OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] XACML Request as "notional" XML document

    Posted 07-19-2002 12:49
    Tim had asked me to ask Eve Maler what she thought about our idea of the XACML Request being a "notional" document, rather than a physical document. I see two "issues" from her response:

    1. Should we rename XACML "Request" to "Query"?
    2. Do we want to incur the cost of "data bindings" and "DOM-based processing" to handle references to such a "notional" XML document?

    Anne

    ------- start of forwarded message -------
    From: "Eve L. Maler" <eve.maler@sun.com>
    To: Anne.Anderson@sun.com
    Subject: Re: "notional" XML document
    Date: Thu, 18 Jul 2002 15:51:56 -0400

    Hi Anne,

    A question before I try to answer yours: If the XACML Request element is sort of a SAML AuthorizationDecisionQuery, should it really be called a Query instead? SAML's query and request levels really do two different things; the request is the wrapper that has some housekeeping stuff and the query contains the "guts".

    Regarding the notion of notional documents :-): I'm having a little trouble picturing what's going on. I could see a policy being accessed in a virtual manner, but why would a request need to be accessed this way? But assuming that it does, there's often no problem in treating XML structures virtually rather than physically. Data bindings and DOM-based processing do this; they certainly don't physically walk an angle-bracket-laden flat file. The sort of problem you might have with this is dereferencing unique IDs for policies/requests/whatever; you just need to be sure that what you're accessing is persistent enough for your purposes.

    I still may be missing your point, though. If you think F2F conversation might help, perhaps we could get together tomorrow. (I'm working from home today.) What do you think?

    Eve

    Anne Anderson wrote:
    > XACML is defining an XML document, called the xacml:Request, that
    > will describe the access request being evaluated. This document
    > is similar to a SAML AuthorizationDecisionQuery, but is designed
    > for XACML requirements and extensibility (it is easy to map a
    > SAML AuthorizationDecisionQuery into the XACML document, and
    > being able to do so was a strong requirement for us).
    >
    > We are treating this Request as a "notional" document, rather
    > than necessarily as a physical XML document. Tim Moses suggested
    > I ask you about your opinion on this.
    >
    > By "notional" document, I mean that an XACML policy can "refer"
    > to the information in the Request document that is not physically
    > in any single XML document. For example, my XACML policy can
    > refer to a "Role" attribute in the "Subjects" section of the
    > Request, and have that reference trigger a behind the scenes
    > query to an Attribute Authority to obtain the value of such an
    > attribute for the subject. The reference results in the value
    > for the attribute, if it was found by the AA, just as if the
    > value had been in a physical document somewhere. If no value
    > could be obtained, the reference results in a "null" value or
    > error, just as if the value were not in a physical document.
    >
    > Any comments?
    >
    > Anne

    --
    Eve Maler                                    +1 781 442 3190
    Sun Microsystems                        cell +1 781 883 5917
    XML Web Services / Industry Initiatives      eve.maler @ sun.com
    ------- end of forwarded message -------

    --
    Anne H. Anderson               Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
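The mechanism Anne describes (a policy referring to `Subjects/Role`, the reference being served from the physical request if present and otherwise by a behind-the-scenes query to an Attribute Authority, with "null" or error if nothing comes back) can be shown as a small resolver. The following is an added illustration written for this page; it is not code from the XACML TC, from Sun, or from any XACML implementation. The request layout, the `RequestContext`, `Resolution` and `attribute_authority_finder` names, the sample subjects and roles, and the rule that missing maps to NotApplicable and error to Indeterminate are all constructed for the example. The per-evaluation cache is there to address Eve's point that whatever a reference resolves to must stay persistent enough for the duration of the evaluation.

```python
"""Added example: a 'notional' XACML request resolved partly on demand."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the physical part of the request, as a PEP might send it.
PHYSICAL_REQUEST = {
    "Subjects": {"subject-id": "alice"},
    "Resource": {"resource-id": "file:///payroll/report.pdf"},
    "Action": {"action-id": "read"},
}

# Constructed sample: what a hypothetical Attribute Authority knows about subjects.
AA_DIRECTORY = {
    "alice": {"Role": "auditor"},
    "bob": {"Role": "intern"},
}

# Records every AA query so callers can see how often the AA is actually hit.
AA_QUERY_LOG: List[Tuple[Optional[str], str]] = []


@dataclass
class Resolution:
    """Outcome of dereferencing one attribute: found (with value), missing, or error."""
    status: str
    value: Optional[str] = None


# An attribute finder answers (category, attribute_id) for a given physical request,
# or returns None if it has no opinion about that category.
Finder = Callable[[str, str, dict], Optional[Resolution]]


def attribute_authority_finder(category: str, attribute_id: str, request: dict) -> Optional[Resolution]:
    """Hypothetical AA lookup triggered when a policy references a subject attribute."""
    if category != "Subjects":
        return None  # this AA only answers questions about subjects
    subject = request.get("Subjects", {}).get("subject-id")
    AA_QUERY_LOG.append((subject, attribute_id))
    if subject is None:
        return Resolution("error")  # no identifier to query the AA with: an error, not a null
    roles = AA_DIRECTORY.get(subject)
    if roles is None or attribute_id not in roles:
        return Resolution("missing")  # the AA simply has no such value: a null
    return Resolution("found", roles[attribute_id])


@dataclass
class RequestContext:
    """The notional request: physical attributes plus finders consulted on demand."""
    physical: dict
    finders: List[Finder] = field(default_factory=list)
    _cache: Dict[Tuple[str, str], Resolution] = field(default_factory=dict)

    def resolve(self, category: str, attribute_id: str) -> Resolution:
        key = (category, attribute_id)
        if key in self._cache:
            return self._cache[key]  # same answer for the whole evaluation, however often referenced
        value = self.physical.get(category, {}).get(attribute_id)
        if value is not None:
            result = Resolution("found", value)  # physically present: no AA query needed
        else:
            result = Resolution("missing")
            for finder in self.finders:
                answer = finder(category, attribute_id, self.physical)
                if answer is not None:
                    result = answer
                    break
        self._cache[key] = result
        return result


def evaluate_role_policy(ctx: RequestContext, required_role: str) -> str:
    """Constructed rule: Permit if Subjects/Role equals required_role, Deny if it is another
    value, NotApplicable if no role could be obtained, Indeterminate if resolution errored."""
    role = ctx.resolve("Subjects", "Role")
    if role.status == "error":
        return "Indeterminate"
    if role.status == "missing":
        return "NotApplicable"
    return "Permit" if role.value == required_role else "Deny"


if __name__ == "__main__":
    ctx = RequestContext(PHYSICAL_REQUEST, [attribute_authority_finder])
    print(evaluate_role_policy(ctx, "auditor"))  # Role came from the AA, not the request
    print(len(AA_QUERY_LOG), "AA query made")
```

The policy code never learns whether `Role` was in the request or fetched from the AA, which is the point of treating the request as notional; the distinction that does surface is between "no value" and "could not resolve", because a policy has to decide differently in the two cases.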