Subject: Re: [xacml-comment] Target merging and matching
On 23 July, John Howard writes: [xacml-comment] Target merging and matching
> I am trying to understand how the Target is computed and how
> the computed Target is then matched. It is difficult to
> understand the intentions of the spec when combining targets.
> Is it that the rules must have similar Targets if an overall
> Target is to be computed.
>
> The issue can be summed up in the following example.
>
> I have a rule set of two rules. One applies to a subject with
> the role Nurse, the other applies to a subject with the role
> Doctor. So I have:
>
> RuleSet
>   Rule (Rule1)
>     Target
>       Subjects
>         role=nurse
>
>   Rule (Rule2)
>     Target
>       Subjects
>         role=doctor
>
> If this is legal then there would be an overall target of:
>
> Target
>   Subjects
>     role=nurse
>   Subjects
>     role=doctor

Whether the Targets in the two rules can be merged to produce a
policy Target more precise than "*" (match any) depends on the
set of "MatchIdType" functions we eventually support.

draft-xacml-schema-policy-15i.xsd includes the
"non-null-set-intersection" function in "MatchIdType". Using
this, you would express your merged Target as follows:

  <Target>
    <Subjects MatchId="function:non-null-set-intersection"
              DataType="xs:boolean">
      <AttributeDesignator
          Designator="//xacmlContext/Request/Subject/Attribute[@AttributeId='urn:XHospital:role']"
          DataType="xs:listOfString"/>
      <Attribute DataType="xs:listOfString">
        "nurse" "doctor"
      </Attribute>
    </Subjects>
  </Target>

Does this help?

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
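
Added example, not part of the message above or of the XACML draft: a Python sketch of merging the two rule Targets into one policy Target and matching it with a non-null set intersection. The dict-based Target model and the function names are assumptions made for illustration, and the sketch generalizes slightly by showing that a rule with no subject constraint widens the merged Target to "*" (match any).

```python
# Added illustration. The dict-based Target model is an assumption made
# for this sketch; it is not the XACML draft schema or any project's API.
ROLE = "urn:XHospital:role"  # attribute id taken from the message above

def non_null_set_intersection(policy_values, request_values):
    """True when the policy bag and the request bag share a value."""
    return bool(set(policy_values) & set(request_values))

def target_matches(target, subject_attrs):
    """A Target is {attribute_id: set_of_values}; {} matches anything ("*")."""
    return all(
        non_null_set_intersection(values, subject_attrs.get(attr_id, ()))
        for attr_id, values in target.items()
    )

def merge_targets(rule_targets):
    """Merge rule Targets into a policy Target that never filters out a
    request some rule would match.

    Only attributes constrained by every rule are kept, with the union of
    their values. A rule with no constraint therefore widens the result
    to {} (match any).
    """
    if not rule_targets:
        return {}
    common = set.intersection(*(set(t) for t in rule_targets))
    return {a: set().union(*(t[a] for t in rule_targets)) for a in common}

# Constructed sample data mirroring the nurse/doctor rule set.
RULE1 = {ROLE: {"nurse"}}
RULE2 = {ROLE: {"doctor"}}
REQUESTS = [
    {ROLE: ["doctor", "researcher"]},  # shares "doctor" with the merged set
    {ROLE: ["clerk"]},                 # empty intersection
    {},                                # subject carries no role attribute
]

def demo():
    merged = merge_targets([RULE1, RULE2])
    return [target_matches(merged, r) for r in REQUESTS]

if __name__ == "__main__":
    print(demo())
```

The merged Target is only a pre-filter: a request that passes it still has to be evaluated against each rule's own Target.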