The original draft proposal is
http://lists.oasis-open.org/archives/xacml/200304/msg00040.html
===================
Proposed XACML 1.1 Solution for Item F1:"Properties for new combining
algorithms"
Problem Description
===================
The current XACML language model allows policy writers to specify custom
rule/policy combining algorithms as one of the extension point (line 419
"Users of this specification may, if necessary, define their own combining
algorithms"). In some cases, those custom algorithms need additional
parameter(s) associated with each rule or policy. For example,
priority-based combining algorithm needs a priority number attached to each
rule, and hierarchy-based combining algorithm needs a hierarchy level
attached to each rule.
The current XACML schema has no space to specify such custom parameters in
rule/policy specifications. This proposal extends the current schema to
hold an optional <Property> element below <PolicySet>, <Policy>, <Rule>
elements just like another <Description> element which is used for
specifying textual information for human-users. The <Property> element is
intended for use by the machine (combining algorithm).
Proposal
========
1. Define new element <Property> in policy schema.
2. Change definition of <PolicySet>, <Policy>, and <Rule> elements to
optionally include <Property> element.
3. Import xacml:context schema to reuse <Attribute> definition in the
xacml:policy schema.
4. Change to specification
Proposed Solution
=================
1. Define new element <Property> in policy schema.
<xs:element name="Property" type="xacml:PropertyType"/>
<xs:complexType name="PropertyType">
<xs:sequence>
<xs:element ref="xacml-context:Attribute" minOccurs="1"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
- Property can include one or more attribute type-value pairs.
2. Change definition of <PolicySet>, <Policy>, and <Rule> elements to
optionally include <Property> element.
<xs:complexType name="PolicySetType">
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Property" minOccurs="0"/>
<xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
<xs:element ref="xacml:Target"/>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="xacml:PolicySet"/>
<xs:element ref="xacml:Policy"/>
<xs:element ref="xacml:PolicySetIdReference"/>
<xs:element ref="xacml:PolicyIdReference"/>
</xs:choice>
<xs:element ref="xacml:Obligations" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
<xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use
="required"/>
</xs:complexType>
<xs:complexType name="PolicyType">
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Property" minOccurs="0"/>
<xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
<xs:element ref="xacml:Target"/>
<xs:element ref="xacml:Rule" minOccurs="0" maxOccurs
="unbounded"/>
<xs:element ref="xacml:Obligations" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
<xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use
="required"/>
</xs:complexType>
<xs:complexType name="RuleType">
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Property" minOccurs="0"/>
<xs:element ref="xacml:Target" minOccurs="0"/>
<xs:element ref="xacml:Condition" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
- Note that <Property> is inserted below every <Description> element.
3. Import xacml:context schema to reuse <Attribute> decifinition the
xacml:policy schema
<xs:import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation
="cs-xacml-schema-context-01.xsd"/>
4. Change to specification
Line 419: Users of this specification may, if necessary, define their own
combining algorithms. If their algorithms needs custom parameters on each
policy set, policy, and rule, the users can use optional <Property> element
to specify those parameters. If that is the case,
Line 1769: Add a new line
<xs:element ref="xacml-context:Property" minOccurs="0"/>
Line 1797: Add new lines
<Property> [Optional]
One or more attribute type-value pairs used by the custom policy set
combining algorithm.
Line 2075: Add a new line
<xs:element ref="xacml-context:Property" minOccurs="0"/>
Line 2096: Add new lines
<Property> [Optional]
One or more attribute type-value pairs used by the custom policy combining
algorithm.
Line 2136: Add a new line
<xs:element ref="xacml-context:Property" minOccurs="0"/>
Line 2150: Add new lines
<Property> [Optional]
One or more attribute type-value pairs used by the custom rule combining
algorithm.
Line 4590, 4647, 4694, 4752, 4802, 4840, and 4879: Add the following
sentence
If one or more attribute type-value pairs are specified in the <Property>
element, they SHALL be ignored.
Discussion
==========
- A sample policy specification is:
<Policy RuleCombiningAlgId="myCombiningAlgo">
<Rule>
<Property>
<Attribute AttributeId="MyRuleTypeAttribute" DataType="...String">
<AttributeValue>strong</AttributeValue>
</Attribute>
</Property>
<Target>...
<Condition>...
</Rule>
<Rule>
<Property>
<Attribute AttributeId="MyRuleTypeAttribute" DataType="...String">
<AttributeValue>weak</AttributeValue>
</Attribute>
</Property>
<Target>...
<Condition>...
</Rule>
</Policy>
In this example, a custom combining algorithm called "myCombiningAlgo" uses
a rule type attribute "strong" or "weak" attached to each rule when it
evaluates the policy.
- For backward compatibility purpose, <Property> SHALL be ignored when it
is specified with the standard combining algorithm.
Michiharu Kudo