OASIS Mailing List Archives

xacml-users message



Subject: How to build a PDP request of a subject with multiple roles


Hi,

I am using XACML to conduct role-based access control (RBAC profile of XACML v2). I have a subject who has more than one role, such as the Account Manager role and the Customer Rep role. I am trying to submit a PDP request to ask if the subject can do an account update. The resource is account; the action is update. Actually, the Account Manager role is allowed to do the account update, but the Customer Rep role is not. How could I build the PDP request in XACML for a subject with more than one role?

Is the following right?
<Request>
  <Subject>
    <Attribute AttributeId="&subject;role-id"
               DataType="&xml;anyURI">
      <AttributeValue>Account Manager</AttributeValue>
    </Attribute>
    <Attribute AttributeId="&subject;role-id"
               DataType="&xml;anyURI">
      <AttributeValue>Customer Rep</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="&resource;resource-id"
               DataType="&xml;anyURI">
      <AttributeValue>account</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="&action;action-id"
               DataType="&xml;anyURI">
      <AttributeValue>update</AttributeValue>
    </Attribute>
  </Action>
</Request>

Or should I use 2 subjects?

thanks
hao
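
As an added illustration, not part of the original message: the sketch below models how attributes that share an AttributeId inside a single Subject are collected into one bag of values, where a match on any value in the bag is sufficient. The role attribute id, the rule table and the `bag`/`decide` helpers are hypothetical, DataType is omitted for brevity, and this is a simplified model, not a XACML engine.

```python
import xml.etree.ElementTree as ET

ROLE_ID = "urn:example:subject:role-id"  # constructed stand-in for "&subject;role-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed request mirroring the post: one Subject carrying two role attributes.
REQUEST = f"""
<Request>
  <Subject>
    <Attribute AttributeId="{ROLE_ID}"><AttributeValue>Account Manager</AttributeValue></Attribute>
    <Attribute AttributeId="{ROLE_ID}"><AttributeValue>Customer Rep</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{RESOURCE_ID}"><AttributeValue>account</AttributeValue></Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}"><AttributeValue>update</AttributeValue></Attribute>
  </Action>
</Request>
"""

# Hypothetical permit rules as (role, resource, action); nothing else is permitted.
PERMIT_RULES = [("Account Manager", "account", "update")]


def bag(request_xml, section, attribute_id):
    """Collect every value of attribute_id under <section> into one bag (a list)."""
    root = ET.fromstring(request_xml)
    return [value.text.strip()
            for attr in root.iterfind(f"{section}/Attribute")
            if attr.get("AttributeId") == attribute_id
            for value in attr.iterfind("AttributeValue")]


def decide(request_xml, rules=PERMIT_RULES):
    """Return Permit if some rule matches any value in each bag, else NotApplicable."""
    roles = bag(request_xml, "Subject", ROLE_ID)
    resources = bag(request_xml, "Resource", RESOURCE_ID)
    actions = bag(request_xml, "Action", ACTION_ID)
    for role, resource, action in rules:
        if role in roles and resource in resources and action in actions:
            return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    print(bag(REQUEST, "Subject", ROLE_ID), decide(REQUEST))
```
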




