Subject: Re: [xacml] subject attribute designator


Polar,
Currently the <SubjectMatch> element allows matching 1 attribute designator to 1
attribute value.
A sequence of subject-matches is interpreted as 'and' between individual
matches.
In the target we have another element <Subject> that wraps a sequence of
subject-matches.
A sequence of <Subject> elements in the target is interpreted as 'or'.

So the recursive example you give is semantically the same as my example.

I'm beginning to think that this piece is a little bit overengineered.

What if we define a <MatchType> that matches 1 attribute designator to 1
attribute value.
(I think we had this before the f2f.)
Elements of <MatchType> are always enclosed in <Subject>, <Resource>, or
<Action> elements. So matches within <Subject> are subject attribute matches,
matches within <Resource> are resource attribute matches, etc.

In the target we drop the <Subjects> element and leave a sequence of <Subject>
elements that in turn contain a sequence of matches. (Same for <Resources>
and <Actions>.)

A sequence of <Subject> elements in the target is interpreted as 'or'.
A sequence of subject matches within an individual <Subject> element is
interpreted as 'and'. (Same for the <Resource> sequence and the <Action>
sequence.)

SubjectAttributeDesignator will contain an optional sequence of subject matches
interpreted as 'and' between individual matches.

Example:
<Target> <!-- note: <Subjects> element gone -->
    <Subject>
        <SubjectMatch MatchId="string-equal"> <!-- match 1 attr to 1 value -->
            <AttributeDesignator AttributeId="attrA"/>
            <AttributeValue>a1</AttributeValue>
        </SubjectMatch>
        <SubjectMatch MatchId="string-equal"> <!-- match 1 attr to 1 value -->
            <AttributeDesignator AttributeId="AttrB"/>
            <AttributeValue>b1</AttributeValue>
        </SubjectMatch>
        <SubjectMatch MatchId="string-equal"> <!-- match 1 attr to 1 value -->
            <AttributeDesignator AttributeId="AttrC"/>
            <AttributeValue>c1</AttributeValue>
        </SubjectMatch>
    </Subject>
    <Subject> <!-- another subject; 'or' between <Subject> elements -->
    </Subject>
    <!-- .... -->
</Target>

<SubjectAttributeDesignator AttributeId="AttrA">
    <SubjectMatch MatchId="string-equal"> <!-- 'and' between individual subject-matches -->
        <AttributeDesignator AttributeId="AttrB"/>
        <AttributeValue>b1</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">
        <AttributeDesignator AttributeId="AttrC"/>
        <AttributeValue>c1</AttributeValue>
    </SubjectMatch>
</SubjectAttributeDesignator>

Simon

----- Original Message -----
From: "Polar Humenn" <polar@syr.edu>
To: "Simon Godik" <simon@godik.com>
Cc: <xacml@lists.oasis-open.org>
Sent: Thursday, August 08, 2002 11:22 AM
Subject: Re: [xacml] subject attribute designator


> On Thu, 8 Aug 2002, Simon Godik wrote:
>
> > <SubjectAttributeDesignator AttributeId="attrB">
> >     <SubjectMatch MatchId="string-equal">
> >         <SubjectAttributeDesignator AttributeId="subject-category"/>
> >         <AttributeValue>access-subject</AttributeValue>
> >     </SubjectMatch>
> >     <SubjectMatch MatchId="string-equal">
> >         <SubjectAttributeDesignator AttributeId="attrA"/>
> >         <AttributeValue>a1</AttributeValue>
> >     </SubjectMatch>
> > </SubjectAttributeDesignator>
> >
> > This designator will match both subjects.
> >
> > Does it make sense? Should we remove recursion in
> > subject-attribute-designator, so that subject-match does not refer to
> > subject-attribute-designator again?
>
> Aren't the <SubjectMatches> supposed to be OR'ed, and the recursive
> "where" semantics are "AND"?
>
> The above says to me give me the value of the attrB attribute from the
> subject that matches an (string-equal subject-category of access-subject)
> OR (string-equal attrA of a1).
>
> Whereas:
>
> <SubjectAttributeDesignator AttributeId="attrB">
>     <SubjectMatch MatchId="string-equal">
>         <SubjectAttributeDesignator AttributeId="subject-category">
>             <SubjectMatch MatchId="string-equal">
>                 <SubjectAttributeDesignator AttributeId="attrA"/>
>                 <AttributeValue>a1</AttributeValue>
>             </SubjectMatch>
>         </SubjectAttributeDesignator>
>         <AttributeValue>access-subject</AttributeValue>
>     </SubjectMatch>
> </SubjectAttributeDesignator>
>
> means give me the value of the attrB attribute from THE subject that
> matches an (string-equal subject-category of access-subject)  AND
> (string-equal attrA of a1).
>
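As an added illustration (not part of the thread, and not XACML reference code), here is a small evaluator for the Target shape Simon proposes, implementing the stated semantics: the <SubjectMatch> children of one <Subject> are 'and'-ed, and sibling <Subject> elements are 'or'-ed. The sample Target and the request attributes are constructed; only MatchId="string-equal" is handled, and an empty <Subject> is rejected rather than silently matching every subject (an assumption of this example).

```python
import xml.etree.ElementTree as ET

# Constructed sample target in the proposed shape (no <Subjects> wrapper).
TARGET_XML = """
<Target>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="attrA"/>
      <AttributeValue>a1</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrB"/>
      <AttributeValue>b1</AttributeValue>
    </SubjectMatch>
  </Subject>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrC"/>
      <AttributeValue>c1</AttributeValue>
    </SubjectMatch>
  </Subject>
</Target>
"""


def match_one(match, subject_attrs):
    """Evaluate one <SubjectMatch>: 1 attribute designator against 1 value."""
    if match.get("MatchId") != "string-equal":
        raise ValueError("unsupported MatchId: %r" % match.get("MatchId"))
    attr_id = match.find("AttributeDesignator").get("AttributeId")
    wanted = match.find("AttributeValue").text
    # A designator for an attribute the subject does not carry simply fails.
    return subject_attrs.get(attr_id) == wanted


def subject_matches(subject, subject_attrs):
    """'and' over the <SubjectMatch> children of one <Subject>."""
    matches = subject.findall("SubjectMatch")
    if not matches:
        # all([]) would be True, i.e. a policy that matches everyone; refuse it.
        raise ValueError("<Subject> with no <SubjectMatch> children")
    return all(match_one(m, subject_attrs) for m in matches)


def target_matches(target_xml, subject_attrs):
    """'or' over the <Subject> elements of the <Target>."""
    target = ET.fromstring(target_xml)
    return any(subject_matches(s, subject_attrs) for s in target.findall("Subject"))
```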