OASIS eXtensible Access Control Markup Language (XACML) TC

2. [Anne] Handling of multiple decisions http://lists.oasis-open.org/archives/xacml/200207/msg00044.html [Michiharu response] http://lists.oasis-open.org/archives/xacml/200207/msg00049.html Treat like separate evaluation for each element in resource hierarchy? If treat together, how are effects combined? MUST a PDP provide separate evaluations if a hierachical resource is specified? CLOSED: As if separate evaluations are done. CLOSED: the response indicates which specific elements in a resource go with specific decisions. This allows either a single evaluation, partial list of evaluations, or full list of evaluations. Action could specify what is desired: e.g. "READ-ALL", "READ-EACH". This is application specific. 3. [Anne] Optional <Target> in Rule (since often same as Policy) http://lists.oasis-open.org/archives/xacml/200207/msg00011.html Options: a. Optional <Target> in Rule (already optional in 15g): semantics ::= "match" b. Define <Target> to be a choice 1. urn:oasis:...:anyTarget, or 2. <Subject>...</Subject>,<Resource>...</Resource>,... and use 1. for this case. c. Use <Subject>urn:oasis:...:any</Subject>, <Resource>urn:oasis:...:any</Resource> for this case. OPEN: Decide on 7/22/02. We forgot to address this on 7/15. 15. [Daniel] mapping "numeric" http://lists.oasis-open.org/archives/xacml/200207/msg00033.html http://lists.oasis-open.org/archives/xacml/200207/msg00052.html CLOSED: version 1 uses just positive and negative integer and decimal. 16. [Anne] Target matching: http://lists.oasis-open.org/archives/xacml/200207/msg00018.html [Michiharu response] http://lists.oasis-open.org/archives/xacml/200207/msg00032.html [Michiharu new response] http://lists.oasis-open.org/archives/xacml/200207/msg00050.html CLOSED: In a single AttributeDesignator in a Target element, at least one returned node must match the target value. If a Target element includes more than one AttributeDesignator, then each AttributeDesignator must have at least one returned node that matches its target value. OPEN: Michiharu will propose a subset of XPATH by 7/18/02. OPEN: Michiharu will provide examples of the "namespace" attribute by 7/18/02. OPEN: We will study Michiharu's new response and decide on its issues on 7/22/02. OPEN: Tim will attempt to define Target conditions as a restriction on our Function definitions in 15i. He hopes to have 15i ready on 7/16/02. 21. [Anne] {PolicySet Policy Rule}Designator issue http://lists.oasis-open.org/archives/xacml/200207/msg00045.html CLOSED: Designators are not intended to tell *how* to retrieve the specified PolicySet, Policy, or Rule, merely to identify *which* is to be retrieved by Id. The PolicySetDesignator and PolicyDesignator types do need to be a CHOICE rather than a SEQUENCE. OPEN: How about Assertion by reference? 22. [Daniel] Why Function has 1...inf of arguments? Couldn't it be without arguments? http://lists.oasis-open.org/archives/xacml/200207/msg00047.html CLOSED: Allow 0..inf arguments. This supports a function that returns the value of "pi", or a function that returns the time-of-day, for example. -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692