OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] request and response context schema

    Posted 05-16-2002 09:25



    Hi Carlisle,
     
    1) In AttributeDesignator, should Issuer be a string or an anyURI?  You currently have it as an anyURI but I wonder if string would be a better choice (note that it is a string in the SAML Assertion).
     
    Issuer can be a string, although I prefer URI.
     
    2) In ResourceSpecifier, I would suggest changing "ResourceURI" to something like "ResourceLocator", since this more clearly says what it is for.  Also, I would add another attribute called "ResourceName" (of type anyURI).
     
    Could you please explain more what ResourceLocator will be used for?
     
    3) It is not clear to me why DecisionType has been defined.  It seems to me that in many cases it will not give sufficient information (in particular, "Permit Read FileX" is not an appropriate answer if the question is "can Joe Read FileX?").
     
    Do you think 'subject' should be included as well in 'decision-type'? I was thinking that subject could be matched from the input context, but it also could be included in the output context.
     
    4) If DecisionType is kept, Action should be of type string (not anyURI), and I would recommend adding the element AbstractPrincipal (to address my concern in (3)).  All three pieces of information (i.e., ResourceName, Action, and AbstractPrincipal) should be optional.
     
    I agree that we could extend decision-type with principal information (see above).
    Why do you think action should be made into a string? If it is a string we need additional attributes on the <action> element to classify it.
     
    Simon
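The two design choices argued over in this exchange (Issuer and Action typed as anyURI rather than string, and a decision type that carries the principal, resource and action it answers for) can be made concrete with a small evaluator. The following is an added example, not code from the XACML TC thread or from any XACML implementation: it uses the element and attribute names mentioned in the thread (AttributeDesignator, Issuer, ResourceSpecifier, ResourceURI, DecisionType, Action, AbstractPrincipal, ResourceName), but the document layout, the Subject Id attribute, the policy dictionary and all identifiers such as urn:example:hr are assumptions constructed for illustration, not a real schema. It shows why a URI-typed Issuer lets a PDP reject bare labels outright and compare issuers exactly, so that a self-asserted role cannot be confused with one vouched for by the expected issuer, and why echoing the subject in the response answers "can Joe read FileX?" rather than merely "Permit Read FileX".

```python
# Added example, not code from the XACML TC thread or any XACML implementation.
# Element and attribute names follow the draft discussed in the thread; the
# document layout, the policy format and all urn:example identifiers are
# constructed for this illustration and are not a real XACML schema.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed request context: the subject's role is asserted by the HR issuer.
REQUEST_CONTEXT = """<RequestContext>
  <Subject Id="urn:example:user:joe">
    <AttributeDesignator Name="urn:example:attr:role"
                         Issuer="urn:example:hr">doctor</AttributeDesignator>
  </Subject>
  <ResourceSpecifier ResourceURI="file:///records/joe.xml"/>
  <Action>urn:example:action:read</Action>
</RequestContext>"""

# Same request, but the role is self-asserted under a different issuer URI.
SELF_ASSERTED_CONTEXT = REQUEST_CONTEXT.replace(
    'Issuer="urn:example:hr"', 'Issuer="urn:example:self"')

# Same request with a bare string issuer, which the anyURI rule rejects.
BARE_ISSUER_CONTEXT = REQUEST_CONTEXT.replace(
    'Issuer="urn:example:hr"', 'Issuer="hr"')

# Constructed policy: only roles vouched for by urn:example:hr count.
POLICY = {
    "attribute": "urn:example:attr:role",
    "issuer": "urn:example:hr",
    "value": "doctor",
    "resource": "file:///records/joe.xml",
    "action": "urn:example:action:read",
}


def is_absolute_uri(value):
    """anyURI as enforced here: a scheme is required, so a bare label such as
    'hr' cannot silently stand in for a specific issuer."""
    parts = urlsplit(value or "")
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def parse_request(xml_text):
    """Parse the constructed context, rejecting non-URI Issuer/Action values."""
    root = ET.fromstring(xml_text)
    subject = root.find("Subject")
    attributes = []
    for d in subject.iter("AttributeDesignator"):
        issuer = d.get("Issuer")
        if not is_absolute_uri(issuer):
            raise ValueError("Issuer is not an absolute URI: %r" % issuer)
        attributes.append((d.get("Name"), issuer, (d.text or "").strip()))
    action = (root.findtext("Action") or "").strip()
    if not is_absolute_uri(action):
        raise ValueError("Action is not an absolute URI: %r" % action)
    return {
        "subject": subject.get("Id"),
        "attributes": attributes,
        "resource": root.find("ResourceSpecifier").get("ResourceURI"),
        "action": action,
    }


def evaluate(request, policy):
    """Return a DecisionType-like dict that carries subject, resource and
    action, so the response is tied to the request it answers."""
    vouched = any(
        name == policy["attribute"]
        and issuer == policy["issuer"]  # exact URI comparison, no guessing
        and value == policy["value"]
        for name, issuer, value in request["attributes"]
    )
    permit = (
        vouched
        and request["resource"] == policy["resource"]
        and request["action"] == policy["action"]
    )
    return {
        "Decision": "Permit" if permit else "Deny",
        "AbstractPrincipal": request["subject"],
        "ResourceName": request["resource"],
        "Action": request["action"],
    }


def decide(xml_text, policy=POLICY):
    """Parse and evaluate one request context against the constructed policy."""
    return evaluate(parse_request(xml_text), policy)


if __name__ == "__main__":
    print(decide(REQUEST_CONTEXT))
    print(decide(SELF_ASSERTED_CONTEXT))
    try:
        decide(BARE_ISSUER_CONTEXT)
    except ValueError as exc:
        print("rejected:", exc)
```

The first context is permitted, the self-asserted one is denied because its Issuer URI does not equal the policy's, and the bare-string Issuer never reaches policy evaluation at all. If Issuer or Action were plain strings, the evaluator would need a separate classifying attribute on each element to tell which vocabulary "hr" or "read" belongs to, which is the point Simon raises about the <action> element.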
     

