Subject: Re: [xacml-users] need clarification on Target Matching in XACMLv2.0
hao chen wrote:
> In XACML v2.0, 5.5 Element <Target> section, the spec states
>
> "For the parent of the <Target> element to be applicable to the
> decision request, there MUST be at least one positive match between
> each section of the <Target> element and the corresponding section of
> the <xacml-context:Request> element."
>
> I need some kind of clarification on the statement. For example, if I
> define a subject with 2 attributes in the target of a xacml policy
> such as: &role;account manager &department;customer service and the
> PDP gets a request which has a subject with only 1 attribute as
> &role:account manager
>
> Does this request subject match the subject defined in the target of
> the policy and will the rule defined to the target be evaluated?
>

It depends. There are two possible ways:

1. The subject must have _both_ roles:

   <Subjects>
     <Subject>
       <SubjectMatch MatchId="string-equal">
         <AttributeValue>account manager</AttributeValue>
         <SubjectAttributeDesignator AttributeId="role"/>
       </SubjectMatch>
       <SubjectMatch MatchId="string-equal">
         <AttributeValue>customer service</AttributeValue>
         <SubjectAttributeDesignator AttributeId="role"/>
       </SubjectMatch>
     </Subject>
   </Subjects>

2. The subject must have _at least one_ role:

   <Subject>
     <SubjectMatch MatchId="string-equal">
       <AttributeValue>account manager</AttributeValue>
       <SubjectAttributeDesignator AttributeId="role"/>
     </SubjectMatch>
   </Subject>
   <Subject>
     <SubjectMatch MatchId="string-equal">
       <AttributeValue>customer service</AttributeValue>
       <SubjectAttributeDesignator AttributeId="role"/>
     </SubjectMatch>
   </Subject>

In case 1, there is one <Subject> with two <SubjectMatch>es. For a
<Subject> to match, _all_ <SubjectMatch>es have to match.

In case 2, there are two <Subject>s, each having one <SubjectMatch>. For
a <Subjects> to match, only _one_ <Subject> needs to match.

Roland
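
Added example, not part of the message above and not code from any XACML implementation: a small Python model of the matching rule Roland describes (AND across <SubjectMatch> within a <Subject>, OR across <Subject>s), run against a request that carries only one role. The function names, the abbreviated "string-equal" MatchId and the dict-of-sets request format are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET


def match_xml(value):
    # Constructed <SubjectMatch>, abbreviated like the snippets in the reply
    # (no namespaces, no DataType, short MatchId).
    return ('<SubjectMatch MatchId="string-equal">'
            f'<AttributeValue>{value}</AttributeValue>'
            '<SubjectAttributeDesignator AttributeId="role"/></SubjectMatch>')


A, B = match_xml("account manager"), match_xml("customer service")
# Case 1: one <Subject> holding both matches (both roles required).
CASE_1 = f"<Subjects><Subject>{A}{B}</Subject></Subjects>"
# Case 2: two <Subject>s with one match each (either role is enough).
CASE_2 = f"<Subjects><Subject>{A}</Subject><Subject>{B}</Subject></Subjects>"


def subject_match(match, request_attrs):
    """True if the request's bag for the designated attribute contains the literal."""
    if match.get("MatchId") != "string-equal":
        raise ValueError("only string-equal is modelled in this example")
    literal = match.findtext("AttributeValue").strip()
    attr_id = match.find("SubjectAttributeDesignator").get("AttributeId")
    # An attribute missing from the request is an empty bag, so nothing matches.
    return literal in request_attrs.get(attr_id, set())


def subjects_match(subjects_xml, request_attrs):
    """OR across <Subject> elements, AND across <SubjectMatch> inside each one.

    Not modelled: an omitted <Subjects> section (matches any subject) and
    Indeterminate results.
    """
    root = ET.fromstring(subjects_xml)
    return any(
        all(subject_match(m, request_attrs) for m in subj.findall("SubjectMatch"))
        for subj in root.findall("Subject")
    )


if __name__ == "__main__":
    one_role = {"role": {"account manager"}}  # constructed request subject
    print("case 1 applicable:", subjects_match(CASE_1, one_role))  # False
    print("case 2 applicable:", subjects_match(CASE_2, one_role))  # True
```

When reviewing a policy, the same check shows whether a target grants access to a subject holding only one of the listed values, which is the difference between the two layouts.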