Proposal for Attribute Handling in v3
- The purpose of this proposal is to add extensible attribute categories to XACML context.
- The current specification implicitly defines the following attribute categories:
  - Multiple subject categories, differentiated by Subject Category URI. (The default subject category is urn:oasis:names:tc:xacml:1.0:subject-category:access-subject)
  - Resource category. Multiple resource groups may be specified in a request
  - Action category
  - Environment category
- In this proposal all existing attribute categories in request and policy are substituted with a uniform specification.
  - New categories may be added as needed, identified by a URI.
  - New reserved URIs are introduced to represent existing categories (for example urn:oasis:names:tc:xacml:3.0:context-category:resource)
  - Existing subject categories are reused
- Request and policy refer to attributes using category and name.
- Attribute designator elements and the specific target elements for existing categories are replaced with a generic version that allows a category URI to be specified.
- XACML 2.0 requests and policies may always be translated into the new representation without any loss of functionality
- The definitions of resource attribute and subject attribute need to be changed to refer to an attribute in a specific category, rather than in a particular element.
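
The translation described above, as an added example that is not part of the proposal or of any XACML specification: a XACML 2.0 request context is mapped onto category-keyed attribute groups, and attributes are then resolved by category and name. The `context-category:action` and `context-category:environment` URIs are assumed by analogy with the resource URI given above, and `translate` and `lookup` are hypothetical names.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # XACML 2.0 request context namespace
DEFAULT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
PREFIX = "urn:oasis:names:tc:xacml:3.0:context-category:"
# Only the resource URI appears in the proposal; the action and environment
# URIs below are assumptions formed by analogy with it.
FIXED = {"Resource": PREFIX + "resource", "Action": PREFIX + "action",
         "Environment": PREFIX + "environment"}

def translate(request_xml):
    """Return one (category URI, {attribute id: [values]}) pair per 2.0 group."""
    groups = []
    for elem in ET.fromstring(request_xml):
        kind = elem.tag.replace("{%s}" % CTX, "")
        if kind == "Subject":
            # Existing subject category URIs are reused as the category.
            category = elem.get("SubjectCategory", DEFAULT_SUBJECT)
        elif kind in FIXED:
            category = FIXED[kind]
        else:
            raise ValueError("unexpected element: " + elem.tag)
        attrs = {}
        for attr in elem.findall("{%s}Attribute" % CTX):
            values = [v.text for v in attr.findall("{%s}AttributeValue" % CTX)]
            attrs.setdefault(attr.get("AttributeId"), []).extend(values)
        groups.append((category, attrs))  # repeated Resource groups stay separate
    return groups

def lookup(groups, category, attribute_id):
    """Generic designator: one bag of values per group in the given category."""
    return [attrs.get(attribute_id, []) for cat, attrs in groups if cat == category]

# Constructed sample request (values are illustrative).
DT = 'DataType="http://www.w3.org/2001/XMLSchema#string"'
X = "urn:oasis:names:tc:xacml:1.0:"
SAMPLE = f"""<Request xmlns="{CTX}">
 <Subject><Attribute AttributeId="{X}subject:subject-id" {DT}><AttributeValue>alice</AttributeValue></Attribute></Subject>
 <Subject SubjectCategory="{X}subject-category:intermediary-subject"><Attribute AttributeId="{X}subject:subject-id" {DT}><AttributeValue>proxy01</AttributeValue></Attribute></Subject>
 <Resource><Attribute AttributeId="{X}resource:resource-id" {DT}><AttributeValue>doc1</AttributeValue></Attribute></Resource>
 <Resource><Attribute AttributeId="{X}resource:resource-id" {DT}><AttributeValue>doc2</AttributeValue></Attribute></Resource>
 <Action><Attribute AttributeId="{X}action:action-id" {DT}><AttributeValue>read</AttributeValue></Attribute></Action>
 <Environment/>
</Request>"""

if __name__ == "__main__":
    for category, attrs in translate(SAMPLE):
        print(category, attrs)
```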