OASIS Mailing List Archives

xacml message



Subject: [xacml] subject attribute designator


Michiharu, currently subject-attribute-designator includes an optional sequence of <SubjectMatch> as a sub-element.
(There is a typo in the schema in that it allows just one subject match; it should be 0...unbounded.)
This maps to 'where' semantics: select the attribute value for the subject attribute attrA from the request context such that
the value of another attribute attrB for the same subject is valueB.
 
<SubjectAttributeDesignator AttributeId="attrA"> <!-- select this attribute -->
    <SubjectMatch> <!-- where -->
        <SubjectAttributeDesignator AttributeId="attrB"/>
        <AttributeValue>valueB</AttributeValue>
    </SubjectMatch>
</SubjectAttributeDesignator>
 
<SubjectAttributeDesignator> includes <SubjectMatch>, and <SubjectMatch> includes <SubjectAttributeDesignator>.
It seems to me that this recursion is an issue here. Ann is using this recursion in her example (2).
 
Here is Ann's example (2) without recursion:
Select one attribute value from a subject based on that subject having another attribute with a specified value.
The request has 2 subjects that match this query.
 
Request context:
<Subject>
    <Attribute AttributeId="SubjectCategory">
        <AttributeValue>access-subject</AttributeValue>
    </Attribute>
    <Attribute AttributeId="subject-identifier">
        <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="attrA">
        <AttributeValue>a1</AttributeValue> <!-- same as the other subject -->
    </Attribute>
    <Attribute AttributeId="attrB">
        <AttributeValue>b1</AttributeValue>
    </Attribute>
</Subject>
<Subject>
    <Attribute AttributeId="SubjectCategory">
        <AttributeValue>access-subject</AttributeValue>
    </Attribute>
    <Attribute AttributeId="subject-identifier">
        <AttributeValue>alice@acme.com</AttributeValue>
    </Attribute>
    <Attribute AttributeId="attrA">
        <AttributeValue>a1</AttributeValue> <!-- same as the other subject -->
    </Attribute>
    <Attribute AttributeId="attrB">
        <AttributeValue>b2</AttributeValue>
    </Attribute>
</Subject>
 
Attribute selection: select attribute attrB of the access-subject with attribute attrA equal to a1.
 
<SubjectAttributeDesignator AttributeId="attrB">
    <SubjectMatch MatchId="string-equal">
        <SubjectAttributeDesignator AttributeId="SubjectCategory"/>
        <AttributeValue>access-subject</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">
        <SubjectAttributeDesignator AttributeId="attrA"/>
        <AttributeValue>a1</AttributeValue>
    </SubjectMatch>
</SubjectAttributeDesignator>
 
This designator will match both subjects.
 
Does it make sense? Should we remove the recursion in subject-attribute-designator, so that
subject-match does not refer to subject-attribute-designator again?
 
Simon
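
The following is an added worked example, not part of Simon's message or of any XACML implementation. It evaluates the non-recursive form of the designator discussed above against the two-subject request context from the message: each <SubjectMatch> is a conjunctive 'where' constraint, and the designator returns the bag of attrB values from every subject that satisfies all of them. The request and designator XML are transcribed from the message (the attribute ids are the short forms used there, not the full XACML URNs, and the MATCH_FUNCTIONS table is an assumption of this example). The evaluator rejects a nested designator that itself carries a <SubjectMatch>, i.e. the recursive form the message proposes removing.

```python
"""Evaluate a non-recursive SubjectAttributeDesignator (with <SubjectMatch>
'where' constraints) against an XACML-style request context.

Added example; the XML below is constructed from the mailing-list message.
"""
import xml.etree.ElementTree as ET

# Constructed request context: two access-subjects sharing attrA=a1.
REQUEST_XML = """<Request>
<Subject>
  <Attribute AttributeId="SubjectCategory"><AttributeValue>access-subject</AttributeValue></Attribute>
  <Attribute AttributeId="subject-identifier"><AttributeValue>alice</AttributeValue></Attribute>
  <Attribute AttributeId="attrA"><AttributeValue>a1</AttributeValue></Attribute>
  <Attribute AttributeId="attrB"><AttributeValue>b1</AttributeValue></Attribute>
</Subject>
<Subject>
  <Attribute AttributeId="SubjectCategory"><AttributeValue>access-subject</AttributeValue></Attribute>
  <Attribute AttributeId="subject-identifier"><AttributeValue>alice@acme.com</AttributeValue></Attribute>
  <Attribute AttributeId="attrA"><AttributeValue>a1</AttributeValue></Attribute>
  <Attribute AttributeId="attrB"><AttributeValue>b2</AttributeValue></Attribute>
</Subject>
</Request>"""

# Designator from the message: select attrB where SubjectCategory=access-subject and attrA=a1.
DESIGNATOR_XML = """<SubjectAttributeDesignator AttributeId="attrB">
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="SubjectCategory"/>
    <AttributeValue>access-subject</AttributeValue>
  </SubjectMatch>
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="attrA"/>
    <AttributeValue>a1</AttributeValue>
  </SubjectMatch>
</SubjectAttributeDesignator>"""

# Assumed match-function table keyed by the short MatchId used in the message.
MATCH_FUNCTIONS = {
    "string-equal": lambda value, literal: value == literal,
}


def subject_attribute_values(subject, attribute_id):
    """Return the bag of values for attribute_id on one <Subject> element."""
    return [
        value.text or ""
        for attr in subject.findall("Attribute")
        if attr.get("AttributeId") == attribute_id
        for value in attr.findall("AttributeValue")
    ]


def subject_match_holds(subject, match):
    """A <SubjectMatch> holds if any value of the designated attribute on this
    subject satisfies MatchId against the literal <AttributeValue>."""
    inner = match.find("SubjectAttributeDesignator")
    if inner is None or len(inner) != 0:
        # Non-recursive form: the nested designator must be a leaf (no
        # <SubjectMatch> children of its own).
        raise ValueError("SubjectMatch must contain a leaf SubjectAttributeDesignator")
    match_fn = MATCH_FUNCTIONS[match.get("MatchId")]
    literal = match.find("AttributeValue").text or ""
    candidates = subject_attribute_values(subject, inner.get("AttributeId"))
    return any(match_fn(value, literal) for value in candidates)


def evaluate_designator(designator, request):
    """Select the designated attribute from every subject for which all
    <SubjectMatch> children (0..unbounded, conjunctive) hold.
    Returns a list of (subject-identifier, [values]) in request order."""
    target_id = designator.get("AttributeId")
    constraints = designator.findall("SubjectMatch")
    selected = []
    for subject in request.findall("Subject"):
        if all(subject_match_holds(subject, m) for m in constraints):
            ident = subject_attribute_values(subject, "subject-identifier")
            selected.append((ident[0] if ident else None,
                             subject_attribute_values(subject, target_id)))
    return selected


def select(designator_xml, request_xml=REQUEST_XML):
    """Parse both fragments and evaluate the designator against the request."""
    return evaluate_designator(ET.fromstring(designator_xml), ET.fromstring(request_xml))


if __name__ == "__main__":
    # Both subjects satisfy both constraints, so both attrB values come back.
    for ident, values in select(DESIGNATOR_XML):
        print(ident, values)
```

With no <SubjectMatch> children the designator degenerates to "all attrB values of all subjects"; adding a constraint on attrB itself (e.g. attrB = b2) narrows the result to the second subject only, which is what the 'where' reading of the sequence gives.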
 

