Re: Fwd: [xacml-users] Single request to query multiple resourceswith multiple actions on each resource

[Erik Rissanen <erik@axiomatics.com>]

Hi,

You will get the cartesian product of the <Attributes> elements. It is 
unclear to me from you example what of it are <Attributes> elements and 
what are <Attribute> elements.

The IncludeInResult attribute does not affect how many results you get, 
only which attributes are played back in the result.

Best regards,
Erik



Andy Bailey wrote:
> Hi,
>
> I was rereading the emails about this thread and noticed a detail that
> had escaped me before. See Inline:
>
> On Thu, 2009-09-24 at 10:19 +0200, Erik Rissanen wrote:
>   
>> Hi Yoichi,
>>
>> The intent of the 3.0 multiple profile has been that by specifying 
>> multiple <Attributes> elements, all combinations of subject, resource, 
>> action or another categories can be used, 
>>     
>
> Does that mean if there are two subjects in the request, for example:
>
> User: admin
> Role: Administrators
>
> resource1 IncludeInResult="true"
> resource2 IncludeInResult="true"
>
> action1 IncludeInResult="true"
> action2 IncludeInResult="true"
>
> Then you will get results for:
>  
> User admin resource1 action1
> Role administrators resource1 action1
>
> + cartesian product of the others.
>
>
>
> Or will that only happen if you include
> User: admin IncludeInResult="true"
> Role: Administrators IncludeInResult="true"
>
>
> Thanks,
>
> Andy Bailey
>
>
>   
>> so what Ludwig describes is 
>> how it should work. See section 2.2.3 in the CD-1 version of the 3.0 
>> Multiple resource profile:
>>
>> --8<--
>> Each <Attributes> element SHALL represent one Individual Resource, 
>> subject, or another category unless that element utilizes the other 
>> mechanisms described in this Profile.
>> For each combination of repeated <Attributes> elements, one Individual 
>> Resource Request SHALL be created.
>> --8<--
>>
>> Best regards,
>> Erik
>>
>>     
>
>
>