the base standard and make it too hard to implement a minimal complying application. And probably return to discussion on whether we should make the declaration schema earlier than later: it is obvious many implementations will need various extensions right away.

BTW, what will be a logical way to make the restriction on comparator functions used in context extensible? Can it be restricted to any function with two arguments that returns a boolean (it would be a runtime error if the datatypes cannot be legally (as declared) converted to the needed datatypes)?

Daniel

3. I need an xpath-match function that compares two xpath expressions. It is used in the XML document access control use case. In the example below, a node set determined by a location path specified in the 'access' attribute in the request context has one or more items that are determined by the //phone xpath expression (some match equality semantics). If the attribute specified in the request context is /a/b/phone, then it matches //phone. Then it is applicable.

<Rule>
  <Target>
    ...
    <Resource>
      <AttributeDesignator Match="xpath-match" DataType="xs:string"
        Designator="/Request/Resources/ResourceAttribute/AttributeMetaData[@Name='access']/../AttributeValue"/>
      <Attribute>
        <Value DataType="xs:string">//phone</Value>
      </Attribute>
    </Resource>
    ...
  </Target>
</Rule>

5. Again, we need to define a support level for each function in terms of quick implementation.

Michiharu
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428

Tim Moses <tim.moses@entrust.com>
2002/07/16 04:11
Please respond to Tim Moses

To: 'XACML' <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] New target schema

Colleagues - What do people think of this? ...

1. Treats action in a way that is identical to the other components of target.

2. Doesn't have a reserved value to indicate 'all'. The value of Attribute and the MatchFunction have to be chosen to indicate 'all', if that is what is desired.

3. All the equality operators are included. Perhaps some should not be allowed for the purposes of target.

4. Function will extend the MatchFunction list.

5. Do the function enumeration values have to be URIs? A string like numeric-equal would be more succinct. If we feel that function definitions would need a namespace qualifier, then we might as well leave the function name as a URI.

6. String-match uses the regular expression syntax.

Let me have your thoughts. All the best. Tim.

<xs:complexType name="TargetType">
        <xs:sequence>
                <xs:element name="Subjects" type="xacml:MatchType" maxOccurs="unbounded"/>
                <xs:element name="Resources" type="xacml:MatchType" maxOccurs="unbounded"/>
                <xs:element name="Actions" type="xacml:MatchType" maxOccurs="unbounded"/>
        </xs:sequence>
</xs:complexType>
<!-- -->
<xs:complexType name="MatchType">
        <xs:sequence>
                <xs:element ref="xacml:AttributeDesignator"/>
                <xs:element ref="xacml:Attribute"/>
        </xs:sequence>
        <xs:attribute name="Match" type="xacml:MatchFunctionType"/>
</xs:complexType>
<!-- -->
<xs:simpleType name="MatchFunctionType">
        <xs:restriction base="xs:anyURI">
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:numeric-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:boolean-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:string-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:date-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:time-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:datetime-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:yearMonthDuration-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:dayTimeDuration-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:gregorian-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:hex-binary-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:base64-binary-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:anyURI-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:QName-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:NOTATION-equal"/>
                <xs:enumeration value="urn:oasis:names:tc:XACML:0.15g:operator:string-match"/>
        </xs:restriction>
</xs:simpleType>

-----------------------------------------
Tim Moses
Tel: 613.270.3183

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription manager: < http://lists.oasis-open.org/ob/adm.pl >
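The following is an added illustration, written for this page and not code from the XACML TC, IBM or Entrust: a toy evaluator for the Target/Match structure Tim proposes, with a function registry shaped the way Daniel asks about (any two-argument function returning a boolean, where a failed datatype conversion is a runtime error rather than a quiet non-match). It also shows point 2 of Tim's mail, expressing 'all' without a reserved value by pairing string-match with the pattern ".*". Assumptions not in the thread: the request context is a plain dict of attribute name to value, the Designator attribute names that dict key directly (the draft uses an XPath into the request context), the Value text is the policy-side operand, and a Target applies only when every child element matches.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

# URI prefix of the draft enumeration in Tim's MatchFunctionType.
NS = "urn:oasis:names:tc:XACML:0.15g:operator:"


class MatchTypeError(Exception):
    """Raised when a request or policy value cannot be converted to the
    function's datatype: a runtime error rather than a silent non-match."""


def _typed(fn, conv):
    """Wrap a two-argument boolean function with datatype conversion."""
    def wrapper(request_value, policy_value):
        try:
            return fn(conv(request_value), conv(policy_value))
        except (ValueError, TypeError) as exc:
            raise MatchTypeError(
                f"cannot convert {request_value!r} / {policy_value!r}: {exc}") from exc
    return wrapper


def _bool(s):
    s = str(s).strip().lower()
    if s in ("true", "1"):
        return True
    if s in ("false", "0"):
        return False
    raise ValueError(f"not a boolean: {s!r}")


# Registry keyed by the draft's function URIs.  The only shape constraint is
# "two arguments, returns a boolean", so an extension such as an xpath-match
# or SQL-expression function would simply be another entry (assumption).
MATCH_FUNCTIONS = {
    NS + "numeric-equal": _typed(lambda a, b: a == b, float),
    NS + "boolean-equal": _typed(lambda a, b: a == b, _bool),
    NS + "string-equal": _typed(lambda a, b: a == b, str),
    NS + "anyURI-equal": _typed(lambda a, b: a == b, str),
    NS + "date-equal": _typed(lambda a, b: a == b,
                              lambda s: date.fromisoformat(str(s))),
    # string-match uses regular-expression syntax (point 6): the policy
    # value is the pattern, the request value is the subject string.
    NS + "string-match": _typed(
        lambda subject, pattern: re.fullmatch(pattern, subject) is not None, str),
}


def evaluate_match(match_elem, context):
    """Evaluate one Subjects/Resources/Actions element of the proposed
    MatchType against a request context (here a plain dict, an assumption)."""
    func_uri = match_elem.get("Match")
    if func_uri not in MATCH_FUNCTIONS:
        raise MatchTypeError(f"unknown match function {func_uri!r}")
    # Assumption: Designator names the context attribute directly; the draft
    # uses an XPath into the request context instead.
    designator = match_elem.find("AttributeDesignator").get("Designator")
    policy_value = match_elem.find("Attribute/Value").text
    if designator not in context:
        return False  # attribute absent from the request: no match
    return MATCH_FUNCTIONS[func_uri](context[designator], policy_value)


def target_applies(target_elem, context):
    """The Target applies when every child match element matches.  How several
    elements of one kind combine is not settled in the mail; 'all must match'
    is this example's assumption."""
    return all(evaluate_match(m, context) for m in target_elem)


def decide(target_xml, context):
    return target_applies(ET.fromstring(target_xml), context)


# Constructed sample Target in the proposed shape.  There is no reserved
# 'all' value (point 2): the Actions element says 'any action' by pairing
# string-match with the pattern ".*".
SAMPLE_TARGET = f"""
<Target>
  <Subjects Match="{NS}string-equal">
    <AttributeDesignator Designator="subject-id"/>
    <Attribute><Value DataType="xs:string">alice</Value></Attribute>
  </Subjects>
  <Resources Match="{NS}string-match">
    <AttributeDesignator Designator="resource-id"/>
    <Attribute><Value DataType="xs:string">/records/.*</Value></Attribute>
  </Resources>
  <Actions Match="{NS}string-match">
    <AttributeDesignator Designator="action-id"/>
    <Attribute><Value DataType="xs:string">.*</Value></Attribute>
  </Actions>
</Target>
"""

if __name__ == "__main__":
    request = {"subject-id": "alice", "resource-id": "/records/42", "action-id": "read"}
    print(decide(SAMPLE_TARGET, request))
```

Because the registry converts both operands before comparing, numeric-equal treats "007" and "7" as equal while string-equal does not, which is the practical difference between the typed operators in the enumeration; a value that cannot be converted surfaces as MatchTypeError at evaluation time, which is the behaviour Daniel suggests for mismatched datatypes.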