OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Proposed Agenda - 31 Aug 2006 TC meeting

    Posted 08-30-2006 15:20
    Proposed Agenda - 31 Aug 2006 TC meeting
    
    Time: 10:00 am EDT
    Tel: 512-225-3050 Access Code: 65998
    
    Proposed Agenda:
    
    10:00 - 10:05 Roll Call, Agenda Review
    
    10:05 - 10:10 Approval of minutes from last two calls
    
    Minutes from 3 August 2006 TC Meeting
    http://www.oasis-open.org/archives/xacml/200608/msg00003.html
    
    Minutes from 17 August 2006 TC Meeting
    http://www.oasis-open.org/archives/xacml/200608/msg00004.html
    
    10:10 - 10:20 Announcements 
    
    New TC Process Changes - N.B. Errata Process
    
    Registration of XACML with ET.gov - status update
    
    Status of XACML in ITU/T
    
    10:20 - 10:30 New proposal - Pagination support for policy query and
    assertion
    http://www.oasis-open.org/archives/xacml/200608/msg00006.html
    
    10:30 - 11:00 Discussion of other Issues
    
    Hal
    
    
    
    
    
    
    
    


  • 2.  Attribute categories.

    Posted 08-31-2006 07:59

    Attachment(s):

    Request.pdf (100 KB)
    MissingAttribute.pdf (93 KB)
    Target.pdf (106 KB)


  • 3.  Re: [xacml] Attribute categories.

    Posted 10-04-2006 14:37
    All,
    
    I just noticed that, if I understand this correctly, it is not possible to
    write a disjunction in the target with the new attribute categories
    schema. In XACML 2.0 you can write:
    
    
    
    and a request with either subject A or B would match.
    
    In the new attribute categories schema the Match appears directly below
    Target:
    
    
    
    so it is no longer possible to write a disjunction. Did I understand it
    correctly?
    
    Regards,
    Erik
    
    Daniel Engovatov wrote:
    > Attached is a version of the request and policy schemas implementing
    > extensible attribute categories proposal, as we discussed it.
    > I also attached some rendering of the changed schema type.
    > Could this be uploaded somewhere, so that I can link it from wiki and
    > write descriptions for all the changes?
    >
    > Daniel;
    >
    >   
    
    
    


  • 4.  Re: [xacml] Attribute categories.

    Posted 10-04-2006 14:42
    I think this is a mistake in the new attribute categories schema.  There 
    should be an element corresponding to 


  • 5.  RE: [xacml] Attribute categories.

    Posted 10-04-2006 17:42
    Doh! (...I guess I did not like the existing multiple subject design so
    much that I subconsciously omitted it :) )
    
    We should add this, but it should be made in some abstract form, for
    example by adding a disjunctive match grouping.  (We can pick up a nice
    name for that element - suggestions?)
    How about something like:
    
    
    With semantics that anything inside the DisjunctiveMatch  is ORed, and
    the rest is AND.  There is no need to restrict this only to the former
    subject categories.
    That will allow us to map existing subject matches into the new schema.
    
    Daniel;
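
The semantics described in the post above (entries inside a DisjunctiveMatch are ORed, everything else in the target is ANDed), modelled as an added example that is not part of the original post or of any TC schema. The Python classes, the category and attribute labels, and the sample requests are all constructed for illustration.

```python
# Added illustration: a hypothetical in-memory model, not the TC's schema.
from dataclasses import dataclass
from typing import Dict, Sequence, Set, Tuple, Union

# Request: category -> attribute id -> set of values (constructed shape).
Request = Dict[str, Dict[str, Set[str]]]


@dataclass(frozen=True)
class Match:
    category: str
    attribute: str
    value: str

    def evaluate(self, request: Request) -> bool:
        values = request.get(self.category, {}).get(self.attribute, set())
        return self.value in values


@dataclass(frozen=True)
class DisjunctiveMatch:
    # Alternatives may come from different categories, as argued in the thread.
    alternatives: Tuple[Match, ...]

    def evaluate(self, request: Request) -> bool:
        # ORed; an empty group matches nothing (any([]) is False).
        return any(m.evaluate(request) for m in self.alternatives)


def target_matches(target: Sequence[Union[Match, DisjunctiveMatch]],
                   request: Request) -> bool:
    # Top-level entries are ANDed; an empty target matches every request.
    return all(entry.evaluate(request) for entry in target)


# Constructed sample data: category and attribute names are placeholders.
FOO = Match("resource", "resource-id", "foo")
SUBJ_A = Match("access-subject", "subject-id", "A")
SUBJ_B = Match("intermediary-subject", "subject-id", "B")

FLAT_TARGET = [FOO, SUBJ_A, SUBJ_B]                       # foo AND A AND B
OR_TARGET = [FOO, DisjunctiveMatch((SUBJ_A, SUBJ_B))]     # foo AND (A OR B)

REQ_A = {"resource": {"resource-id": {"foo"}},
         "access-subject": {"subject-id": {"A"}}}
REQ_B = {"resource": {"resource-id": {"foo"}},
         "intermediary-subject": {"subject-id": {"B"}}}
REQ_BAR = {"resource": {"resource-id": {"bar"}},
           "access-subject": {"subject-id": {"A"}}}
```

With only ANDed matches, a request carrying subject A alone does not match `FLAT_TARGET`, so the policy silently becomes inapplicable; `OR_TARGET` matches either subject while still requiring resource `foo`.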
    
    


  • 6.  Re: [xacml] Attribute categories.

    Posted 10-04-2006 19:20
    Hi Daniel,
    
    I did not mean to imply that we would still have 


  • 7.  RE: [xacml] Attribute categories.

    Posted 10-04-2006 20:18
    I am not sure about limiting DisjunctiveMatch to a single category:
    Subjects will be in different categories, and there is no strong reason
    to limit this.  We will be basically adding some basic Boolean logic to
    match combinations - we could actually make it fully generic and add
    nesting 


  • 8.  Re: [xacml] Attribute categories.

    Posted 10-16-2006 14:56
    Daniel, Anne, All,
    
    My colleague Ludwig Seitz has tried out the new attribute categories and
    he agrees with Daniel on the quoted discussion. Here is his explanation
    of his opinion in his own words:
    
    I think Daniel is right about not limiting DisjunctiveMatch to a single
    category. I have a nice example where it won't work:
    
    Imagine you want to collect all policies for a resource 'foo' in one
    PolicySet.
    In the old XACML 3.0 (somewhat simplified notation) you could do
    something like this:
    
    
    
    With Anne's proposal this would translate to something like this:
    
    
       
    
    With the new Delegation model, administrative requests will look 
    like this for the 'foo' resource:
    
    
       
       
        .
        .
        .
    
    
    
    I think the above construct is quite common and I would therefore
    support Daniel's suggestion not to limit DisjunctiveMatch to a single
    category.
    
    
    Daniel Engovatov wrote:
    
    >I am not sure about limiting DisjunctiveMatch to a single category:
    >Subjects will be in different categories, and there is no strong reason
    >to limit this.  We will be basically adding some basic Boolean logic to
    >match combinations - we could actually make it fully generic and add
    >nesting