OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] [CR] Do not include functions, depending on sequence

    Posted 08-24-2002 08:39
    Proposal: Exclude <type>-first, <type>-rest, <type>-sequence-equal functions from the core set. Possibly leave them as non-mandatory functions. Add <type>-set-equal function with semantics of unordered set equality, and <type>-subset functions (the second one is already in the latest version of the appendix). Leave <type>-first-and-only sequence to singleton conversion function.

    Reasoning: XACML data model specification - PIP and virtual context - does not guarantee any order for attributes occurring multiple times in the context - not even within the same rule at evaluation instance - nor to be immutable in time.

    For example: if writing a rule that restricts access to a resource, unless its ID is "member-of" one of the "resourcesID" attribute, PIP may retrieve the sequence from an external source, such as relational database, directory or from XML document(s). It is to be expected that the order of the sequence of such attributes is not specified, that no sorting criteria can be universally defined, and that no guarantee that the next retrieval will preserve the order is given. It is not, and cannot be, reliably specified what the persistence model of such ordered sequence of values is, once it is retrieved, and whether it is not permutable.

    Thus, any rule written with reliance on the order in the sequence may produce inconsistent results for the same logical state of the context, for different evaluations, and even for the same evaluation, if done in parallel. This I consider the worst possible behavior for such a system.

    Other reasoning: There is no use case for type-rest() function suggested. As an example - try to write a condition returning true if every element in an arbitrary sequence of numbers is greater than 3. (My solution is to define an extension function performing such comparison - when it is needed.)
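The following is an added illustration of the argument in the post above; it is not code from the post, from the XACML TC or from any XACML implementation. It models the disputed functions (<type>-first, <type>-rest, the proposed <type>-set-equal, <type>-subset and <type>-first-and-only) as plain Python functions with assumed names, then evaluates a rule built on `first` and a rule built on an "every element greater than 3" extension function against every ordering of the same multi-valued attribute bag. The bag contents are constructed sample data. The point it shows is the one the post makes: a rule that depends on sequence order yields different decisions for the same logical context, while set-based functions and the extension function yield exactly one.

```python
from itertools import permutations

# Constructed sample bags, standing in for multi-valued attributes a PIP might
# return. XACML gives no order guarantee, so any ordering is equally valid.
RESOURCE_IDS = ["doc-17", "doc-42", "doc-99"]
SCORES = [5, 2, 7]


def type_first(seq):
    """Model of <type>-first: depends on the bag's ordering (assumed name)."""
    if not seq:
        raise ValueError("first of an empty sequence")
    return seq[0]


def type_rest(seq):
    """Model of <type>-rest: depends on the bag's ordering (assumed name)."""
    if not seq:
        raise ValueError("rest of an empty sequence")
    return list(seq[1:])


def type_set_equal(a, b):
    """Proposed <type>-set-equal: unordered equality, duplicates ignored."""
    return set(a) == set(b)


def type_subset(a, b):
    """<type>-subset: every value of a occurs in b, regardless of order."""
    return set(a) <= set(b)


def type_first_and_only(bag):
    """<type>-first-and-only: bag-to-singleton conversion; rejects any other size."""
    if len(bag) != 1:
        raise ValueError(f"expected exactly one value, got {len(bag)}")
    return bag[0]


def all_greater_than(seq, threshold):
    """The extension function the post suggests: true iff every element > threshold."""
    return all(x > threshold for x in seq)


def resource_permitted(resource_id, resource_ids):
    """The post's example rule: permit only if the ID is a member of the bag.
    Membership is order-independent, so this is safe to write against a bag."""
    return resource_id in set(resource_ids)


def outcomes_over_orderings(rule, seq):
    """Evaluate `rule` against every ordering of `seq` and collect the distinct
    results. A rule that is well-defined over a bag must produce exactly one."""
    return {rule(list(p)) for p in permutations(seq)}


def order_dependent_rule(seq):
    # Relies on which value happens to come first: inconsistent across orderings.
    return type_first(seq) > 3


def order_independent_rule(seq):
    # Uses the extension function instead of first/rest: one answer for all orderings.
    return all_greater_than(seq, 3)


if __name__ == "__main__":
    print("first(x) > 3 over all orderings:", outcomes_over_orderings(order_dependent_rule, SCORES))
    print("all(x) > 3 over all orderings:  ", outcomes_over_orderings(order_independent_rule, SCORES))
    print("set-equal of two orderings:     ", type_set_equal(RESOURCE_IDS, RESOURCE_IDS[::-1]))
    print("doc-42 permitted:               ", resource_permitted("doc-42", RESOURCE_IDS))
```

Running it prints a two-element outcome set for the `first`-based rule and a single-element set for the extension-function rule, which is the inconsistency the post describes: same context, different decisions, purely as a function of retrieval order.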