OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Proposed XACML 1.1 Solution for Item F1: Properties for new combining algorithms

    Posted 05-08-2003 04:09
    The original draft proposal is
    http://lists.oasis-open.org/archives/xacml/200304/msg00040.html
    
    ===================
    Proposed XACML 1.1 Solution for Item F1:"Properties for new combining
    algorithms"
    
    Problem Description
    ===================
    
    The current XACML language model allows policy writers to specify custom
    rule/policy combining algorithms as one of the extension points (line 419
    "Users of this specification may, if necessary, define their own combining
    algorithms"). In some cases, those custom algorithms need additional
    parameter(s) associated with each rule or policy. For example, a
    priority-based combining algorithm needs a priority number attached to each
    rule, and a hierarchy-based combining algorithm needs a hierarchy level
    attached to each rule.
    
    The current XACML schema has no place to specify such custom parameters in
    rule/policy specifications. This proposal extends the current schema to
    hold an optional <Property> element below the <PolicySet>, <Policy>, and <Rule>
    elements, just like the <Description> element, which is used for
    specifying textual information for human users. The <Property> element is
    intended for use by the machine (combining algorithm).
    
    Proposal
    ========
    
    1. Define new element <Property> in policy schema.
    2. Change definition of <PolicySet>, <Policy>, and <Rule> elements to
    optionally include <Property> element.
    3. Import xacml:context schema to reuse <Attribute> definition in the
    xacml:policy schema.
    4. Change to specification
    
    Proposed Solution
    =================
    
    1. Define new element <Property> in policy schema.
    
    <xs:element name="Property" type="xacml:PropertyType"/>
    <xs:complexType name="PropertyType">
          <xs:sequence>
                <xs:element ref="xacml-context:Attribute" minOccurs="1"
    maxOccurs="unbounded"/>
          </xs:sequence>
    </xs:complexType>
    
    - Property can include one or more attribute type-value pairs.
    
    2. Change definition of <PolicySet>, <Policy>, and <Rule> elements to
    optionally include <Property> element.
    
    <xs:complexType name="PolicySetType">
          <xs:sequence>
                <xs:element ref="xacml:Description" minOccurs="0"/>
                <xs:element ref="xacml:Property" minOccurs="0"/>
                <xs:element ref="xacml:PolicySetDefaults" minOccurs="0"/>
                <xs:element ref="xacml:Target"/>
                <xs:choice minOccurs="0" maxOccurs="unbounded">
                      <xs:element ref="xacml:PolicySet"/>
                      <xs:element ref="xacml:Policy"/>
                      <xs:element ref="xacml:PolicySetIdReference"/>
                      <xs:element ref="xacml:PolicyIdReference"/>
                </xs:choice>
                <xs:element ref="xacml:Obligations" minOccurs="0"/>
          </xs:sequence>
          <xs:attribute name="PolicySetId" type="xs:anyURI" use="required"/>
          <xs:attribute name="PolicyCombiningAlgId" type="xs:anyURI" use
    ="required"/>
    </xs:complexType>
    
    <xs:complexType name="PolicyType">
          <xs:sequence>
                <xs:element ref="xacml:Description" minOccurs="0"/>
                <xs:element ref="xacml:Property" minOccurs="0"/>
                <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/>
                <xs:element ref="xacml:Target"/>
                <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs
    ="unbounded"/>
                <xs:element ref="xacml:Obligations" minOccurs="0"/>
          </xs:sequence>
          <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
          <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use
    ="required"/>
    </xs:complexType>
    
    <xs:complexType name="RuleType">
          <xs:sequence>
                <xs:element ref="xacml:Description" minOccurs="0"/>
                <xs:element ref="xacml:Property" minOccurs="0"/>
                <xs:element ref="xacml:Target" minOccurs="0"/>
                <xs:element ref="xacml:Condition" minOccurs="0"/>
          </xs:sequence>
          <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
          <xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
    </xs:complexType>
    
    - Note that <Property> is inserted below every <Description> element.
    
    3. Import xacml:context schema to reuse <Attribute> definition in the
    xacml:policy schema
    
    <xs:import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation
    ="cs-xacml-schema-context-01.xsd"/>
    
    
    4. Change to specification
    
    Line 419: Users of this specification may, if necessary, define their own
    combining algorithms. If their algorithms need custom parameters on each
    policy set, policy, and rule, the users can use the optional <Property> element
    to specify those parameters. If that is the case,
    
    Line 1769: Add a new line
    <xs:element ref="xacml:Property" minOccurs="0"/>
    
    Line 1797: Add new lines
    <Property> [Optional]
    One or more attribute type-value pairs used by the custom policy set
    combining algorithm.
    
    Line 2075: Add a new line
    <xs:element ref="xacml:Property" minOccurs="0"/>
    
    Line 2096: Add new lines
    <Property> [Optional]
    One or more attribute type-value pairs used by the custom policy combining
    algorithm.
    
    Line 2136: Add a new line
    <xs:element ref="xacml:Property" minOccurs="0"/>
    
    Line 2150: Add new lines
    <Property> [Optional]
    One or more attribute type-value pairs used by the custom rule combining
    algorithm.
    
    Lines 4590, 4647, 4694, 4752, 4802, 4840, and 4879: Add the following
    sentence
    If one or more attribute type-value pairs are specified in the <Property>
    element, they SHALL be ignored.
    
    
    Discussion
    ==========
    
    - A sample policy specification is:
    
    <Policy RuleCombiningAlgId="myCombiningAlgo">
      <Rule>
        <Property>
          <Attribute AttributeId="MyRuleTypeAttribute" DataType="...String">
            <AttributeValue>strong</AttributeValue>
          </Attribute>
        </Property>
        <Target>...
        <Condition>...
      </Rule>
      <Rule>
        <Property>
          <Attribute AttributeId="MyRuleTypeAttribute" DataType="...String">
            <AttributeValue>weak</AttributeValue>
          </Attribute>
        </Property>
        <Target>...
        <Condition>...
      </Rule>
    </Policy>
    
    In this example, a custom combining algorithm called "myCombiningAlgo" uses
    a rule type attribute "strong" or "weak" attached to each rule when it
    evaluates the policy.
    
    - For backward compatibility purposes, <Property> SHALL be ignored when it
    is specified with a standard combining algorithm.
    
    Michiharu Kudo
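The kind of custom combining algorithm the proposal has in mind, as an added Python example that is not part of Kudo's post or of any XACML implementation: a priority-based rule-combining algorithm reads its per-rule parameter from the proposed <Property> element, while the standard deny-overrides algorithm ignores <Property> as the proposal requires. The algorithm identifier, the priority AttributeId, the RuleIds and the sample policy are constructed for this example; namespaces are omitted as in the proposal's own sample, and Target/Condition evaluation is supplied as per-rule results because the post elides them. The deny-overrides ordering follows the XACML 1.0 pseudocode.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")

# Standard XACML 1.0 identifier.
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
# Hypothetical identifiers for the custom algorithm and its <Property> parameter
# (assumptions for this example; not defined by the proposal or the specification).
PRIORITY_ALG = "urn:example:xacml:rule-combining-algorithm:highest-priority"
PRIORITY_ATTR = "urn:example:xacml:property:priority"


@dataclass
class Rule:
    rule_id: str
    effect: str        # "Permit" or "Deny"
    properties: dict   # AttributeId -> list of AttributeValue strings


def parse_policy(xml_text):
    """Return (RuleCombiningAlgId, [Rule, ...]); collects <Property> attributes."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for r in root.findall("Rule"):
        props = {}
        prop = r.find("Property")
        if prop is not None:
            for attr in prop.findall("Attribute"):
                values = [v.text or "" for v in attr.findall("AttributeValue")]
                props.setdefault(attr.get("AttributeId"), []).extend(values)
        rules.append(Rule(r.get("RuleId"), r.get("Effect"), props))
    return root.get("RuleCombiningAlgId"), rules


def priority_of(rule):
    """Integer priority carried in <Property>, or None if absent or malformed."""
    values = rule.properties.get(PRIORITY_ATTR, [])
    if len(values) != 1:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def combine_highest_priority(rules, results):
    """Custom algorithm: the applicable rule with the highest priority decides.

    results maps RuleId -> that rule's own decision after Target/Condition
    evaluation. A missing or malformed priority on an applicable rule, or an
    Indeterminate rule whose priority could outrank the winner, yields
    Indeterminate so that a bad parameter never silently grants access."""
    best = None            # (priority, decision) of the winning applicable rule
    pending_error = None   # highest priority among Indeterminate rules
    for rule in rules:
        decision = results.get(rule.rule_id, NOT_APPLICABLE)
        if decision == NOT_APPLICABLE:
            continue
        prio = priority_of(rule)
        if prio is None:
            return INDETERMINATE
        if decision == INDETERMINATE:
            pending_error = prio if pending_error is None else max(pending_error, prio)
            continue
        if best is None or prio > best[0]:
            best = (prio, decision)
        elif prio == best[0] and decision == DENY:
            best = (prio, DENY)   # tie between Permit and Deny: Deny wins
    if best is None:
        return INDETERMINATE if pending_error is not None else NOT_APPLICABLE
    if pending_error is not None and pending_error >= best[0]:
        return INDETERMINATE
    return best[1]


def combine_deny_overrides(rules, results):
    """Standard deny-overrides (XACML 1.0 ordering); <Property> is ignored."""
    at_least_one_permit = at_least_one_error = potential_deny = False
    for rule in rules:
        decision = results.get(rule.rule_id, NOT_APPLICABLE)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == DENY:
                potential_deny = True
    if at_least_one_error and potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


ALGORITHMS = {PRIORITY_ALG: combine_highest_priority,
              DENY_OVERRIDES: combine_deny_overrides}


def evaluate_policy(xml_text, results):
    alg_id, rules = parse_policy(xml_text)
    if alg_id not in ALGORITHMS:
        return INDETERMINATE   # unknown combining algorithm is an error
    return ALGORITHMS[alg_id](rules, results)


def sample_policy(alg_id):
    """Constructed policy in the shape of the proposal's sample (no namespaces)."""
    return f"""
<Policy PolicyId="urn:example:policy:1" RuleCombiningAlgId="{alg_id}">
  <Rule RuleId="allow-admins" Effect="Permit">
    <Property>
      <Attribute AttributeId="{PRIORITY_ATTR}" DataType="http://www.w3.org/2001/XMLSchema#integer">
        <AttributeValue>100</AttributeValue>
      </Attribute>
    </Property>
  </Rule>
  <Rule RuleId="deny-after-hours" Effect="Deny">
    <Property>
      <Attribute AttributeId="{PRIORITY_ATTR}" DataType="http://www.w3.org/2001/XMLSchema#integer">
        <AttributeValue>50</AttributeValue>
      </Attribute>
    </Property>
  </Rule>
  <Rule RuleId="audit-only" Effect="Permit"/>
</Policy>
"""


if __name__ == "__main__":
    both = {"allow-admins": PERMIT, "deny-after-hours": DENY}
    print(evaluate_policy(sample_policy(PRIORITY_ALG), both))    # Permit (100 beats 50)
    print(evaluate_policy(sample_policy(DENY_OVERRIDES), both))  # Deny (Property ignored)
```

Running the block shows the same two applicable rules combining to Permit under the custom algorithm, which consults the priorities, and to Deny under the standard algorithm, which does not; the `audit-only` rule carries no <Property>, so the custom algorithm returns Indeterminate whenever that rule applies, rather than guessing a default priority.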