So it looks like these are not really assertions but rather just a way to carry xacml statements in a wsp:policy element, why I say this is that all you will be matching on is <xacmlws:XACMLPolicyAssertion Optional="False">.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 [1]Inactive hide details for Anne Anderson <Anne...@sun.com>Anne Anderson <Anne...@sun.com>

Anne Anderson To OASIS XACML TC <Anne...@sun.com> <xac...@lists.oasis-open.org> cc 07/26/2006 01:29 PM Subject [xacml] Issue#47: WS-Policy Assertion profile for XACML +---------------------------+ | Please respond to | | Anne...@sun.com | +---------------------------+

Colleagues,

Now that WS-Policy has been submitted to and accepted by the W3C, it seems like we should have a standard way to carry an XACML Policy or PolicySet as an Assertion in a WS-Policy instance. I'm thinking of something like a very simple wrapper:

<xacmlws:XACMLPolicyAssertion Optional="False"> <xacml:PolicySet ...> ... </xacml:PolicySet> </xacmlws:XACMLPolicyAssertion>

Two other possible inclusions might be:

1) A signed SAML Assertion containing an instance of the XACMLAuthzDecisionStatementType that includes the corresponding Request Context; for use as an authorization credential.

<xacmlws:XACMLAuthzCredential> <saml:Assertion> ... (containing XACMLAuthzDecisionStatementType instance) </saml> </xacmlws:XACMLAuthzCredential>

2) Individual XACML <Apply> statements, for expressing individual authorization constraints.

<xacmlws:XACMLAuthzAssertion ...> <xacml:Apply FunctionId="..."> ... </xacml:Apply> </xacmlws:XACMLAuthzAssertion>

I've added this as Issue#47 to the Issues list at http://wiki.oasis-open.org/xacml/IssuesList

Regards, Anne -- Anne H. Anderson Email: Anne...@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692

References

Visible links