Subject: Re: [xacml] multiple subjects clarification
On Thu, 5 Sep 2002, Anne Anderson wrote:

> On 4 September, Simon Godik writes: [xacml] multiple subjects clarification
> > Ann, I would like to get clarification for multiple subjects semantics.
> >
> > 1. There may be more than 1 <subject> of the same category in the request context.
> > true:false
>
> True.  All <Subject> elements with the same subject category are
> assumed to be the same entity, but each different <Subject> block
> may be used to encapsulate all attributes issued to that entity
> under one of its various names.

Is it really the case that *all* subject elements are required to be the
same entity? I thought there were different principals, and in different
"types", such as "codebase", and third party principals, not to mention
intermediaries.

-Polar

>
> > 2. Sequence of <SubjectMatch>'es under //Target/Subject refers to one and only one <subject> element in the request context.
> > true:false
>
> It depends on whether the sequence of <SubjectMatch>s narrows
> down the //Target/Subject to a single <Subject> element in the
> request context.
>
> Example Context:
>
> <Subject>
>   <Attribute
>       AttributeId="identifier:subject:subject-id">
>     <AttributeValue
>         DataType="identifier:datatype:rfc822name">jhibbert@medico.com</AttributeValue>
>   </Attribute>
>   <Attribute
>       AttributeId="identifier:subject:role">
>     <AttributeValue>physician</AttributeValue>
>   </Attribute>
> </Subject>
> <Subject>
>   <Attribute
>       AttributeId="identifier:subject:subject-id">
>     <AttributeValue
>         DataType="identifier:datatype:x500name">cn=Julius Hibbert,o=Medico Corp,c=us</AttributeValue>
>   </Attribute>
>   <Attribute
>       AttributeId="identifier:subject:role">
>     <AttributeValue>physician</AttributeValue>
>   </Attribute>
> </Subject>
>
> Now the following <Target>:
>
> <Target>
>   <Subjects>
>     <Subject>
>       <SubjectMatch
>           MatchId="function:string-match">
>         <SubjectAttributeDesignator
>             AttributeId="identifier:subject:role"
>             DataType="xs:string"/>
>         <AttributeValue
>             DataType="xs:string">physician</AttributeValue>
>       </SubjectMatch>
>     </Subject>
>   </Subjects>
>   ...
> </Target>
>
> will match both the above context <Subject> elements.
>
> Is this a problem?
>
> > 3. If subject-match is satisfied by some <subject> element in the request context, does it mean that
> > subject-designator in the condition portion of the rule must be satisfied with the same <subject> element?
>
> No.  I don't see why it should.  And I don't see any problems if
> it does.
>
> Anne
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
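
The matching behaviour discussed in points 2 and 3 of the quoted message, as an added example that is not part of the original thread and is not the XACML specification's evaluation algorithm. It assumes plain string equality in place of function:string-match; the `<Request>` wrapper and the function names `subject_attrs`, `matching_subjects` and `designator_bag` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Request context from the thread; the <Request> wrapper is constructed.
CONTEXT = """<Request>
 <Subject>
  <Attribute AttributeId="identifier:subject:subject-id">
   <AttributeValue DataType="identifier:datatype:rfc822name">jhibbert@medico.com</AttributeValue>
  </Attribute>
  <Attribute AttributeId="identifier:subject:role">
   <AttributeValue>physician</AttributeValue>
  </Attribute>
 </Subject>
 <Subject>
  <Attribute AttributeId="identifier:subject:subject-id">
   <AttributeValue DataType="identifier:datatype:x500name">cn=Julius Hibbert,o=Medico Corp,c=us</AttributeValue>
  </Attribute>
  <Attribute AttributeId="identifier:subject:role">
   <AttributeValue>physician</AttributeValue>
  </Attribute>
 </Subject>
</Request>"""

ROLE = "identifier:subject:role"
SUBJECT_ID = "identifier:subject:subject-id"

def subject_attrs(subject):
    """Collect one context <Subject> as {AttributeId: [values]}."""
    attrs = {}
    for attr in subject.findall("Attribute"):
        values = [v.text for v in attr.findall("AttributeValue")]
        attrs.setdefault(attr.get("AttributeId"), []).extend(values)
    return attrs

def matching_subjects(context_xml, matches):
    """Indexes of context <Subject> elements satisfying every (AttributeId,
    value) pair of one //Target/Subject sequence (equality is an assumption)."""
    subjects = ET.fromstring(context_xml).findall("Subject")
    return [i for i, s in enumerate(subjects)
            if all(val in subject_attrs(s).get(aid, []) for aid, val in matches)]

def designator_bag(context_xml, attribute_id):
    """Values a designator sees when it is not tied to the matched <Subject>."""
    subjects = ET.fromstring(context_xml).findall("Subject")
    return [v for s in subjects for v in subject_attrs(s).get(attribute_id, [])]

if __name__ == "__main__":
    print(matching_subjects(CONTEXT, [(ROLE, "physician")]))
    print(matching_subjects(CONTEXT, [(SUBJECT_ID, "jhibbert@medico.com")]))
    print(designator_bag(CONTEXT, SUBJECT_ID))
```

A role-only match selects both `<Subject>` blocks, a match on the rfc822 name narrows to one, and a designator that is not bound to the matched block still returns the names from both.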