Subject: Re: [xacml-comment] just on little questions
On Fri, 2009-08-14 at 09:55 +0200, Jan Herrmann wrote:
> Hi all,
>
> Just one little question:
>
> In XACML v.3.0 examples (e.g. in the XACML 3.0 core and hierarchical
> RBAC profile line 241) you always open and close AnyOf elements after
> each individual match element. I don’t understand why this is done
> this way and as I saw it in various examples I wonder if it is done
> with some special purpose. From my point of view the same could be
> done with only one <AnyOf> element under target that has under its
> only AllOf child all the Match elements.

It's a sort of leftover from XACML 2.0 (although I think it makes sense, as I'll explain shortly). The AnyOf elements in 2.0 were named Subjects, Resources, Actions and Environments and would contain only Subject, Resource etc. Matches.

Although it's possible in 3.0 to throw all Match elements under one AnyOf/AllOf or make a DNF, I believe it's better to keep on doing as in XACML 2.0 and separate Matches for different attribute categories under different AnyOf elements. The performance hit is minimal (if any), and managing/editing policies is greatly simplified if the Matches are cleanly separated.

/Ludwig

--
Ludwig Seitz, PhD | Axiomatics AB
Training & Development | Electrum 223
Phone: +46 (0)703 83 08 00 | S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com |
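The two Target layouts discussed in this thread, evaluated side by side. This is an added example, not part of the original message or of any XACML implementation. It goes one step beyond the question by adding a second permitted role, to show the DNF form mentioned in the reply. Assumptions: the XACML namespace is omitted, shorthand Category/AttributeId/MatchId strings replace the full URNs, only string equality is evaluated, and Indeterminate results are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: shorthand Category/AttributeId/MatchId values stand in
# for the full XACML URNs, and the XACML namespace is omitted.
def match(cat, attr, val):
    return (f'<Match MatchId="string-equal"><AttributeValue>{val}</AttributeValue>'
            f'<AttributeDesignator Category="{cat}" AttributeId="{attr}"/></Match>')

def any_of(*all_ofs):
    # Each argument is the list of Match strings belonging to one AllOf.
    return "<AnyOf>" + "".join(f"<AllOf>{''.join(ms)}</AllOf>" for ms in all_ofs) + "</AnyOf>"

MGR, DIR = match("subject", "role", "manager"), match("subject", "role", "director")
RES = match("resource", "resource-id", "purchase-order")
ACT = match("action", "action-id", "sign")

# Layout used in the examples: one AnyOf per attribute category.
SEPARATE = f"<Target>{any_of([MGR])}{any_of([RES])}{any_of([ACT])}</Target>"
# Layout from the question: one AnyOf whose only AllOf holds every Match.
COMBINED = f"<Target>{any_of([MGR, RES, ACT])}</Target>"
# Allowing a second role: the separate layout gains one AllOf in the subject AnyOf,
# while the single-AnyOf layout becomes a DNF that repeats RES and ACT per role.
SEPARATE_2 = f"<Target>{any_of([MGR], [DIR])}{any_of([RES])}{any_of([ACT])}</Target>"
DNF_2 = f"<Target>{any_of([MGR, RES, ACT], [DIR, RES, ACT])}</Target>"

def match_ok(m, request):
    d = m.find("AttributeDesignator")
    bag = request.get((d.get("Category"), d.get("AttributeId")), [])
    return m.findtext("AttributeValue") in bag  # true if any value in the bag is equal

def target_matches(xml, request):
    """Target = AND of AnyOf; AnyOf = OR of AllOf; AllOf = AND of Match."""
    return all(any(all(match_ok(m, request) for m in all_of.findall("Match"))
                   for all_of in any_of_el.findall("AllOf"))
               for any_of_el in ET.fromstring(xml).findall("AnyOf"))

def request(role, resource, action):
    return {("subject", "role"): [role], ("resource", "resource-id"): [resource],
            ("action", "action-id"): [action]}

REQUESTS = [request("manager", "purchase-order", "sign"),
            request("director", "purchase-order", "sign"),
            request("manager", "purchase-order", "delete")]

def decisions(target_xml):
    return [target_matches(target_xml, r) for r in REQUESTS]

if __name__ == "__main__":
    for name in ("SEPARATE", "COMBINED", "SEPARATE_2", "DNF_2"):
        print(name, decisions(globals()[name]))
```

Both layouts give identical results for every request; the difference is that the per-category layout changes in one place when a role is added, while the DNF repeats the resource and action Matches in each AllOf.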