Subject: Re: [xacml-comment] Target merging and matching
This helps in the case where there are two identical attributes, but you can resolve that issue by simply allowing an OR, which is a lot easier to program. The real problem occurs when a target has multiple subjects or resources, as it appears to be impossible to retain that grouping after a target merge.

The simplest solution from a programming perspective is to add a wrapping node around the Subjects, Resources and Actions. e.g.

Target
  Subjects (Subjects from rule 1)
    Subject role=nurse
    Subject otherAttr=otherValue
  Subjects (Subjects from rule 2)
    Subject role=doctor

Now you can simply check to see if one of the Subjects matches the request Target, in which case you know that one of the rules applies. There is an issue if there are multiple Subjects and multiple Resources, but I wouldn't expect rules to be written this way. You would think that an administrator would group together all the rules for a particular resource, or alternatively all the rules for a particular subject.

The potential problem with the MatchId is the complexity, from a programming point of view, of computing a merge. If you allow too much flexibility the merge software becomes incredibly complex.

John.

----- Original Message -----
From: "Anne Anderson" <Anne.Anderson@Sun.com>
To: "John Howard" <john.howard9@btinternet.com>
Cc: <xacml-comment@lists.oasis-open.org>
Sent: Tuesday, July 23, 2002 3:38 PM
Subject: Re: [xacml-comment] Target merging and matching

> On 23 July, John Howard writes: [xacml-comment] Target merging and matching
> > I am trying to understand how the Target is computed and how
> > the computed Target is then matched. It is difficult to
> > understand the intentions of the spec when combining targets.
> > Is it that the rules must have similar Targets if an overall
> > Target is to be computed?
> >
> > The issue can be summed up in the following example.
> >
> > I have a rule set of two rules. One applies to a subject with
> > the role Nurse, the other applies to a subject with the role
> > Doctor. So I have:
> >
> > RuleSet
> >   Rule (Rule1)
> >     Target
> >       Subjects
> >         role=nurse
> >
> >   Rule (Rule2)
> >     Target
> >       Subjects
> >         role=doctor
> >
> > If this is legal then there would be an overall target of:
> >
> > Target
> >   Subjects
> >     role=nurse
> >   Subjects
> >     role=doctor
>
> Whether the Targets in the two rules can be merged to produce a
> policy Target more precise than "*" (match any) depends on the
> set of "MatchIdType" functions we eventually support.
>
> draft-xacml-schema-policy-15i.xsd includes the
> "non-null-set-intersection" function in "MatchIdType". Using
> this, you would express your merged Target as follows:
>
> <Target>
>   <Subjects MatchId="function:non-null-set-intersection" DataType="xs:boolean">
>     <AttributeDesignator
>       Designator="//xacmlContext/Request/Subject/Attribute[@AttributeId='urn:XHospital:role']"
>       DataType="xs:listOfString"/>
>     <Attribute DataType="xs:listOfString">
>       "nurse" "doctor"
>     </Attribute>
>   </Subjects>
> </Target>
>
> Does this help?
>
> Anne
> --
> Anne H. Anderson              Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive, UBUR02-311   Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
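The three merge strategies discussed in this thread (John's wrapping-node groups, a flat merge that loses the grouping, and Anne's non-null-set-intersection MatchId) can be compared on a few sample requests. The code below is an added example written for this archive page; it is not from the thread, the XACML draft schema or any XACML implementation. The attribute names and values (role, otherAttr, nurse, doctor) come from the e-mails; the function names, the dictionary-based request model and the sample requests are assumptions constructed for the example.

```python
from typing import Dict, Iterable, List, Set

# A request Subject is modelled as attribute id -> bag of values
# (XACML attributes may be multi-valued, hence a set per attribute).
Request = Dict[str, Set[str]]
# One <Subjects> wrapper from John's proposal: attribute id -> required value.
SubjectsGroup = Dict[str, str]

# The two rule Targets from the thread, including rule 1's extra attribute.
RULE1_SUBJECTS: SubjectsGroup = {"role": "nurse", "otherAttr": "otherValue"}
RULE2_SUBJECTS: SubjectsGroup = {"role": "doctor"}
MERGED_GROUPS: List[SubjectsGroup] = [RULE1_SUBJECTS, RULE2_SUBJECTS]


def group_matches(group: SubjectsGroup, request: Request) -> bool:
    """A group matches only if every attribute it names is present with that value."""
    return all(value in request.get(attr, set()) for attr, value in group.items())


def merged_target_matches(groups: Iterable[SubjectsGroup], request: Request) -> bool:
    """John's wrapping-node merge: the policy Target matches if any rule's
    Subjects group matches, with each group's conjunction kept intact."""
    return any(group_matches(g, request) for g in groups)


def flat_target_matches(groups: Iterable[SubjectsGroup], request: Request) -> bool:
    """A merge that discards the grouping and ORs every attribute from every
    rule. It is never narrower than the grouped merge, but it can be broader."""
    pairs = {(attr, value) for g in groups for attr, value in g.items()}
    return any(value in request.get(attr, set()) for attr, value in pairs)


def non_null_set_intersection(designated: Iterable[str], bag: Iterable[str]) -> bool:
    """Anne's MatchId function: true iff the request's attribute values and the
    policy's listed values share at least one member (a set test, no grouping)."""
    return bool(set(designated) & set(bag))


def evaluate(request: Request) -> Dict[str, bool]:
    """Evaluate one request under all three merge strategies."""
    return {
        "grouped": merged_target_matches(MERGED_GROUPS, request),
        "flat": flat_target_matches(MERGED_GROUPS, request),
        "role_intersection": non_null_set_intersection(
            request.get("role", set()), ["nurse", "doctor"]
        ),
    }


def rules_that_apply(request: Request) -> List[str]:
    """Ground truth: which individual rule Targets the request satisfies."""
    names = ["Rule1", "Rule2"]
    return [n for n, g in zip(names, MERGED_GROUPS) if group_matches(g, request)]


# Constructed sample requests covering the cases the thread discusses.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "nurse_with_attr": {"role": {"nurse"}, "otherAttr": {"otherValue"}},
    "nurse_without_attr": {"role": {"nurse"}},
    "doctor": {"role": {"doctor"}},
    "clerk_with_attr": {"role": {"clerk"}, "otherAttr": {"otherValue"}},
    "clerk": {"role": {"clerk"}},
}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:20s} {evaluate(req)} rules: {rules_that_apply(req)}")
```

The grouped merge reproduces exactly the set of requests for which some rule applies. The flat merge and the role-only intersection are both broader: a clerk carrying otherAttr=otherValue passes the flat Target although no rule applies, and a nurse without otherAttr passes both the flat and the intersection Targets. A broader policy Target is still sound, because the individual rule Targets are re-checked once the policy is selected, but it costs evaluation time and makes the policy harder to audit; a Target that is narrower than the union of its rules would be the dangerous case, since it would silently skip rules that should apply.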