[Attempto] ACE for XACML?

Norbert E. Fuchs fuchs at ifi.uzh.ch
Mon Nov 15 16:24:49 CET 2010

Previous message: [Attempto] ACE for XACML?
Next message: [Attempto] ACE for XACML?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15 Nov 2010, at 12:57, Brad Cox wrote:

> ...
> Here is my first crack at parsing XACML policy into ACE. Its not
> correct yet, shown mainly to show the kind of issues I'm facing.
> 
> First question is whether ACE has anything that works like parentheses
> in Java for disambiguating all those embedded ands and ors. If not,
> how should I handle this? My prior version handled this with
> parentheses, temporarily removed to get closer to valid ACE.
> 
> /*Rule View5thFleetHomePage*/
> if the  url is "@urlprefix@/demo/Fifth-Fleet" then
> if  the countryofcitizenship  is "US"  and  the organizationid  is in
> {"USN" , "USMC" }  and  the dutyoccupationalcode  is in   {"2101" ,
> "2201" , "2207" , "2206" , "2803" , "2301" , "2302" , "2303" , "0302"
> , "0326" , "0342" , "0319" , "0345" , "2801" , "1494" , "2821" ,
> "5974" }  and  not ( the paygrade  is in   {"E1" , "E2" , "E3" , "E4"
> , "E5" , "E6" } )  and  the personnelcategorycode  is in   {"A" , "C"
> }  and "Country Yellow"  is in  the geographicsubregion  or "Fifth
> Fleet"  is in  the geographicsubregion  and "CTF 153"  is in  the
> extendedgroup  or "Fifth Fleet"  is in  the extendedgroup  or "Second
> Fleet"  is in  the extendedgroup  or "Third Fleet"  is in  the
> extendedgroup  or "Fourth Fleet"  is in  the extendedgroup  or "Sixth
> Fleet"  is in  the extendedgroup  or "Seventh Fleet"  is in  the
> extendedgroup  or "CSG1"  is in  the extendedgroup  or "CSG2"  is in
> the extendedgroup
> then the response's decision is Permit.

Three answers. 

First, ACE doesn't have parentheses. 

Second, your example reminds me of a statement of the "ACE 6.5 Troubleshooting Guide", namely "Though the ACE parser will unravel every syntactically correct sentence, however complex, you may have problems to do so. Thus keep your sentences short and simple.". Thus I suggest that you consider breaking your sentence into pieces that are digestible also by human readers.

Third, words like "extendedgroup" and "personnelcategorycode" are ugly. Either break them up or – if this is not possible – at least hyphenate them.

> Next question isn't clear in this example (because I stripped most of
> it to get this far). XACML uses about a hundred functions for doing
> standard operations on strings, integers, bags, sets, etc. Is there a
> way to call a Java function from ACE?

No. This would defy the very intentions why we developed ACE.

> If not, I'd need to find a way
> to spell out each function's internals in ACE which would really hurt
> readability. As one example, the one-and-only function surrounds most
> of the attribute references in this example; i.e. the above should
> really read one-and-only(countryofcitizenship) and so forth for every
> instance. Even rephrasing one-and-only as "sole", that gets pretty
> unwieldy; i.e. "if the sole countryofcitizenship is "US"..., and
> doesn't address what to do with the other 99 xacml functions.

In the end you yourself will have to map ACE expressions to XACML, possibly – as Kaarel suggested – via OWL.

> Also do C-style comments work as shown above? Guesswork...

They do.

Regards.

   --- nef

Previous message: [Attempto] ACE for XACML?
Next message: [Attempto] ACE for XACML?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the attempto mailing list