Making the Core Syntax Agnostic #38
-
I did a few changes:
A few other suggestions:
-
@cdanger, since you dived in to make improvements can I assume that you think this approach to presenting the structures in the XACML core is a good way forward?
-
JADN is heading in the right direction but it has some limitations. It doesn't define a mapping to XML Schema. It doesn't have a concept of derived structured types so even if it had an XSD mapping that mapping would be quite different to our current XSD. I might be wrong but JADN does not seem to allow recursive nesting, so we could not have policies nested in policies in any mapping.
-
This is a test case for rewriting the core specification to be syntax agnostic. I chose the policy description because it is non-trivial. As I was finishing this up DMLex was published, which also aims to be syntax agnostic and went a similar way. Here it is for comparison:
https://docs.oasis-open.org/lexidma/dmlex/v1.0/csd04/dmlex-v1.0-csd04.html#idm218

A preamble is required to describe the abstract model in the absence of a preferred schema language. It would naturally fit into the start of Section 5. It was necessary to invent a Parts property for the JSON representation to correspond to the <xs:choice minOccurs="0" maxOccurs="unbounded"> particle in the XML Schema.

5 Structures

The structures in XACML are described here in abstract terms. The concrete representations of these structures are defined for a variety of syntaxes, each in a separate profile.

Object type

The XACML structures are objects that each conform to a specific object type. Objects of the same kind conform to a specific, named object type, which describes a set of properties that an object of the type is permitted to have and, for each property, whether it is required or optional.

A property has a unique name (unique among the object's properties) and a value, where the value conforms to a specific type: either a simple type, an object type, or a sequence of such values.

Simple types

The simple types are:

String: A sequence of characters that may be constrained to a particular pattern.
URI: A sequence of characters representing a Uniform Resource Identifier according to RFC 3986.
Boolean: Either true or false.
Integer: An integer number that may be constrained to a particular range.

Examples of concrete representations

In the JSON representation, an object maps to a JSON object and a property of that object maps to a JSON member (a name/value pair). An object type is formally defined by a JSON subschema.

In the XML representation, a property corresponds to an element or XML attribute, an object corresponds to element content and an object type is formally defined by an XML Schema complex type.

5.1 Policy

The value of a Policy property is an object of the PolicyType object type, which describes a policy.

A policy is an aggregation of rules and other policies. Policies MAY be included in an enclosing PolicyType object either directly using the Policy property or indirectly using the PolicyReference property. If the values of PolicyReference properties are in the form of URLs, then these references MAY be resolvable.

A Policy property may be evaluated, in which case the evaluation procedure defined in [Section 7.12] SHALL be used.

A PolicyType object contains the following properties:

PolicyId [Required]
URI identifying the policy. It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier. This MAY be achieved by following a predefined URN or URI scheme. If the policy identifier is in the form of a URL, then it MAY be resolvable.

Version [Required]
String value indicating the version number of the policy. The value must match the SemVer pattern.

CombiningAlgId [Required]
URI value identifying the combining algorithm by which the Policy, Rule, CombinerParameters, PolicyCombinerParameters and RuleCombinerParameters properties MUST be combined. Standard combining algorithms are listed in [Appendix G]. Standard combining algorithm identifiers are listed in [Appendix F.9].

MaxDelegationDepth [Optional]
Integer. Description: If present, limits the depth of delegation which is authorized by this policy. See the delegation profile [XACMLAdmin].

Description [Optional]
String. Description: A free-form description of the policy.

PolicyIssuer [Optional]
PolicyIssuer property is explained in the separate administrative policy profile [XACMLAdmin].

PolicyDefaults [Optional]
PolicyDefaults property SHALL be the enclosing PolicyType object.

Target [Optional]
Type: Object. Description: The Target property defines the applicability of a policy to a set of decision requests. If the Target property matches the request context, then the PolicyType object MAY be used by the PDP in making its authorization decision. See [Section 7.12]. The Target property MAY be declared by the creator of the PolicyType object or it MAY be computed from the Target properties of the referenced Policy properties and the Condition properties of the referenced Rule properties, either as a conjunction or as a disjunction.

ObligationExpressions [Optional]

AdviceExpressions [Optional]

Parts [Optional]
PolicyPartType objects.

Each PolicyPartType object contains exactly one of the following properties:

Policy [Optional]
PolicyType. Description: A policy that is included in this policy. A policy whose target matches the decision request MUST be considered. A policy whose target property does not match the decision request SHALL be ignored.

PolicyReference [Optional]
PolicyReference is a URI, then it MAY be resolvable. A policy whose target matches the decision request MUST be considered. A policy whose target does not match the decision request SHALL be ignored.

VariableDefinition [Optional]

Rule [Optional]
CombiningAlgId property. A rule whose condition matches the decision request MUST be considered. A rule whose condition does not match the decision request SHALL be ignored.

CombinerParameters [Optional]

PolicyCombinerParameters [Optional]
Policy or PolicyReference property within the policy. It is up to the specific combining algorithm to interpret them and adjust its behavior accordingly.

RuleCombinerParameters [Optional]
Rule property within the policy. It is up to the specific combining algorithm to interpret them and adjust its behavior accordingly.

The XML Schema definitions for Policy and PolicyType would appear in a separate profile for the XML representation.

5.1 Policy

A Policy property is represented in XML as a <Policy> element. The <Policy> element is of PolicyType complex type.

The PolicyPartType is represented as an anonymous <choice> element information item in the XML Schema and the Parts property is not visibly represented as an element in the XML representation.

The JSON Schema definitions for Policy and PolicyType would appear in a separate profile for the JSON representation. Take this with a grain of salt. I haven't fully grokked JSON Schema yet.

5.1 Policy

A Policy property is represented in JSON as a member with the name Policy.
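The abstract PolicyType model above, as an added worked example that is not part of this discussion or of any XACML TC deliverable: a small Python checker that validates a JSON representation of a policy against the object-type rules given in the post (required and optional properties, the simple types, the Parts sequence whose PolicyPartType objects carry exactly one property, and recursive nesting of policies in policies). The URI check (an absolute URI with an RFC 3986 scheme), the simplified SemVer pattern, the constructed sample policy, and the modelling as Object of properties whose type is not stated in the post are assumptions made for this example.

```python
import json
import re

# Simple types from the "Simple types" section.  Assumptions: a URI is an
# absolute URI with an RFC 3986 scheme, and the SemVer pattern is simplified
# to major.minor.patch with optional pre-release and build suffixes.
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S*$")
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.\-]+)?(\+[0-9A-Za-z.\-]+)?$")

# PolicyType properties: name -> (required, abstract type).  Properties whose
# type is not stated in the post are modelled as Object (assumption).
POLICY_TYPE = {
    "PolicyId": (True, "URI"),
    "Version": (True, "String"),
    "CombiningAlgId": (True, "URI"),
    "MaxDelegationDepth": (False, "Integer"),
    "Description": (False, "String"),
    "PolicyIssuer": (False, "Object"),
    "PolicyDefaults": (False, "Object"),
    "Target": (False, "Object"),
    "ObligationExpressions": (False, "Object"),
    "AdviceExpressions": (False, "Object"),
    "Parts": (False, "Sequence"),
}

# PolicyPartType: each part object carries exactly one of these properties.
PART_PROPERTIES = {
    "Policy", "PolicyReference", "VariableDefinition", "Rule",
    "CombinerParameters", "PolicyCombinerParameters", "RuleCombinerParameters",
}


def check_type(value, abstract_type):
    """Return a problem string if value does not conform to the abstract type, else None."""
    checks = {
        "String": lambda v: isinstance(v, str),
        "URI": lambda v: isinstance(v, str) and URI_RE.match(v) is not None,
        # bool is a subclass of int in Python, so exclude it explicitly.
        "Integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
        "Boolean": lambda v: isinstance(v, bool),
        "Object": lambda v: isinstance(v, dict),
        "Sequence": lambda v: isinstance(v, list),
    }
    return None if checks[abstract_type](value) else f"expected {abstract_type}"


def validate_policy(policy, path="Policy"):
    """Validate one PolicyType object; return a list of 'path: problem' strings."""
    if not isinstance(policy, dict):
        return [f"{path}: expected a PolicyType object"]
    errors = [f"{path}.{name}: property not permitted by PolicyType"
              for name in policy if name not in POLICY_TYPE]
    for name, (required, abstract_type) in POLICY_TYPE.items():
        if name not in policy:
            if required:
                errors.append(f"{path}.{name}: required property missing")
            continue
        problem = check_type(policy[name], abstract_type)
        if problem:
            errors.append(f"{path}.{name}: {problem}")
    version = policy.get("Version")
    if isinstance(version, str) and not SEMVER_RE.match(version):
        errors.append(f"{path}.Version: does not match the SemVer pattern")
    # Parts: exactly one listed property per PolicyPartType object; a nested
    # Policy is validated recursively, which is how policies nest in policies.
    parts = policy.get("Parts")
    for i, part in enumerate(parts if isinstance(parts, list) else []):
        ppath = f"{path}.Parts[{i}]"
        if not isinstance(part, dict) or len(part) != 1 or not set(part) <= PART_PROPERTIES:
            errors.append(f"{ppath}: must contain exactly one of {sorted(PART_PROPERTIES)}")
            continue
        (prop, value), = part.items()
        if prop == "Policy":
            errors.extend(validate_policy(value, f"{ppath}.Policy"))
        elif prop == "PolicyReference":
            problem = check_type(value, "URI")
            if problem:
                errors.append(f"{ppath}.PolicyReference: {problem}")
    return errors


def validate_json(text):
    """Parse a JSON document whose top-level member is Policy and validate it."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or "Policy" not in doc:
        return ["missing top-level Policy member"]
    return validate_policy(doc["Policy"])


# Constructed sample (not from the post): a root policy that nests one policy,
# which in turn nests one rule, plus a reference to another policy.
SAMPLE_POLICY_JSON = """{
  "Policy": {
    "PolicyId": "urn:example:policy:root", "Version": "1.0.0",
    "CombiningAlgId": "urn:example:alg:deny-overrides",
    "Description": "Root policy (constructed sample)", "Target": {},
    "Parts": [
      {"Policy": {"PolicyId": "urn:example:policy:child", "Version": "1.2.3",
                  "CombiningAlgId": "urn:example:alg:permit-overrides",
                  "Parts": [{"Rule": {}}]}},
      {"PolicyReference": "https://example.invalid/policies/shared"}
    ]
  }
}"""

if __name__ == "__main__":
    for line in validate_json(SAMPLE_POLICY_JSON) or ["conforms to PolicyType"]:
        print(line)
```

The checker deliberately stops at the structural level the post defines: Rule, Target and the parameter objects are accepted as opaque objects, and nothing is resolved over the network even when a PolicyReference is a URL, since resolvability is only a MAY in the model.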