Commit

Update xacml-v4.0-csd01.md
cdanger authored Sep 26, 2024
1 parent c3ef718 commit ac20b32
Showing 1 changed file with 35 additions and 33 deletions.
68 changes: 35 additions & 33 deletions xacml-v4.0-csd01.md
Expand Up @@ -153,137 +153,139 @@ XACML 4.0 differs from XACML 3.0 in the following ways:

### 1.2.1 Definitions of terms

<!-- The following syntax (: definition) for definition lists requires the 'definition_lists' extension enabled in the pandoc command (-f gfm+definition_lists) to be rendered properly. -->

**Access**

* Performing an **_action_**
: Performing an **_action_**.

**Access control**

* Controlling **_access_** in accordance with a **_policy_**
: Controlling **_access_** in accordance with a **_policy_**.

**Action**

* An operation on a **_resource_**
: An operation on a **_resource_**.

**Advice**

* A supplementary piece of information in a **_policy_** which is provided to the **_PEP_** with the **_decision_** of the **_PDP_**.
: A supplementary piece of information in a **_policy_** which is provided to the **_PEP_** with the **_decision_** of the **_PDP_**.

**Applicable policy**

* The set of **_policies_** that governs **_access_** for a specific **_decision request_**
: The set of **_policies_** that governs **_access_** for a specific **_decision request_**.

**Attribute**

* Characteristic of a **_subject_**, **_resource_**, **_action_** or **_environment_** that may be referenced in a **_predicate_** (see also – **_named attribute_**)
: Characteristic of a **_subject_**, **_resource_**, **_action_** or **_environment_** that may be referenced in a **_predicate_** (see also – **_named attribute_**).

**Authorization decision**

* The result of evaluating **_applicable policy_**, returned by the **_PDP_** to the **_PEP_**. A function that evaluates to `Permit`, `Deny`, `Indeterminate` or `NotApplicable`, and (optionally) a set of **_obligations_** and **_advice_**
: The result of evaluating **_applicable policy_**, returned by the **_PDP_** to the **_PEP_**. A function that evaluates to `Permit`, `Deny`, `Indeterminate` or `NotApplicable`, and (optionally) a set of **_obligations_** and **_advice_**.

**Bag**

* An unordered collection of values, in which there may be duplicate values
: An unordered collection of values, in which there may be duplicate values.

**Combining algorithm**

* The procedure for combining the **_decision_**, **_obligations_** and **_advice_** from multiple **_policies_** and **_rules_**
: The procedure for combining the **_decision_**, **_obligations_** and **_advice_** from multiple **_policies_** and **_rules_**.

**Condition**

* An expression of **_predicates_**. A function that evaluates to `True`, `False` or `Indeterminate`
: An expression of **_predicates_**. A function that evaluates to `True`, `False` or `Indeterminate`.

**Conjunctive sequence**

* A sequence of **_predicates_** combined using the logical `AND` operation
: A sequence of **_predicates_** combined using the logical `AND` operation.

**Context**

* The canonical representation of a **_decision request_** and an **_authorization decision_**
: The canonical representation of a **_decision request_** and an **_authorization decision_**.

**Context handler**

* The system entity that converts **_decision requests_** in the native request format to the XACML canonical form, coordinates with Policy Information Points to add attribute values to the request **_context_**, and converts **_authorization decisions_** in the XACML canonical form to the native response format
: The system entity that converts **_decision requests_** in the native request format to the XACML canonical form, coordinates with Policy Information Points to add attribute values to the request **_context_**, and converts **_authorization decisions_** in the XACML canonical form to the native response format.

**Decision**

* The result of evaluating a **_rule_** or **_policy_**
: The result of evaluating a **_rule_** or **_policy_**.

**Decision request**

* The request by a **_PEP_** to a **_PDP_** to render an **_authorization decision_**
: The request by a **_PEP_** to a **_PDP_** to render an **_authorization decision_**.

**Disjunctive sequence**

* A sequence of **_predicates_** combined using the logical `OR` operation
: A sequence of **_predicates_** combined using the logical `OR` operation.

**Effect**

* The intended consequence of a satisfied **_rule_** (either `Permit` or `Deny`)
: The intended consequence of a satisfied **_rule_** (either `Permit` or `Deny`).

**Environment**

* The set of **_attributes_** that are relevant to an **_authorization decision_** and are independent of a particular **_subject_**, **_resource_** or **_action_**
: The set of **_attributes_** that are relevant to an **_authorization decision_** and are independent of a particular **_subject_**, **_resource_** or **_action_**.

**Identifier equality**

* The identifier equality operation which is defined in [Section 7.20](#720-identifier-equality).
: The identifier equality operation which is defined in [Section 7.20](#720-identifier-equality).

**Issuer**

* A set of **_attributes_** describing the source of a **_policy_**
: A set of **_attributes_** describing the source of a **_policy_**.

**Named attribute**

* A specific instance of an **_attribute_**, determined by the **_attribute_** name and type, the identity of the **_attribute_** holder (which may be of type: **_subject_**, **_resource_**, **_action_** or **_environment_**) and (optionally) the identity of the issuing authority
: A specific instance of an **_attribute_**, determined by the **_attribute_** name and type, the identity of the **_attribute_** holder (which may be of type: **_subject_**, **_resource_**, **_action_** or **_environment_**) and (optionally) the identity of the issuing authority.

**Obligation**

* An operation specified in a **_rule_** or **_policy_** that should be performed by the **_PEP_** in conjunction with the enforcement of an **_authorization decision_**
: An operation specified in a **_rule_** or **_policy_** that should be performed by the **_PEP_** in conjunction with the enforcement of an **_authorization decision_**.

**Policy**

* A set of **_rules_**, other **_policies_**, an identifier for the **_combining algorithm_** and (optionally) a set of **_obligations_** or **_advice_**. May be a component of another **_policy_**
: A set of **_rules_**, other **_policies_**, an identifier for the **_combining algorithm_** and (optionally) a set of **_obligations_** or **_advice_**. May be a component of another **_policy_**.

**Policy administration point (PAP)**

* The system entity that creates a **_policy_**
: The system entity that creates a **_policy_**.

**Policy decision point (PDP)**

* The system entity that evaluates **_applicable policy_** and renders an **_authorization decision_**. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [[RFC3198](#rfc3198)]. This term corresponds to "Access Decision Function" (ADF) in [[ISO10181-3](#iso10181-3)].
: The system entity that evaluates **_applicable policy_** and renders an **_authorization decision_**. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [[RFC3198](#rfc3198)]. This term corresponds to "Access Decision Function" (ADF) in [[ISO10181-3](#iso10181-3)].

**Policy enforcement point (PEP)**

* The system entity that performs **_access control_**, by making **_decision requests_** and enforcing **_authorization decisions_**. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [[RFC3198](#rfc3198)]. This term corresponds to "Access Enforcement Function" (AEF) in [[ISO10181-3](#iso10181-3)].
: The system entity that performs **_access control_**, by making **_decision requests_** and enforcing **_authorization decisions_**. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in [[RFC3198](#rfc3198)]. This term corresponds to "Access Enforcement Function" (AEF) in [[ISO10181-3](#iso10181-3)].

**Policy information point (PIP)**

* The system entity that acts as a source of **_attribute_** values
: The system entity that acts as a source of **_attribute_** values.

**Predicate**

* A statement about **_attributes_** whose truth can be evaluated
: A statement about **_attributes_** whose truth can be evaluated.

**Resource**

* Data, service or system component
: Data, service or system component.

**Rule**

* An **_effect_**, a **_condition_** and (optionally) a set of **_obligations_** or **_advice_**. A component of a **_policy_**
: An **_effect_**, a **_condition_** and (optionally) a set of **_obligations_** or **_advice_**. A component of a **_policy_**.

**Subject**

* An actor whose **_attributes_** may be referenced by a **_predicate_**
: An actor whose **_attributes_** may be referenced by a **_predicate_**.

**Target**

* An element of an XACML **_policy_** which matches specified values of **_resource_**, **_subject_**, **_environment_**, **_action_**, or other custom **_attributes_** against those provided in the request **_context_** as a part of the process of determining whether the **_policy_** is applicable to the current decision.
: An element of an XACML **_policy_** which matches specified values of **_resource_**, **_subject_**, **_environment_**, **_action_**, or other custom **_attributes_** against those provided in the request **_context_** as a part of the process of determining whether the **_policy_** is applicable to the current decision.

**Type Unification**

* The method by which two type expressions are "unified". The type expressions are matched along their structure. Where a type variable appears in one expression it is then "unified" to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure, or by having instance conflicts, such as a variable needs to represent both `xs:string` and `xs:integer`. For a full explanation of **_type unification_**, please see [[Hancock](#hancock)].
: The method by which two type expressions are "unified". The type expressions are matched along their structure. Where a type variable appears in one expression it is then "unified" to represent the corresponding structure element of the other expression, be it another variable or subexpression. All variable assignments must remain consistent in both structures. Unification fails if the two expressions cannot be aligned, either by having dissimilar structure, or by having instance conflicts, such as a variable needs to represent both `xs:string` and `xs:integer`. For a full explanation of **_type unification_**, please see [[Hancock](#hancock)].

### 1.2.2 Related terms
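Review bot: the `: ` definition-list syntax this hunk switches every term to renders only when the document is built with pandoc and the `definition_lists` extension enabled (`-f gfm+definition_lists`, as the HTML comment at the top of 1.2.1 says); GitHub's own Markdown renderer, and any pandoc invocation that uses plain `gfm`, will show each definition as a paragraph beginning with a literal colon, whereas the replaced `* ` bullets rendered acceptably everywhere. Please make sure the build script that produces the published HTML/PDF actually passes that flag, and record it somewhere more discoverable than an inline comment (the repository README or build instructions), so a contributor rendering the file another way does not mistake the colons for a typo. Two minor consistency points while the list is being touched: the term "Type Unification" is Title Case while every other term ("Access control", "Combining algorithm", "Policy decision point (PDP)") is sentence case, so "Type unification" would match; and the "Attribute" definition's "(see also – **_named attribute_**)" uses an en dash where the rest of the list uses no punctuation inside the parentheses, so a plain "(see also **_named attribute_**)" reads cleaner.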


0 comments on commit ac20b32