Change proposal for issue #3 #10

Closed
wants to merge 1 commit into from
8 changes: 6 additions & 2 deletions 5.21 Element Rule.adoc
@@ -1,6 +1,6 @@
= 5.21 Element <Rule> =

The `<Rule>` element SHALL define the individual *_rules_* in the *_policy_*. The main components of this element are the `<Target>`, `<Condition>`, `<ObligationExpressions>` and `<AdviceExpressions>` elements and the `Effect` attribute.
The `<Rule>` element SHALL define the individual *_rules_* in the *_policy_*. The main components of this element are the `<Target>`, `<Condition>`, `<ObligationExpressions>`, `<AdviceExpressions>` and `<VariableDefinition>` elements and the `Effect` attribute.

A `<Rule>` element may be evaluated, in which case the evaluation procedure defined in Section 7.10 SHALL be used.
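Review bot: in the rewritten intro sentence, `<VariableDefinition>` is appended after `<AdviceExpressions>`, but the schema sequence changed in this same file places it between `<Target>` and `<Condition>`. Listing the components in schema order (`<Target>`, `<VariableDefinition>`, `<Condition>`, `<ObligationExpressions>`, `<AdviceExpressions>`) keeps the summary, the schema listing and the element descriptions further down aligned.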

Expand All @@ -11,9 +11,11 @@ A `<Rule>` element may be evaluated, in which case the evaluation procedure defi
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Target" minOccurs="0"/>
<xs:element ref="xacml:VariableDefinition" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="xacml:Condition" minOccurs="0"/>
<xs:element ref="xacml:ObligationExpressions" minOccurs="0"/>
<xs:element ref="xacml:AdviceExpressions" minOccurs="0"/> </xs:sequence>
<xs:element ref="xacml:AdviceExpressions" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="RuleId" type="xs:string" use="required"/>
<xs:attribute name="Effect" type="xacml:EffectType" use="required"/>
</xs:complexType>
Expand All @@ -31,6 +33,8 @@ The `<Rule>` element contains the following attributes and elements:

`<Target>` [Optional]:: Identifies the set of *_decision requests_* that the `<Rule>` element is intended to evaluate. If this element is omitted, then the *_target_* for the `<Rule>` SHALL be defined by the `<Target>` element of the enclosing `<Policy>` element. See Section 7.7 for details.

`<VariableDefinition>` [Any Number]:: Common variable definitions that can be referenced from anywhere in the `<Condition>`, `<ObligationExpressions>` and `<AdviceExpressions>` of this *_rule_* where an expression can be found.

`<Condition>` [Optional]:: A *_predicate_* that MUST be satisfied for the *_rule_* to be assigned its `Effect` value.

`<ObligationExpressions>` [Optional]:: A *_conjunctive sequence_* of *_obligation_* expressions which MUST be evaluated into *_obligations_* by the PDP. The corresponsding *_obligations_* MUST be fulfilled by the *_PEP_* in conjunction with the *_authorization decision_*. See Section 7.18 for a description of how the set of *_obligations_* to be returned by the *_PDP_* SHALL be determined. See section 7.2 about enforcement of *_obligations_*.
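Review bot: the new `<VariableDefinition>` entry leaves the scope of a rule-level variable implicit. The phrase "from anywhere in the `<Condition>`, `<ObligationExpressions>` and `<AdviceExpressions>` of this rule where an expression can be found" is loose, and the entry does not say that the definition is invisible to sibling rules, nor whether the expression inside a rule-level definition may itself reference a variable defined at policy level. Suggest stating the scope explicitly and pointing to Sections 5.23 and 7.8, the way the `<Target>` entry points to Section 7.7.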
2 changes: 1 addition & 1 deletion 5.23 Element VariableDefinition.adoc
@@ -1,6 +1,6 @@
= 5.23 Element <VariableDefinition> =

The `<VariableDefinition>` element SHALL be used to define a value that can be referenced by a `<VariableReference>` element. The name supplied for its `VariableId` attribute SHALL NOT occur in the `VariableId` attribute of any other `<VariableDefinition>` element within the encompassing *_policy_*. The `<VariableDefinition>` element MAY contain undefined `<VariableReference>` elements, but if it does, a corresponding `<VariableDefinition>` element MUST be defined later in the encompassing *_policy_*. `<VariableDefinition>` elements MAY be grouped together or MAY be placed close to the reference in the encompassing *_policy_*. There MAY be zero or more references to each `<VariableDefinition>` element.
The `<VariableDefinition>` element SHALL be used to define a value that can be referenced by a `<VariableReference>` element. The name supplied for its `VariableId` attribute SHALL NOT occur in the `VariableId` attribute of any other `<VariableDefinition>` element within the encompassing *_policy_* or *_rule_*. To prevent circular references, a `<VariableDefinition>` element MUST be defined before being referenced by a `<VariableReference>` element in the encompassing *_policy_* or *_rule_*. `<VariableDefinition>` elements MAY be grouped together or MAY be placed close to the reference in the encompassing *_policy_* or *_rule_*. There MAY be zero or more references to each `<VariableDefinition>` element.

[source,xml]
----
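Review bot: the replacement sentence in the intro paragraph turns a previously permitted forward reference into an error, and the text does not flag that. The removed wording allowed a `<VariableDefinition>` to contain a reference whose definition appears later in the policy; the new wording requires every definition to precede its references, so policies written to the old wording become invalid. If that is intended, call it out as an incompatible change and say that "before" means document order. It would also help to state how the rule applies across scopes, for example a reference inside a `<Rule>` to a policy-level variable whose definition appears after that rule.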
2 changes: 1 addition & 1 deletion 5.24 Element VariableReference.adoc
@@ -1,6 +1,6 @@
= 5.24 Element <VariableReference> =

The `<VariableReference>` element is used to reference a value defined within the same encompassing `<Policy>` element. The `<VariableReference>` element SHALL refer to the `<VariableDefinition>` element by *_identifier equality_* on the value of their respective `VariableId` attributes. One and only one `<VariableDefinition>` MUST exist within the same encompassing `<Policy>` element to which the `<VariableReference>` refers. There MAY be zero or more `<VariableReference>` elements that refer to the same `<VariableDefinition>` element.
The `<VariableReference>` element is used to reference a value defined within the same encompassing `<Policy>` or `<Rule>` element. The `<VariableReference>` element SHALL refer to the `<VariableDefinition>` element by *_identifier equality_* on the value of their respective `VariableId` attributes. One and only one `<VariableDefinition>` MUST exist within the same encompassing `<Policy>` or `<Rule>` element to which the `<VariableReference>` refers. There MAY be zero or more `<VariableReference>` elements that refer to the same `<VariableDefinition>` element.

[source,xml]
----
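Review bot: "One and only one `<VariableDefinition>` MUST exist within the same encompassing `<Policy>` or `<Rule>` element" is ambiguous for a reference placed inside a rule, because both a `<Rule>` and a `<Policy>` encompass it. The text does not say whether a rule may reuse a `VariableId` already defined at policy level, nor which definition the reference resolves to if it does. Since a rule-level variable can be referenced from the `<Condition>`, two PDPs resolving the same identifier differently could reach different decisions for the same policy. Suggest either forbidding the reuse outright or stating that the rule-level definition takes precedence within that rule.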
4 changes: 2 additions & 2 deletions 7.8 VariableReference Evaluation.adoc
@@ -1,7 +1,7 @@
= 7.8 VariableReference Evaluation =

The `<VariableReference>` element references a single `<VariableDefinition>` element contained within the same `<Policy>` element. A `<VariableReference>` that does not reference a particular `<VariableDefinition>` element within the encompassing `<Policy>` element is called an undefined reference. *_Policies_* with undefined references are invalid.
The `<VariableReference>` element references a single `<VariableDefinition>` element contained within the same `<Policy>` or `<Rule>` element. A `<VariableReference>` that does not reference a particular `<VariableDefinition>` element within the encompassing `<Policy>` or `<Rule>` element is called an undefined reference. *_Policies_* and *_Rules_* with undefined references are invalid.

In any place where a `<VariableReference>` occurs, it has the effect as if the text of the `<Expression>` element defined in the `<VariableDefinition>` element replaces the `<VariableReference>` element. Any evaluation scheme that preserves this semantic is acceptable. For instance, the expression in the `<VariableDefinition>` element may be evaluated to a particular value and cached for multiple references without consequence. (I.e. the value of an `<Expression>` element remains the same for the entire *_policy_* evaluation.) This characteristic is one of the benefits of XACML being a declarative language.
In any place where a `<VariableReference>` occurs, it has the effect as if the text of the `<Expression>` element defined in the `<VariableDefinition>` element replaces the `<VariableReference>` element. Any evaluation scheme that preserves this semantic is acceptable. For instance, the expression in the `<VariableDefinition>` element may be evaluated to a particular value and cached for multiple references without consequence. (I.e. the value of an `<Expression>` element remains the same for the entire evaluation of the *_policy_* or *_rule_* where the `<VariableDefinition>` is defined.) This characteristic is one of the benefits of XACML being a declarative language.

A variable reference containing circular references is invalid. The PDP MUST detect circular references either at policy loading time or during runtime evaluation. If the PDP detects a circular reference during runtime the variable reference evaluates to "Indeterminate" with status code urn:oasis:names:tc:xacml:1.0:status:processing-error.
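Review bot: the unchanged last paragraph of this section still requires the PDP to detect circular references at load time or at runtime, while the Section 5.23 change in this same pull request requires every definition to precede its references specifically to prevent them. The two should be reconciled: either state here that a reference preceding its definition makes the policy or rule invalid, which leaves the circular-reference check as a fallback, or keep detection and drop the ordering rule. Minor: `*_Rules_*` is capitalised mid-sentence in the new first paragraph, while `*_rule_*` is lower case elsewhere in the change.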
1 change: 1 addition & 0 deletions xacml-core-v3-schema-wd-17.xsd
Expand Up @@ -375,6 +375,7 @@
<xs:sequence>
<xs:element ref="xacml:Description" minOccurs="0"/>
<xs:element ref="xacml:Target" minOccurs="0"/>
<xs:element ref="xacml:VariableDefinition" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="xacml:Condition" minOccurs="0"/>
<xs:element ref="xacml:ObligationExpressions" minOccurs="0"/>
<xs:element ref="xacml:AdviceExpressions" minOccurs="0"/>
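Review bot: the added element reference fixes where `<VariableDefinition>` may appear in a `<Rule>`, but nothing in this hunk enforces the two constraints the prose attaches to it: `VariableId` uniqueness and definition before reference (Section 5.23). A document that passes validation against this sequence can still violate both, so implementers who rely on schema validation alone will accept invalid rules. Suggest an `xs:annotation` on this element reference, or a sentence in Section 5.21, saying that these checks are the PDP's responsibility and are not covered by the schema.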