
xacml-users message



Subject: Re: [xacml-users] Handle Multiple Users/Subjects


On 2018-01-09 17:14, Arno Appenzeller wrote:
Hi,

I’m researching about Multi User Authorisation and decided to work on a prototype with XACML.

In the Core Spec there is a paragraph about Multiple Subjects. But if I get it right it’s more about multiple Subjects in terms of one Access-Subject which uses a program (as another subject) to access resource X.

In my research I consider the scenario where Bob and Alice are both on one system and want to access a resource.
I have several ideas how to realise this but I’m not sure if I miss a fundamental point in XACML.

Is it supported that two access-subjects request one resource in a single request?

Best regards,

Arno


I am assuming that you are referring to XACML 3.0 in my answer, the answer might be a bit different for 2.0 (too lazy to think it through).

There is nothing in the standard to prohibit you from putting multiple access-subject attributes in the request, describing both Alice and Bob.

Note that you shouldn't put them in separate <Attributes> elements, since that would trigger the Multiple Decision Profile (if your implementation supports it).

The more tricky question is how to design the policies that handle these requests. You will probably not be able to do that with Target element alone, instead you will need to use Condition elements.

Hope this helps.

/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
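
Added example, not part of the original thread: a Python sketch that builds two constructed XACML 3.0 requests for Alice and Bob, one with both subjects in a single access-subject `<Attributes>` element and one with them split, then flags the repeated category that the reply warns about. The helper names, the sample subject-ids, and the use of a `string-subset` style check to stand in for a policy Condition are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def subject_block(*names):
    """One access-subject <Attributes> element with a subject-id attribute per name."""
    attrs = "".join(
        f'<Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">'
        f'<AttributeValue DataType="{STRING}">{n}</AttributeValue></Attribute>'
        for n in names)
    return f'<Attributes Category="{SUBJECT}">{attrs}</Attributes>'

def request(*blocks):
    """Constructed sample request; resource and action attributes omitted for brevity."""
    return (f'<Request xmlns="{NS["x"]}" CombinedDecision="false" '
            f'ReturnPolicyIdList="false">{"".join(blocks)}</Request>')

def repeated_categories(request_xml):
    """Categories that occur in more than one <Attributes> element.
    A PDP supporting the Multiple Decision Profile treats these as separate requests."""
    root = ET.fromstring(request_xml)
    counts = Counter(a.get("Category") for a in root.findall("x:Attributes", NS))
    return sorted(c for c, n in counts.items() if n > 1)

def subject_ids(request_xml):
    """Bag of subject-id values, as an access-subject AttributeDesignator would see it."""
    root = ET.fromstring(request_xml)
    return [v.text
            for block in root.findall("x:Attributes", NS) if block.get("Category") == SUBJECT
            for attr in block.findall("x:Attribute", NS) if attr.get("AttributeId") == SUBJECT_ID
            for v in attr.findall("x:AttributeValue", NS)]

def both_present(request_xml, required=("alice", "bob")):
    """Models a Condition like string-subset(bag of required ids, subject-id bag)."""
    return set(required) <= set(subject_ids(request_xml))

# Constructed samples: both users in one element vs. one element per user.
SINGLE_BLOCK = request(subject_block("alice", "bob"))
SPLIT_BLOCKS = request(subject_block("alice"), subject_block("bob"))

if __name__ == "__main__":
    for label, req in (("single", SINGLE_BLOCK), ("split", SPLIT_BLOCKS)):
        print(label, "repeated:", repeated_categories(req), "both:", both_present(req))
```

Running `repeated_categories` over requests before they reach the PDP catches the split form, where each individual decision would see only one of the two users.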

