Subject: Re: [xacml] multiple subjects clarification


On 4 September, Simon Godik writes: [xacml] multiple subjects clarification
 > Ann, I would like to get clarification for multiple subjects semantics.
 > 
 > 1. There may be more than 1 <subject> of the same category in the request context.
 > true:false

True.  All <Subject> elements with the same subject category are
assumed to be the same entity, but each different <Subject> block
may be used to encapsulate all attributes issued to that entity
under one of its various names.

 > 2. Sequence of <SubjectMatch>'es under //Target/Subject refers to one and only one <subject> element in the request context.
 > true:false

It depends on whether the sequence of <SubjectMatch>s narrows
down the //Target/Subject to a single <Subject> element in the
request context.

Example Context:

  <Subject>
      <Attribute
            AttributeId="identifier:subject:subject-id">
          <AttributeValue
                DataType="identifier:datatype:rfc822name">jhibbert@medico.com</AttributeValue>
      </Attribute>
      <Attribute
            AttributeId="identifier:subject:role">
          <AttributeValue>physician</AttributeValue>
      </Attribute>
  </Subject>
  <Subject>
      <Attribute
            AttributeId="identifier:subject:subject-id">
          <AttributeValue
                DataType="identifier:datatype:x500name">cn=Julius Hibbert,o=Medico Corp,c=us</AttributeValue>
      </Attribute>
      <Attribute
            AttributeId="identifier:subject:role">
          <AttributeValue>physician</AttributeValue>
      </Attribute>
  </Subject>

Now the following <Target>:

  <Target>
      <Subjects>
          <Subject>
              <SubjectMatch
                    MatchId="function:string-match">
                  <SubjectAttributeDesignator
                        AttributeId="identifier:subject:role"
                        DataType="xs:string"/>
                  <AttributeValue
                        DataType="xs:string">physician</AttributeValue>
              </SubjectMatch>
          </Subject>
      </Subjects>
      ...
  </Target>

will match both the above context <Subject> elements.

Is this a problem?

 > 3. If subject-match is satisfied by some <subject> element in the request context, does it mean that
 > subject-designator in the condition portion of the rule must be satisfied with the same <subject> element?

No.  I don't see why it should.  And I don't see any problems if
it does.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
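An added example, not part of Anne's message or of any XACML implementation: a toy matcher that evaluates a <Target>/<Subjects> block against the two-<Subject> request context quoted above, returning which context <Subject> elements it matches. Element and attribute names follow the fragments in the thread; only the "function:string-match" function is handled, and the Target that adds a subject-id match is my own construction to show the narrowing Anne describes.

```python
# Added example (not from the thread): toy matcher for the semantics Anne describes.
import xml.etree.ElementTree as ET
SUBJ_ID, ROLE = "identifier:subject:subject-id", "identifier:subject:role"
# Constructed request context: the two <Subject> blocks quoted in the message.
CONTEXT = f"""<Request><Subject>
  <Attribute AttributeId="{SUBJ_ID}"><AttributeValue>jhibbert@medico.com</AttributeValue></Attribute>
  <Attribute AttributeId="{ROLE}"><AttributeValue>physician</AttributeValue></Attribute>
</Subject><Subject>
  <Attribute AttributeId="{SUBJ_ID}"><AttributeValue>cn=Julius Hibbert,o=Medico Corp,c=us</AttributeValue></Attribute>
  <Attribute AttributeId="{ROLE}"><AttributeValue>physician</AttributeValue></Attribute>
</Subject></Request>"""

def subject_match_xml(attr_id, value):
    """One <SubjectMatch> using the string-match function quoted in the thread."""
    return (f'<SubjectMatch MatchId="function:string-match">'
            f'<SubjectAttributeDesignator AttributeId="{attr_id}" DataType="xs:string"/>'
            f'<AttributeValue DataType="xs:string">{value}</AttributeValue></SubjectMatch>')

def target_xml(*matches):
    return "<Target><Subjects><Subject>%s</Subject></Subjects></Target>" % "".join(matches)

def subject_bags(context_xml):
    """One {AttributeId: [values]} bag per <Subject> element in the request context."""
    bags = []
    for subj in ET.fromstring(context_xml).findall("Subject"):
        bag = {}
        for attr in subj.findall("Attribute"):
            bag.setdefault(attr.get("AttributeId"), []).extend(v.text for v in attr.findall("AttributeValue"))
        bags.append(bag)
    return bags

def subject_matches(target_subject, bag):
    """True only if every <SubjectMatch> finds its value in this one subject's bag."""
    for m in target_subject.findall("SubjectMatch"):
        assert m.get("MatchId") == "function:string-match", "only string-match handled"
        attr_id = m.find("SubjectAttributeDesignator").get("AttributeId")
        if m.find("AttributeValue").text not in bag.get(attr_id, []):
            return False
    return True

def matching_subjects(target, context_xml=CONTEXT):
    """Indices of context <Subject> elements satisfied by any <Subjects>/<Subject>."""
    tgt = ET.fromstring(target).findall("Subjects/Subject")
    return [i for i, bag in enumerate(subject_bags(context_xml))
            if any(subject_matches(ts, bag) for ts in tgt)]

ROLE_ONLY = target_xml(subject_match_xml(ROLE, "physician"))  # Anne's Target: both match
NARROWED = target_xml(subject_match_xml(ROLE, "physician"),   # adding a subject-id match
                      subject_match_xml(SUBJ_ID, "jhibbert@medico.com"))  # narrows to one
```

With only the role match, both context <Subject> blocks satisfy the Target; adding the rfc822name subject-id match narrows it to the first block alone.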


