OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Ruleelement

  • 1.  Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Ruleelement

    Posted 05-07-2003 07:28
    
    Yes.
    
    Michiharu
    
    
    
                                                                                                                                                        
                          bill parducci                                                                                                                 
                          <bill.parducci@ov        To:       XACML TC <xacml@lists.oasis-open.org>                                                      
                          erxeer.com>              cc:                                                                                                  
                                                   Subject:  Re: [xacml] Proposed XACML 1.1 Solution: Item G: Obligations in Rule element               
                          2003/05/02 23:15                                                                                                              
                                                                                                                                                        
                                                                                                                                                        
    
    
    
    with this proposal i assume that the 'combining' mechanism will not
    change from the current spec: it will be an implicit AND for all
    returned obligations (the PEP will have to sort it out). is this correct?
    
    b
    
    Michiharu Kudoh wrote:
    > Proposed XACML 1.1 Solution for Obligations in Rule element
    >
    > Problem Description
    > ===================
    >
    > XACML 1.0 allows a PolicySet and Policy to include Obligations
    > element but does not allow a Rule to include it.
    > Allowing Obligations element to Rules could make Policies shorter,
    > particularly when each Rule has the identical target description
    > but different condition expression. In more detail, please refer to
    > http://lists.oasis-open.org/archives/xacml/200303/msg00006.html
    >
    > Proposal
    > ========
    >
    > Allow XACML <Rule> elements to contains <Obligations> element.
    > There is no need to define new schema or new schema type.
    >
    > <xs:element name="Rule" type="xacml:RuleType"/>
    > <xs:complexType name="RuleType">
    >       <xs:sequence>
    >             <xs:element ref="xacml:Description" minOccurs="0"/>
    >             <xs:element ref="xacml:Target" minOccurs="0"/>
    >             <xs:element ref="xacml:Condition" minOccurs="0"/>
    >             <xs:element ref="xacml:Obligations" minOccurs="0"/>
    >       </xs:sequence>
    >       <xs:attribute name="RuleId" type="xs:anyURI" use="required"/>
    >       <xs:attribute name="Effect" type="xacml:EffectType" use
    ="required"/>
    > </xs:complexType>
    >
    >
    > Discussion
    > ==========
    >
    > XACML TC decided not to have obligations in rule element to avoid
    > any extra complexity in the specification. Actually, allowing
    > Obligations element in Rule does NOT generate more complexity.
    > Moreover, there is no need to change the semantics. So, allowing
    > obligations in rule element still keeps the spec the same complexity.
    >
    > The description of Section 7.11 only needs minimum
    > modification such that text changes from "PolicySet and Policy may
    > contain one or more obligations" to "PolicySet, Policy and Rule may
    > contain one or more obligations".
    >
    > The description of combining algorithm needs a minimum addition
    > like just inserting one line text "Obligations of the individual
    > rules shall be combined as described in Section 7.11." before
    > line 4637.
    >
    > Since the Obligations element is optional, this extension
    > affects only implementations that supports obligations specified
    > in the current XACML specification.
    >
    > There had been some discussion about insufficient description
    > of the *-combining algorithm, but this extension is orthogonal
    > to that argument.
    >
    >