Re: [xacml-dev] Evaluation of multiple subjects and resources

[Seth Proctor <Seth.Proctor@sun.com>]

On May 26, 2005, at 9:08 AM, Kuketayev, Argyn (Contractor) wrote:
> If the request context contains multiple subjects with the same
> SubjectCategory XML attribute, then they SHALL be treated as if they
> were one categorized subject.

If you have multiple Subjects have the same category, then they're  
the same Subject. That's correct. What would it mean to have multiple  
Subjects listed in the same category when they're actually different?  
I'm not sure I follow.

> Suppose, there's two subjects of the same subject category, S1 with
> attribute name equal to "The one" and a role equal to "Keeper", then
> there's S2 with name "The one" and role "Beeper". So, if I have a  
> target
> which required name match "The one" and a role match "Keeper", then
> according to the spec these two Subjects will be treated as one  
> subject
> with two multivalued attributes name and role. This "virtual" subject
> will match the target.

I think maybe your confusion is over why you can specify multiple  
Subjects. If information for both you and I is included in a Request,  
this doesn't mean that the Request says "tell me about access for  
Argyn and also tell me about access for Seth." The idea is that  
you're asking about access for _one_ Subject, but that Subject may  
take different forms, have supporting Subjects, etc.

For instance, asking about "Seth" may be different than "Seth  
connected from a specific workstation" which may be different than  
"Seth collaborating with Argyn." All of those are asking about me,  
but depending on the scenario, there may be many Subjects involved.  
In all cases, I get back only a single Result in the Response.

I think what you're looking to do is, rather than submit separate  
Requests for you and me, submit a single request and say "tell me  
about access for Seth and also for Argyn" or "tell me about access  
for these two Subjects." Is that right?


seth