OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-users] Single request to query multiple resources with multiple actions on each resource


Hi Erik,

Thanks for the clarification. I read the section just below (2.4) and missed the 2.3, which indeed allows automatic combination of <Attributes> elements if multiple of them were specified. Only that the XACML 3.0 Core seems to indicate that one had to use the <MultiRequest> as 2.4. That was wrong and please accept my apology

I thought that intent could be just that, after the XACML 3.0 Request context was changed to allow it to contain multiple Attributes element for any category (Subject, Action, Resource, Environment and some other) if the Multiple Profile was implemented by the system.

That was why I said syntax of both XAMCL 3.0 Request and the Multiple Resources allows us to construct multiple Subjects and Actions. However, I saw the <MultiRequest> in the XACML 3.0 Core <Request>, and thought that I had to use it if multiple <Attributes>s are specified, and just looked it up in the Multiple Resources.

Maybe the Multiple Resources document was composed when it was for XACML 2.0 and that could be why it still inherits sentences which implies only the Resources are multiple? Maybe it should change the name to Multiple Request Elements Profile?

The clause you refer seems to assume that only Resources are repeated. It does not seem to allow Subjects or Actions to be also multiple. Is this an editing problem from the days when this Profile was used only for Multiple Resource elements?

For example, Subjects or Actions could be repeated with no Resource at all. What do you call the Requests? Subject Request or Action Request? 

Thanks,
Yoichi

On 24/09/2009, at 1:19 AM, Erik Rissanen wrote:

Hi Yoichi,

The intent of the 3.0 multiple profile has been that by specifying multiple <Attributes> elements, all combinations of subject, resource, action or another categories can be used, so what Ludwig describes is how it should work. See section 2.2.3 in the CD-1 version of the 3.0 Multiple resource profile:

--8<--
Each <Attributes> element SHALL represent one Individual Resource, subject, or another category unless that element utilizes the other mechanisms described in this Profile.
For each combination of repeated <Attributes> elements, one I
ndividual Resource Request SHALL be created.
--8<--

Best regards,
Erik



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]