OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Issue: SubjectsType and ResourcesType definitions

  • 1.  [xacml] Issue: SubjectsType and ResourcesType definitions

    Posted 07-10-2002 14:56
    In draft-xacml-schema-core-14b.xsd, the Target elements Subjects and
    Resources are defined as follows:

        <xs:complexType name="SubjectsType">
          <xs:sequence maxOccurs="unbounded">
            <xs:element ref="xacml:Attribute"/>
          </xs:sequence>
        </xs:complexType>
        <!-- -->
        <xs:complexType name="ResourcesType">
          <xs:sequence maxOccurs="unbounded">
            <xs:element ref="xacml:Attribute"/>
          </xs:sequence>
        </xs:complexType>

    Presumably, the idea was that the Target "applied" if an attribute that
    matched the specified Attribute elements existed in the request.

    Problems:

    1. This does not provide a way to match on SubjectId or KeyInfo.
    2. Are the semantics a requirement that the match occur on ALL attributes
       or on ANY attribute?
    3. What does "match" mean? Is it implicitly our "xacml:equals", where the
       AttributeValue must be one of the types "xacml:equals" is defined as
       applying to?

    I don't feel particularly strongly about exactly how we resolve these,
    but I think they must be resolved.

    Recommendations:

    1. Change the element definition from "xacml:Attribute" to a combination
       of a pointer into the Request and a value that the element at that
       pointer must match. Something like the following:

        <xs:complexType name="SubjectsType">
          <xs:sequence maxOccurs="unbounded">
            <xs:element name="RequiredAttributeMatch"
                        type="xacml:RequiredAttributeMatchType"/>
          </xs:sequence>
        </xs:complexType>
        <xs:complexType name="RequiredAttributeMatchType">
          <xs:sequence>
            <xs:element name="RequiredMatchingValue" type="xs:anyURI"/>
          </xs:sequence>
          <xs:attribute name="RequestValue" type="xs:string" use="required"/>
          <!-- where string is an XPATH location path into the Request -->
        </xs:complexType>

       Example: to say a rule applies to an AccessSubject that has an
       RFC822Name SubjectID of "*.Simpson@Simpsons.com" AND at least one
       subject has an Attribute with name "role" and value
       "SystemAdministrator":

        <Target>
          <Subjects>
            <RequiredAttributeMatch
                RequestValue="/Request/Subject[@SubjectCategory='urn:...AccessSubject']/SubjectId[@Format='urn:...:RFC822Name']">
              <RequiredMatchingValue>*.Simpson@Simpsons.COM</RequiredMatchingValue>
            </RequiredAttributeMatch>
            <RequiredAttributeMatch
                RequestValue="/Request/Subject/Attribute/AttributeMetaData[@AttributeName='role']/AttributeValue">
              <RequiredMatchingValue>SystemAdministrator</RequiredMatchingValue>
            </RequiredAttributeMatch>
          </Subjects>
          ....
        </Target>

    2. Specify that ALL attributes within Subjects must match and ALL
       attributes within Resources must match. I suggest this by the name
       "RequiredAttributeMatch".
    3. Specify that the matching operation is "xacml:equals", and that the
       types of the value pointed to by the AttributeSelector and the
       specified AttributeValue itself must match and must be among the
       types supported by the definition of "xacml:equals".

    We could omit the RequiredMatchingValue and simply use XPATH to specify
    the required element and its value. But then we would be limited to
    exact string matches on request element values, and we also could not
    use regular expression matching on strings (which I assume xacml:equals
    will support).

    Anne
    --
    Anne H. Anderson                   Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories      Tel:   781/442-0928
    1 Network Drive, UBUR02-311        Fax:   781/442-1692
    Burlington, MA 01803-0902 USA
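Added example, not part of the message above or of any XACML draft: a small Python evaluator for the proposed RequiredAttributeMatch semantics (ALL entries under Subjects must be satisfied; one entry is satisfied by ANY node its location path selects, and a path that selects nothing never satisfies it). It assumes a constructed Request layout shaped to fit the post's location paths, paths written relative to the Request root in the XPath subset ElementTree supports, and a shell-style wildcard as a stand-in for the match operator the post leaves open.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample Request (hypothetical element layout chosen to fit the
# post's XPath location paths; not taken from any XACML draft).
REQUEST_XML = """<Request>
  <Subject SubjectCategory="urn:example:AccessSubject">
    <SubjectId Format="urn:example:RFC822Name">Bart.Simpson@Simpsons.COM</SubjectId>
  </Subject>
  <Subject SubjectCategory="urn:example:RecipientSubject">
    <Attribute>
      <AttributeMetaData AttributeName="role">
        <AttributeValue>SystemAdministrator</AttributeValue>
      </AttributeMetaData>
    </Attribute>
  </Subject>
</Request>"""

# The post's <Subjects> example as (RequestValue, RequiredMatchingValue) pairs.
# Paths are relative to the Request root because ElementTree supports only a
# subset of XPath; the URNs are placeholders for the elided ones in the post.
SUBJECTS_TARGET = [
    ("Subject[@SubjectCategory='urn:example:AccessSubject']"
     "/SubjectId[@Format='urn:example:RFC822Name']", "*.Simpson@Simpsons.COM"),
    ("Subject/Attribute/AttributeMetaData[@AttributeName='role']/AttributeValue",
     "SystemAdministrator"),
]


def values_match(request_value, required_value):
    """Assumed match operator (stand-in for xacml:equals): exact string
    equality, or a shell-style wildcard when the required value has '*'/'?'."""
    if any(c in required_value for c in "*?"):
        return fnmatch.fnmatchcase(request_value, required_value)
    return request_value == required_value


def target_applies(request_root, required_matches):
    """Recommendation 2: ALL RequiredAttributeMatch entries must be satisfied.
    An entry is satisfied if ANY node its path selects carries a matching
    value; an attribute missing from the Request never satisfies an entry."""
    for xpath, required_value in required_matches:
        selected = [n.text.strip() for n in request_root.findall(xpath) if n.text]
        if not any(values_match(v, required_value) for v in selected):
            return False
    return True


def parse_request(xml_text):
    return ET.fromstring(xml_text)
```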