- From: Dominique Hazael-Massieux via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 21 Jun 2010 13:43:13 +0000
- To: public-dap-commits@w3.org
Update of /sources/public/2009/dap/policy In directory hutz:/tmp/cvs-serv12503 Modified Files: Profile.html Log Message: removed (some of) the abusive <code> wrappers Index: Profile.html =================================================================== RCS file: /sources/public/2009/dap/policy/Profile.html,v retrieving revision 1.13 retrieving revision 1.14 diff -u -d -r1.13 -r1.14 --- Profile.html 21 Jun 2010 13:35:37 -0000 1.13 +++ Profile.html 21 Jun 2010 13:43:11 -0000 1.14 @@ -47,7 +47,7 @@ <section id="values-and-types"> <h3>Values and Types</h3> <p>Each value in an expression is conceptually a - <code>bag</code> of potentially multiple simple values. The + bag of potentially multiple simple values. The bag can be empty, containing no simple values. In practice almost every value encountered in the model is either an empty bag or a bag containing a single simple @@ -152,10 +152,10 @@ </section> <!-- subject-specification --> <section id="target"> <h3>Target</h3> - <p>The <code>target</code> of a <code>policy</code> or - <code>policy set</code> identifies the set of - <code>subjects</code> to which the <code>policy</code> or - <code>policy set</code> applies. </p> + <p>The <code>target</code> of a policy or + policy set identifies the set of + subjects to which the policy or + policy set applies. </p> <p>The <code>target</code> consists of a disjunctive sequence of <code>subject</code> specifications. A target specification is @@ -173,13 +173,13 @@ </section> <!-- target --> <section id="decision"> <h3>Decision</h3> - <p>If determined, the result of a <code>rule</code> or - <code>policy</code> or <code>policy set</code> is a - <code>decision</code>, either “not applicable” or any one of - the <a href="#effect"><code>effects</code></a> “permit”, - “prompt-blanket”, “prompt-session”, “prompt-oneshot” or - “deny”. </p> <p> The result of a <code>rule</code> or - <code>policy</code> or <code>policy set</code> may be + <p>If determined, the result of a rule or + policy or policy set is a + decision, either “not applicable” or any one of + the <a href="#effect">effects</a> “<code>permit</code>”, + “<code>prompt-blanket</code>”, “<code>prompt-session</code>”, “<code>prompt-oneshot</code>” or + “<code>deny</code>”. </p> <p> The result of a rule or + policy or policy set may be undetermined under conditions specified for each below. </p> </section> <!-- decision --> @@ -234,8 +234,8 @@ <code>policy</code> optionally has an id. If an implementation provides a means to provision a security policy fragment to replace an existing one, this id can - be used to identify the <code>policy</code> or <code>policy - set</code> to replace. No management of ids is mandated, + be used to identify the policy or policy + set to replace. No management of ids is mandated, therefore it is recommended that a standardised textual representation of a UUID should be used as the id. </p> <p> The result of a policy is determined if and only if @@ -243,12 +243,12 @@ </section> <!-- policy --> <section id="policy-set"> <h3>Policy Set</h3> - <p>The overall security framework is a <code>policy - set</code>. </p> <p> A <code>policy set</code> is a target + <p>The overall security framework is a policy + set. </p> <p> A <code>policy-set</code> is a target with a list of zero or more <code>policies</code> and <code>policy sets</code> combined using a <a - href="#combining-algorithm"><code>policy-combining - algorithm</code></a>. Where a directive attribute query + href="#combining-algorithm">policy-combining + algorithm</a>. Where a directive attribute query finds more than one applicable directive attribute set, the first one is used. </p> <p> A <code>policy set</code> optionally has an id. If an implementation provides a @@ -267,16 +267,16 @@ fragment of policy to add to the existing security policy framework or to replace a part of it, the <code>policy document</code> is the unit of addition or - replacement. A <code>policy document</code> can be either a - <code>policy</code> or a <code>policy set</code>. </p> + replacement. A policy document can be either a + <code>policy</code> or a <code>policy-set</code>. </p> </section> <!-- policy-document --> <section id="signed-policy-document"> <h3>Signed Policy Document</h3> <p>Where the implementation supports deployment of - policy fragments as above, the <code>signed policy - document</code> is the cryptographically signed unit of - deployment. It contains one or more <code>policy - documents</code> as well as a single signature. </p> + policy fragments as above, the signed policy + documentx is the cryptographically signed unit of + deployment. It contains one or more policy + documents as well as a single signature. </p> </section> <!