From 330b09e41b7d9c973a87465d7fa19a154df59ddb Mon Sep 17 00:00:00 2001
From: David Waltermire
Date: Mon, 26 Jun 2023 19:33:27 -0400
Subject: [PATCH] Revert changes from usnistgov/OSCAL#1717 that address a
documented feature in the profile resolution spec that didn't exist in the
model. Instead of updating the model, this PR removes the
"with-parent-controls" feature from the profile resolution spec.
This developmental feature should be removed for the following reasons.
- This feature is not implemented in any of the current XSLT or Java implementations.
- This feature is not being requested from a significant segment of the user community. The related issue usnistgov/OSCAL#1662 has support from 1 community member outside the NIST team.
- This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis.
- IMHO, profile resolution doesn't need to be made more complicated than it already is.
---
src/metaschema/oscal_profile_metaschema.xml | 21 +++++--------------
.../profile-resolution-specml.xml | 19 +----------------
2 files changed, 6 insertions(+), 34 deletions(-)
diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml
index 54455ddbc5..9ebb987eb8 100644
--- a/src/metaschema/oscal_profile_metaschema.xml
+++ b/src/metaschema/oscal_profile_metaschema.xml
@@ -81,24 +81,13 @@
Identifies that all controls are to be included from the imported catalog or profile.
-
- Select Control
- Select a control or controls from an imported control set.
-
-
-
-
-
-
-
-
-
-
+
+ include-controls
+
If with-child-controls
is yes
on the call to a control, any controls appearing within it (child controls) will be selected, with no additional call
directives required. This flag provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.
- If with-parent-controls is "yes" on the call to a control, it will not be selected and removed from (shown without) a parent control, but instead will be copied with its parent in the source. This flag provides a way to include controls with all their ancestor controls (enhancements) without having to call them individually.
-
+
exclude-controls
@@ -416,7 +405,7 @@
- Select Controls
+ Insert Controls
Specifies which controls to use in the containing context.
Order
diff --git a/src/specifications/profile-resolution/profile-resolution-specml.xml b/src/specifications/profile-resolution/profile-resolution-specml.xml
index baa59f4664..4ec60df709 100644
--- a/src/specifications/profile-resolution/profile-resolution-specml.xml
+++ b/src/specifications/profile-resolution/profile-resolution-specml.xml
@@ -562,7 +562,7 @@ include-controls:
Dealing with Nested Controls and Groups
In OSCAL, controls may contain child controls. For instance, in SP 800-53 many controls are supplemented with control enhancements; in OSCAL these are represented as child controls within parent controls. So parent AC-2 (in a given catalog) has children AC-2(1) through AC-2(13), for example.
- By default, inclusion of a control also causes any of that control's ancestors (or parents) to also be included. By default, inclusion of a control DOES NOT cause the inclusion of any descendants (or children) of that control to be included. This applies to both controls and groups.
+ By default, inclusion of a control also causes any of that control's ancestors to also be included. By default, inclusion of a control DOES NOT cause the inclusion of any descendants of that control to be included. This applies to both controls and groups.
This default behavior can be modified by the following two optional children of the
include-controls object.
@@ -580,23 +580,6 @@ include-controls:
directive as being equivalent to one having with-child-controls:no.
-
- with-parent-controls
- Although similar to the above
- with-child-controls, the optional
- with-parent-controls applies to parents of the included control, and has the opposite default behavior. In order to maintain the structure of the source catalog, profile resolution includes all parents of an included control by default. If a profile author wants to change this structure, they should use an exclude directive that lists all of the undesired parents. As a shortcut for this,
- with-parent-controls provides the following functionality:
-
- A with-parent-controls:
- yes directive on an include-controls indicates that all parent
- controls of the included control MUST also be included.
- A with-parent-controls:
- no directive on an include-controls indicates that ONLY the
- matching control is included, any parent MUST NOT be included.
- If no with-parent-controls is provided, the processor MUST
- consider the directive as being equivalent to one having
- with-parent-controls:yes.
-