xacml-users message



Subject: Re: Fwd: [xacml-users] Single request to query multiple resources with multiple actions on each resource


Andy,

Sorry, but I am still confused as to your cases A1, A2, etc. So let me 
make my own example:

<Attributes Category="access-subject">
  <Attribute>subject-id=alice</Attribute>
</Attributes>
<Attributes Category="access-subject">
  <Attribute>role=employee</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer1</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer2</Attribute>
</Attributes>

The PDP will group all <Attributes> elements with identical categories, 
and then form the cartesian product of these groups. This will result in 
the following individual requests:

<Attributes Category="access-subject">
  <Attribute>subject-id=alice</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer1</Attribute>
</Attributes>

<Attributes Category="access-subject">
  <Attribute>role=employee</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer1</Attribute>
</Attributes>

<Attributes Category="access-subject">
  <Attribute>subject-id=alice</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer2</Attribute>
</Attributes>

<Attributes Category="access-subject">
  <Attribute>role=employee</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer2</Attribute>
</Attributes>

You get a single <Result> for each of these four requests in your 
response. The IncludeInResult attribute has no impact on any of this. It 
just says which attributes are part of the results.

On the other hand, if your original request is like this:

<Attributes Category="access-subject">
  <Attribute>subject-id=alice</Attribute>
  <Attribute>role=employee</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer1</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer2</Attribute>
</Attributes>

then you get only these two requests:

<Attributes Category="access-subject">
  <Attribute>subject-id=alice</Attribute>
  <Attribute>role=employee</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer1</Attribute>
</Attributes>


<Attributes Category="access-subject">
  <Attribute>subject-id=alice</Attribute>
  <Attribute>role=employee</Attribute>
</Attributes>
<Attributes Category="resource">
  <Attribute>resource-id=Printer2</Attribute>
</Attributes>

Best regards,
Erik

Andy Bailey wrote:
> Erik,
>
> Sorry if the question was unclear, I'll try to ask it again in a
> different way.
>
> The question refers to the xacml 3.0 Request.xml which you sent to the
> list, I am attaching it to this post in case anyone didn't receive it
> before.
>
> What would the difference in the result be if instead of the single
> Attributes with access-subject Alice there were:
>
> A1) 2 Attributes with Category access-subject each with 1 subject
> attribute IncludeInResult="true"
>
> B1) 1 Attribute with Category access-subject with 2 subject attributes
> IncludeInResult="true"
>
> A2) 2 Attributes with Category access-subject each with 1 subject
> attribute IncludeInResult="false"
>
> B2) 1 Attribute with Category access-subject with 2 subject attributes
> IncludeInResult="false"
>
>
> In the example you sent the following would be replaced: 
>
>  <Attributes
> Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>       <Attribute
> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> IncludeInResult="false">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">Alice</AttributeValue>
>       </Attribute>
>    </Attributes>
>
> with A1)
>
> <Attributes
> Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>       <Attribute
> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> IncludeInResult="true">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>       </Attribute>
>    </Attributes>
> <Attributes
> Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>       <Attribute
> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> IncludeInResult="true">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">Administrators</AttributeValue>
>       </Attribute>
>    </Attributes>
>
> with B1)
>
> <Attributes
> Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>       <Attribute
> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> IncludeInResult="true">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
>       </Attribute>
>       <Attribute
> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> IncludeInResult="true">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">Administrators</AttributeValue>
>       </Attribute>
>
>    </Attributes>
>
> And then the same for A2 B2 but with IncludeInResult="false"
>
>
> Thanks,
>
> Andy
>
>
>
> On Fri, 2009-10-09 at 11:42 +0200, Erik Rissanen wrote:
>   
>> Hi,
>>
>> You will get the cartesian product of the <Attributes> elements. It is 
>> unclear to me from your example what of it are <Attributes> elements and 
>> what are <Attribute> elements.
>>
>> The IncludeInResult attribute does not affect how many results you get, 
>> only which attributes are played back in the result.
>>
>> Best regards,
>> Erik
>>
>>
>>     
>
>   
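
The grouping and cartesian product described in the message above, as an added example that is not part of the original post and is not taken from any PDP implementation. The short attribute ids (subject-id, role, resource-id) follow the message's shorthand, and build_request and expand are hypothetical helper names; both sample requests are constructed here.

```python
import itertools
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

def build_request(groups):
    """Constructed sample input: groups is a list of (category, [(id, value)])."""
    req = ET.Element(f"{{{NS}}}Request")
    for category, pairs in groups:
        el = ET.SubElement(req, f"{{{NS}}}Attributes", Category=category)
        for attr_id, value in pairs:
            a = ET.SubElement(el, f"{{{NS}}}Attribute", AttributeId=attr_id,
                              IncludeInResult="false")
            ET.SubElement(a, f"{{{NS}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")

def expand(request_xml):
    """Split a request with repeated categories into individual requests.

    Returns a list of requests; each is a list of (category, [(id, value)])
    holding exactly one <Attributes> element per category.
    """
    root = ET.fromstring(request_xml)
    by_category = {}  # dict preserves first-seen category order
    for el in root.findall(f"{{{NS}}}Attributes"):
        pairs = [(a.get("AttributeId"), a.findtext(f"{{{NS}}}AttributeValue"))
                 for a in el.findall(f"{{{NS}}}Attribute")]
        by_category.setdefault(el.get("Category"), []).append(pairs)
    cats = list(by_category)
    return [list(zip(cats, combo))
            for combo in itertools.product(*by_category.values())]

# First request in the message: each subject attribute in its own <Attributes>.
SPLIT = build_request([(SUBJ, [("subject-id", "alice")]),
                       (SUBJ, [("role", "employee")]),
                       (RES, [("resource-id", "Printer1")]),
                       (RES, [("resource-id", "Printer2")])])
# Second request: both subject attributes inside one <Attributes> element.
MERGED = build_request([(SUBJ, [("subject-id", "alice"), ("role", "employee")]),
                        (RES, [("resource-id", "Printer1")]),
                        (RES, [("resource-id", "Printer2")])])

if __name__ == "__main__":
    for name, xml in (("split", SPLIT), ("merged", MERGED)):
        individual = expand(xml)
        print(name, "->", len(individual), "individual requests")
        for r in individual:
            print("   ", [pairs for _, pairs in r])
```

In the split form no individual request carries both subject-id and role, so a policy that tests both attributes is never evaluated with the two together.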