-- signed-policy-document --> <section id="matching-function"> <h3>Matching Function</h3> @@ -380,26 +380,26 @@ </section> <!-- modifier-function --> <section id="combining-algorithm"> <h3>Combining Algorithm</h3> - <p>The <code>policy-combining algorithm</code> for a - <code>policy set</code> determines how child - <code>policies</code> and <code>policy sets</code> are combined. - </p> <p>The <code>rule-combining algorithm</code> for a - <code>policy</code> determines how child <code>rules</code> are + <p>The policy-combining algorithm for a + policy set determines how child + policies and policy sets are combined. + </p> <p>The rule-combining algorithm for a + policy determines how child rules are combined. </p> <p>The algorithms are described in the - following subsections. The term <code>child</code> is used - to mean the child <code>rules</code> in the <code>policy</code> - when applying the <code>policy's rule-combining - algorithm</code>, or the child <code>policies</code> and - <code>policy sets</code> in the <code>policy set</code> when - applying the <code>policy set's policy-combining - algorithm</code>. </p> + following subsections. The term “child” is used + to mean the child rules in the policy + when applying the policy's rule-combining + algorithm, or the child policies and + policy sets in the policy set when + applying the policy set's policy-combining + algorithm. </p> <section id="deny-overrides-combining-algorithm"> <h4>Deny-Overrides Combining Algorithm</h4> <p>The Deny-Overrides Combining Algorithm is usable as a policy-combining algorithm and as a rule-combining algorithm. </p> <p>The overall result of a - <code>query</code> is evaluated as follows:</p> + query is evaluated as follows:</p> <ul> <li>if any child evaluates to "deny", then the overall result is @@ -427,7 +427,7 @@ <h4>Permit-Overrides Combining Algorithm</h4> <p>The Permit-Overrides Combining Algorithm is usable as a policy-combining algorithm and as a rule-combining - algorithm. The overall result of a <code>query</code> is + algorithm. The overall result of a query is evaluated as follows:</p> <ul> <li>if any child evaluates to @@ -490,16 +490,16 @@ </section> <!-- combining-algorithm --> <section id="effect"> <h3>Effect</h3> - <p>The <code>effect</code> of a <code>rule</code> is one of the + <p>The effectx of a <code>rule</code> is one of the following: </p> <section id="permit"> <h4>Permit</h4> - <p>This <code>effect</code> allows requested access without + <p>This effect allows requested access without user interaction. </p> </section> <!-- permit --> <section id="deny"> <h4>Deny</h4> - <p>This <code>effect</code> denies requested access without + <p>This effect denies requested access without user interaction. </p> </section> <!-- deny --> <section id="prompt-x"> @@ -511,7 +511,7 @@ <p>The implementation MUST only provide the user the option to grant permission up to the maximum - allowed by the <code>effect</code>, ie: </p> + allowed by the effect, ie: </p> <ul> <li>prompt-oneshot: "deny always", "deny this time", "allow this time";</li> @@ -542,20 +542,20 @@ </section> <!-- effect --> <section id="query"> <h3>Query</h3> - <p>A <code>query</code> represents a specific instance of a + <p>A query represents a specific instance of a security policy being evaluated in order to make an access control decision relating to an attempted - operation by a web application. </p> <p>A <code>query</code> - is characterised by the collection of <code>subject - attributes</code> associated with the web application - instance, the collection of <code>resource attributes</code> + operation by a web application. </p> <p>A query + is characterised by the collection of subject + attributes associated with the web application + instance, the collection of resource attributes associated with the attempted operation, and the - collection of <code>environment attributes</code> associated + collection of environment attributes associated with the circumstances of the attempt. The determinedness of each of these attributes is in - accordance with the <code>execution phase</code> of the - attempt. </p> <p>A <code>query</code> is evaluated against a - <code>policy-set</code>, resulting in a <code>decision</code> in + accordance with the execution phase of the + attempt. </p> <p>A query is evaluated against a + <code>policy-set</code>, resulting in a decision in accordance with the evaluation rules defined in this specification. </p> </section> <!-- query -->
Received on Monday, 21 June 2010 13:43:15 UTC