xacml-users message



Subject: Re: [xacml-users] need clarification on Target Matching in XACML v2.0


> In case 1, there is one <Subject> with two <SubjectMatch>es. For a
> <Subject> to match, _all_ <SubjectMatch>es have to match.

On page 88 of the XACML spec v2.0, it says:
The absence of matching attributes in the request context for any of the attribute designators or selectors that are found in the policy SHALL result in a <Decision> element containing the "Indeterminate" value.

So, if the PDP gets a request which has a subject with only 1 attribute as &role:account manager, the PDP should return Indeterminate with required attribute &department. Is that correct?

thanks
hao


--- On Fri, 10/31/08, Roland Illig <roland.illig@gmx.de> wrote:

> From: Roland Illig <roland.illig@gmx.de>
> Subject: Re: [xacml-users] need clarification on Target Matching in XACML v2.0
> To: d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Friday, October 31, 2008, 12:26 PM
> hao chen wrote:
> > In XACML v2.0, 5.5 Element <Target> section, the spec states
> > 
> > "For the parent of the <Target> element to be applicable to the
> > decision request, there MUST be at least one positive match between
> > each section of the <Target> element and the corresponding section of
> > the <xacml-context:Request> element."
> > 
> > I need some kind of clarification on the statement. For example, if I
> > define a subject with 2 attributes in the target of a xacml policy
> > such as: &role;account manager &department;customer service and the
> > PDP gets a request which has a subject with only 1 attribute as
> > &role:account manager
> > 
> > Does this request subject match the subject defined in the target of
> > the policy and will the rule defined to the target be evaluated?
> > 
> 
> It depends. There are two possible ways:
> 
> 1. The subject must have _both_ roles:
> 
> <Subjects>
>  <Subject>
>   <SubjectMatch MatchId="string-equal">
>    <AttributeValue>account manager</AttributeValue>
>    <SubjectAttributeDesignator AttributeId="role"/>
>   </SubjectMatch>
>   <SubjectMatch MatchId="string-equal">
>    <AttributeValue>customer service</AttributeValue>
>    <SubjectAttributeDesignator AttributeId="role"/>
>   </SubjectMatch>
>  </Subject>
> </Subjects>
> 
> 2. The subject must have _at least one_ role:
> 
> <Subjects>
>  <Subject>
>   <SubjectMatch MatchId="string-equal">
>    <AttributeValue>account manager</AttributeValue>
>    <SubjectAttributeDesignator AttributeId="role"/>
>   </SubjectMatch>
>  </Subject>
>  <Subject>
>   <SubjectMatch MatchId="string-equal">
>    <AttributeValue>customer service</AttributeValue>
>    <SubjectAttributeDesignator AttributeId="role"/>
>   </SubjectMatch>
>  </Subject>
> </Subjects>
> 
> In case 1, there is one <Subject> with two <SubjectMatch>es. For a
> <Subject> to match, _all_ <SubjectMatch>es have to match.
> 
> In case 2, there are two <Subject>s, each having one <SubjectMatch>. For
> a <Subjects> to match, only _one_ <Subject> needs to match.
> 
> Roland
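Editor's worked example of the two readings Roland gives, run against hao's request. This is added code, not from either poster and not from any XACML implementation: a toy evaluator for the <Subjects> section of an XACML 2.0 <Target> that implements only string-equal, the AND-within-<Subject> / OR-across-<Subject>s rule stated above, and the MustBePresent behaviour of the 2.0 designator as I read the spec (an attribute absent from the request gives Indeterminate when the designator carries MustBePresent="true", otherwise an empty bag, and an empty bag makes that <SubjectMatch> "No match"). Unlike Roland's sketch, the case 1 target pairs role with department, as in hao's question; the request subject is constructed.

```python
"""Toy evaluator for the <Subjects> section of an XACML 2.0 <Target>.

Added example, not code from this thread or from any XACML product.
Implements only string-equal and the matching rules discussed above:
  - a <Subject> matches only if ALL its <SubjectMatch> elements match;
  - <Subjects> matches if ANY <Subject> matches;
  - an attribute missing from the request yields Indeterminate when the
    designator carries MustBePresent="true", otherwise an empty bag, which
    makes that <SubjectMatch> "No match" (my reading of the 2.0 spec).
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML_NS}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

MATCH, NO_MATCH, INDETERMINATE = "Match", "No match", "Indeterminate"


def eval_match(match_el, subject_attrs):
    """One <SubjectMatch>: apply string-equal to every value in the bag the
    designator returns; Match if any value equals the policy literal."""
    if match_el.get("MatchId") != STRING_EQUAL:
        return INDETERMINATE  # unsupported function: processing error
    literal = match_el.find("x:AttributeValue", NS).text
    desig = match_el.find("x:SubjectAttributeDesignator", NS)
    bag = subject_attrs.get(desig.get("AttributeId"), [])
    if not bag:
        must_be_present = desig.get("MustBePresent", "false") == "true"
        return INDETERMINATE if must_be_present else NO_MATCH
    return MATCH if literal in bag else NO_MATCH


def eval_subject(subject_el, subject_attrs):
    """Conjunction: all Match -> Match; any No match -> No match;
    otherwise (some Indeterminate, no No match) -> Indeterminate."""
    results = [eval_match(m, subject_attrs)
               for m in subject_el.findall("x:SubjectMatch", NS)]
    if NO_MATCH in results:
        return NO_MATCH
    return INDETERMINATE if INDETERMINATE in results else MATCH


def eval_subjects(subjects_el, subject_attrs):
    """Disjunction: any Match -> Match; all No match -> No match;
    otherwise -> Indeterminate."""
    results = [eval_subject(s, subject_attrs)
               for s in subjects_el.findall("x:Subject", NS)]
    if MATCH in results:
        return MATCH
    return NO_MATCH if all(r == NO_MATCH for r in results) else INDETERMINATE


def evaluate(subjects_xml, subject_attrs):
    """subject_attrs: AttributeId -> list of string values (the request bag)."""
    return eval_subjects(ET.fromstring(subjects_xml), subject_attrs)


# --- policy fragments and request, constructed for this example -----------

def subject_match(attr_id, value, must_be_present=False):
    mbp = ' MustBePresent="true"' if must_be_present else ""
    return (f'<SubjectMatch MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{XS_STRING}">{value}</AttributeValue>'
            f'<SubjectAttributeDesignator AttributeId="{attr_id}"'
            f' DataType="{XS_STRING}"{mbp}/>'
            '</SubjectMatch>')


def subject(*matches):
    return "<Subject>" + "".join(matches) + "</Subject>"


def subjects(*subs):
    return f'<Subjects xmlns="{XACML_NS}">' + "".join(subs) + "</Subjects>"


# Case 1 (one <Subject>, two <SubjectMatch>es), with hao's role + department.
CASE1_AND = subjects(subject(subject_match("role", "account manager"),
                             subject_match("department", "customer service")))
# Same target, but the department designator carries MustBePresent="true".
CASE1_AND_MBP = subjects(subject(subject_match("role", "account manager"),
                                 subject_match("department", "customer service", True)))
# Case 2 (two <Subject>s, one <SubjectMatch> each).
CASE2_OR = subjects(subject(subject_match("role", "account manager")),
                    subject(subject_match("department", "customer service")))

# hao's request: the subject carries only role=account manager (constructed).
REQUEST_SUBJECT = {"role": ["account manager"]}


def run_cases(subject_attrs=REQUEST_SUBJECT):
    return {
        "case1_and": evaluate(CASE1_AND, subject_attrs),
        "case1_and_must_be_present": evaluate(CASE1_AND_MBP, subject_attrs),
        "case2_or": evaluate(CASE2_OR, subject_attrs),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:28s} {result}")
```

With hao's request the case 1 target is "No match" (the policy is simply not applicable) unless the department designator is marked MustBePresent="true", in which case the missing attribute surfaces as Indeterminate; the case 2 target is "Match" because the first <Subject> alone suffices. Note also the ordering in the conjunction: a <SubjectMatch> that fails outright makes the <Subject> "No match" even when another match in the same <Subject> is Indeterminate.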


      

