Subject: Re: [xacml-users] need clarification on Target Matching in XACML v2.0
> In case 1, there is one <Subject> with two <SubjectMatch>es. For a
> <Subject> to match, _all_ <SubjectMatches> have to match.

On page 88 of XACML spec v2.0, it says:

    The absence of matching attributes in the request context for any of the attribute designators or selectors that are found in the policy SHALL result in a <Decision> element containing the "Indeterminate" value.

So, if the PDP gets a request which has a subject with only 1 attribute as &role:account manager, the PDP should return Indeterminate with required attribute &department. Is that correct?

thanks
hao

--- On Fri, 10/31/08, Roland Illig <roland.illig@gmx.de> wrote:

> From: Roland Illig <roland.illig@gmx.de>
> Subject: Re: [xacml-users] need clarification on Target Matching in XACML v2.0
> To: d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Friday, October 31, 2008, 12:26 PM
>
> hao chen schrieb:
> > In XACML v2.0, 5.5 Element <Target> section, the spec states
> >
> > "For the parent of the <Target> element to be applicable to the
> > decision request, there MUST be at least one positive match between
> > each section of the <Target> element and the corresponding section of
> > the <xacml-context:Request> element."
> >
> > I need some kind of clarification on the statement. For example, if I
> > define a subject with 2 attributes in the target of a XACML policy
> > such as: &role;account manager &department;customer service and the
> > PDP gets a request which has a subject with only 1 attribute as
> > &role:account manager
> >
> > Does this request subject match the subject defined in the target of
> > the policy, and will the rule defined for the target be evaluated?
>
> It depends. There are two possible ways:
>
> 1. The subject must have _both_ roles:
>
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="string-equal">
>           <AttributeValue>account manager</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="role"/>
>         </SubjectMatch>
>         <SubjectMatch MatchId="string-equal">
>           <AttributeValue>customer service</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="role"/>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
>
> 2. The subject must have _at least one_ role:
>
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="string-equal">
>           <AttributeValue>account manager</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="role"/>
>         </SubjectMatch>
>       </Subject>
>       <Subject>
>         <SubjectMatch MatchId="string-equal">
>           <AttributeValue>customer service</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="role"/>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
>
> In case 1, there is one <Subject> with two <SubjectMatch>es. For a
> <Subject> to match, _all_ <SubjectMatches> have to match.
>
> In case 2, there are two <Subject>s, each having one <SubjectMatch>. For
> a <Subjects> to match, only _one_ <Subject> needs to match.
>
> Roland
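The AND/OR distinction Roland describes, together with the missing-attribute case hao asks about, as an added example that is not code from the list thread: a toy matcher for a XACML 2.0 <Subjects> target. Case 1 here uses hao's original role-plus-department policy, case 2 Roland's two-<Subject> form; a designator that finds no attribute in the request yields "Indeterminate" as in the spec sentence hao quotes (the MustBePresent flag on designators, which governs this in a real PDP, is not modelled), and the short MatchId names are the thread's shorthand.

```python
# Toy XACML 2.0 <Subjects> matcher; added example, not code from the thread.
# <Subject>  = AND over its <SubjectMatch> elements (all must match)
# <Subjects> = OR over its <Subject> elements (one is enough)
# A designator that finds no attribute in the request gives "Indeterminate",
# following the spec sentence quoted above; MustBePresent is not modelled.
import xml.etree.ElementTree as ET

MATCH, NO_MATCH, INDET = "Match", "No match", "Indeterminate"
MATCH_FUNCS = {"string-equal": lambda a, b: a == b}  # short MatchId names as in the thread

def eval_subject_match(sm, attrs):
    value = sm.find("AttributeValue").text
    attr_id = sm.find("SubjectAttributeDesignator").get("AttributeId")
    bag = attrs.get(attr_id, [])  # request attribute bag for this AttributeId
    if not bag:
        return INDET
    fn = MATCH_FUNCS[sm.get("MatchId")]
    return MATCH if any(fn(value, v) for v in bag) else NO_MATCH

def eval_subject(subject, attrs):
    res = [eval_subject_match(sm, attrs) for sm in subject.findall("SubjectMatch")]
    if all(r == MATCH for r in res):
        return MATCH
    return NO_MATCH if NO_MATCH in res else INDET  # one definite miss decides

def eval_subjects(policy_xml, attrs):
    res = [eval_subject(s, attrs) for s in ET.fromstring(policy_xml).findall("Subject")]
    if MATCH in res:
        return MATCH
    return NO_MATCH if all(r == NO_MATCH for r in res) else INDET

# Constructed policies: case 1 is one <Subject> with two matches (role AND
# department, as in hao's original question); case 2 is two <Subject>s (OR).
def sm(attr_id, value):
    return ('<SubjectMatch MatchId="string-equal"><AttributeValue>%s</AttributeValue>'
            '<SubjectAttributeDesignator AttributeId="%s"/></SubjectMatch>' % (value, attr_id))

CASE1 = "<Subjects><Subject>%s%s</Subject></Subjects>" % (
    sm("role", "account manager"), sm("department", "customer service"))
CASE2 = "<Subjects><Subject>%s</Subject><Subject>%s</Subject></Subjects>" % (
    sm("role", "account manager"), sm("role", "customer service"))

if __name__ == "__main__":
    request = {"role": ["account manager"]}  # constructed request: no department attribute
    print("case 1:", eval_subjects(CASE1, request))  # Indeterminate
    print("case 2:", eval_subjects(CASE2, request))  # Match
```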