Re: [xacml-users] does XACML v2 allow multiple values' attribute

[Yoichi Takayama <yoichi@melcoe.mq.edu.au>]

The example I can find is:

<Apply FunctionId=”urn:oasis:names:tc:xacml:1.0:function:any-of”> 

4576 

 <Function FunctionId=”urn:oasis:names:tc:xacml:1.0:function:string-equal”/> 

4577 

 <AttributeValue 

4578 

DataType=”http://www.w3.org/2001/XMLSchema#string”>Paul</AttributeValue> 

4579 

 <Apply FunctionId=”urn:oasis:names:tc:xacml:1.0:function:string-bag”> 

4580 

  <AttributeValue 

4581 

DataType=”http://www.w3.org/2001/XMLSchema#string”>John</AttributeValue> 

4582 

  <AttributeValue 

4583 

DataType=”http://www.w3.org/2001/XMLSchema#string”>Paul</AttributeValue> 

4584 

  <AttributeValue 

4585 

DataType=”http://www.w3.org/2001/XMLSchema#string”>George</AttributeValue> 

4586 

  <AttributeValue 

4587 

DataType=”http://www.w3.org/2001/XMLSchema#string”>Ringo</AttributeValue> 

4588 

 </Apply>

4589 

</Apply> 

4590 

As compared with yours (below), it seems you have to put the two values in a function called "string-bag" as above. So, I think that it may not be a SunXACML engine error.

Also, XACML 2.0 RBAC recommends to use &roles;account-manager and &roles;department-manager, etc. than what you have there.

<Request>

  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">

    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI">

    <AttributeValue>account:manager:role</AttributeValue>

    <AttributeValue>card:member:department:manager:role</AttributeValue>

    </Attribute>

  </Subject>

  <Resource>

    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">

    <AttributeValue>AccountInformation</AttributeValue>

    </Attribute>

  </Resource>

  <Action>

    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">

    <AttributeValue>access</AttributeValue>

    </Attribute>

  </Action>

</Request>

--------------------------------------------------------------------------

Yoichi Takayama, PhD

Senior Research Fellow

RAMP Project

MELCOE (Macquarie E-Learning Centre of Excellence)

MACQUARIE UNIVERSITY

Phone: +61 (0)2 9850 9073

Fax: +61 (0)2 9850 6527

www.mq.edu.au

www.melcoe.mq.edu.au/projects/RAMP/

--------------------------------------------------------------------------

MACQUARIE UNIVERSITY: CRICOS Provider No 00002J

This message is intended for the addressee named and may contain confidential information.  If you are not the intended recipient, please delete it and notify the sender. Views expressed in this message are those of the individual sender, and are not necessarily the views of Macquarie E-Learning Centre Of Excellence (MELCOE) or Macquarie University.

On 09/01/2009, at 1:37 PM, hao chen wrote:

Sorry, I sent you a wrong version of request. The attached should be the multi values attr.

Best Regard
hao

smime.p7s