OASIS Mailing List Archives
xacml message



Subject: [xacml] Fwd: Updated Attribute Designator examples


See attached message.

Anne Anderson       Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA
--- Begin Message ---
Cases:
1. Selecting one attribute value from a subject based on the subject
   having another attribute with a specified value.
2. CASE: Same as above, but Request has two Subjects that
   match the query.
3. Target matches a subject with either one attribute and value or a
   different attribute and value.
4. Target matches a subject having both of two specified attributes
   and values.

1. CASE: Return Attribute of a subject that has another attribute with
   a specified value.

Select AttributeID=B for an AccessSubject that has AttributeID=A with value C.

Request example:
<Subject Category="AccessSubject">
    <Attribute AttributeID="B">
        <AttributeValue>D</AttributeValue>
    </Attribute>       
    <Attribute AttributeID="A">
        <AttributeValue>C</AttributeValue>
    </Attribute>
</Subject>

<SubjectAttributeDesignator AttributeId="B"
                            Category="AccessSubject">
    <SubjectMatch MatchId="string-equals">
        <SubjectAttributeDesignator AttributeID="A"/>
        <AttributeValue DataType="xs:string">C</AttributeValue>
    </SubjectMatch>
</SubjectAttributeDesignator>

2. CASE: Same as above, but Request has two Subjects that
   match the query.

   Select AttributeID=B for AccessSubject that has AttributeID=A with value C

Request Context:

<Subject>
    <Attribute AttributeId="SubjectCategory">
        <AttributeValue DataType="xs:String">
                AccessSubject
        </AttributeValue>
    </Attribute>
    <Attribute AttributeId="SubjectIdentifier">
        <AttributeValue DataType="xacml:x500name">
                 Anne.Anderson@Sun.COM
        </AttributeValue>
    </Attribute>
    <Attribute AttributeID="B">
        <AttributeValue>
                D
        </AttributeValue>
    </Attribute>       
    <Attribute AttributeID="A">
        <AttributeValue>
                C
        </AttributeValue>
    </Attribute>
</Subject>
<Subject>
    <Attribute AttributeId="SubjectCategory">
        <AttributeValue DataType="xs:String">
                AccessSubject
        </AttributeValue>
    </Attribute>
    <Attribute AttributeId="SubjectIdentifier">
        <AttributeValue>
                Anne
        </AttributeValue>
    </Attribute>
    <Attribute AttributeID="B">
        <AttributeValue>
                E
        </AttributeValue>
    </Attribute>       
    <Attribute AttributeID="A">
        <AttributeValue>
                C
        </AttributeValue>
    </Attribute>
</Subject>

<SubjectAttributeDesignator AttributeId="B">
    <SubjectMatch MatchId="string-equals">
        <SubjectAttributeDesignator AttributeId="SubjectCategory">
            <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="A">
                    <AttributeValue DataType="xs:string">
                            C
                    </AttributeValue>
                </SubjectAttributeDesignator>
           </SubjectMatch>
           <AttributeValue DataType="xs:string">
                   AccessSubject
           </AttributeValue>
       </SubjectAttributeDesignator>
    </SubjectMatch>
</SubjectAttributeDesignator>

This returns a sequence of two Attributes with AttributeId="B", one with
value D and one with value E since there are two separate <Subject>s
in the context that match this specification.

3. CASE: Target matches a subject with either one attribute and value or a
   different attribute and value.

   Want to have Target that matches either Context <Subjects> that have
   AttributeID=B with value C OR Context <Subjects> that have
   AttributeId="D" with value "E".

<Target>
    <Subjects>
        <Subject>
            <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="B"/>
                <AttributeValue DataType="xs:string">
                        C
                </AttributeValue>
            </SubjectMatch>
        </Subject>
        <Subject>
            <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="D"/>
                <AttributeValue DataType="xs:string">
                        E
                </AttributeValue>
            </SubjectMatch>
        </Subject>
    </Subjects>
</Target>

4. CASE: Target matches Requests containing a subject having both of
   two specified attributes and values.

<Target>
    <Subjects>
        <Subject>
            <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeId="SubjectId">
                    <SubjectMatch MatchId="string-equals">
                        <SubjectAttributeDesignator AttributeId="Format"/>
                        <AttributeValue DataType="xs:string">
                             X500Name
                        </AttributeValue>
                    </SubjectMatch>
                </SubjectAttributeDesignator>
                <AttributeValue DataType="xs:string">
                        C
                </AttributeValue>
            </SubjectMatch>
        </Subject>
    </Subjects>
    <anyResource/>
    <anyAction/>
</Target>

5. CASE: Target matches Requests containing one subject having both of
   two specified attributes AND another subject having one specified
   attribute.

<Target>
    <Subjects>
        <Subject>
            <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="SubjectId">
                    <SubjectMatch MatchId="string-equals">
                        <SubjectAttributeDesignator
                                       AttributeId="Format"/>
                        <AttributeValue DataType="xs:string">
                             X500Name
                        </AttributeValue>
                    </SubjectMatch>
                </SubjectAttributeDesignator>
                <AttributeValue DataType="xs:string">
                        C
                </AttributeValue>
            </SubjectMatch>
            <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="SubjectId"/>
                <AttributeValue DataType="xs:string">
                        C
                </AttributeValue>
            </SubjectMatch>                
        </Subject>
    </Subjects>
    <anyResource/>
    <anyAction/>
</Target>

--- End Message ---
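
The selection in Cases 1 and 2 and the Target matching in Cases 3 and 4, evaluated over a constructed request context. This Python code is an added example, not part of the forwarded message or of any XACML implementation. The function names, the single `AttributeId` spelling, the `<Request>` wrapper and the whitespace trimming of values are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed request context modelled on Case 2: two subjects, both with A = C.
REQUEST = """
<Request>
  <Subject>
    <Attribute AttributeId="SubjectCategory"><AttributeValue> AccessSubject </AttributeValue></Attribute>
    <Attribute AttributeId="B"><AttributeValue> D </AttributeValue></Attribute>
    <Attribute AttributeId="A"><AttributeValue> C </AttributeValue></Attribute>
  </Subject>
  <Subject>
    <Attribute AttributeId="SubjectCategory"><AttributeValue> AccessSubject </AttributeValue></Attribute>
    <Attribute AttributeId="B"><AttributeValue> E </AttributeValue></Attribute>
    <Attribute AttributeId="A"><AttributeValue> C </AttributeValue></Attribute>
  </Subject>
</Request>
"""

def load_subjects(xml_text):
    """Return one {AttributeId: [values]} dict per <Subject>.
    Assumption: values are whitespace-trimmed before comparison."""
    subjects = []
    for subj in ET.fromstring(xml_text).iter("Subject"):
        attrs = {}
        for attr in subj.iter("Attribute"):
            values = [(v.text or "").strip() for v in attr.iter("AttributeValue")]
            attrs.setdefault(attr.get("AttributeId"), []).extend(values)
        subjects.append(attrs)
    return subjects

def subject_has(subject, conditions):
    """True when one subject satisfies every (attribute id, value) pair."""
    return all(value in subject.get(attr_id, []) for attr_id, value in conditions)

def select(subjects, attr_id, conditions):
    """Cases 1 and 2: values of attr_id from each subject meeting all conditions."""
    return [v for s in subjects if subject_has(s, conditions) for v in s.get(attr_id, [])]

def target_matches(subjects, alternatives):
    """Cases 3 and 4: OR across alternatives, AND within one alternative;
    all pairs of an alternative must be found on the same subject."""
    return any(subject_has(s, alt) for alt in alternatives for s in subjects)

if __name__ == "__main__":
    subs = load_subjects(REQUEST)
    print(select(subs, "B", [("SubjectCategory", "AccessSubject"), ("A", "C")]))
```

A selection whose conditions match no subject returns an empty list, and a conjunction whose values sit on two different subjects does not match, so a policy built on these results denies by default when the expected attribute is absent.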

