[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] multiple subjects clarification
All <Subject> elements WITH THE SAME SUBJECT CATEGORY are assumed to be the same entity. I.e. all "access-subject" <Subject>s are the same entity, all "codebase" <Subject>s are the same entity, etc. I don't think this is a very strong requirement, and especially for "intermediary-subject", there could certainly be more than one entity involved. Anne On 5 September, Polar Humenn writes: Re: [xacml] multiple subjects clarification > From: Polar Humenn <polar@syr.edu> > To: Anne Anderson <Anne.Anderson@sun.com> > Subject: Re: [xacml] multiple subjects clarification > Date: Thu, 5 Sep 2002 09:39:06 -0400 (EDT) > > On Thu, 5 Sep 2002, Anne Anderson wrote: > > > On 4 September, Simon Godik writes: [xacml] mulitple subjects clarification > > > Ann, I would like to get clarification for mulitple subjects semantics. > > > > > > 1. There may be more than 1 <subject> of the same category in the request context. > > > true:false > > > > True. All <Subject> elements with the same subject category are > > assumed to be the same entity, but each different <Subject> block > > may be used to encapsulate all attributes issued to that entity > > under one of its various names. > > Is it really the case that *all* subject elements are required to be the > same entity? I thought there were different principals, and in different > "types", such as "codebase", and third party principals, not to mention > intermediaries. > > -Polar > > > > > > > > 2. Sequence of <SubjectMatch>'es under //Target/Subject refers to one and only one <subject> element in the request context. > > > true:false > > > > It depends on whether the sequence of <SubjectMatch>s narrows > > down the //Target/Subject to a single <Subject> element in the > > request context. > > > > Example Context: > > > > <Subject> > > <Attribute > > AttributeId="identifier:subject:subject-id"> > > <AttributeValue > > DataType="identifier:datatype:rfc822name">jhibbert@medico.com</AttributeValue> > > </Attribute> > > <Attribute > > AttributeId="identifier:subject:role"> > > <AttributeValue>physician</AttributeValue> > > </Attribute> > > </Subject> > > <Subject> > > <Attribute > > AttributeId="identifier:subject:subject-id"> > > <AttributeValue > > DataType="identifier:datatype:x500name">cn=Julius > > Hibbert,o=Medico Corp,c=us</AttributeValue> > > </Attribute> > > <Attribute > > AttributeId="identifier:subject:role"> > > <AttributeValue>physician</AttributeValue> > > </Attribute> > > </Subject> > > > > Now the following <Target>: > > > > <Target> > > <Subjects> > > <Subject> > > <SubjectMatch > > MatchId="function:string-match"> > > <SubjectAttributeDesignator > > AttributeId="identifier:subject:role" > > DataType="xs:string"/> > > <AttributeValue > > DataType="xs:string">physician</AttributeValue> > > </SubjectMatch> > > </Subject> > > </Subjects> > > ... > > </Target> > > > > will match both the above context <Subject> elements. > > > > Is this a problem? > > > > > 3. If subject-match is satisfied by some <subject> element in the request context, does it mean that > > > subject-designator in the condition portion of the rule must be satisfied with the same <subject> element? > > > > No. I don't see why it should. And I don't see any problems if > > it does. > > > > Anne > > -- > > Anne H. Anderson Email: Anne.Anderson@Sun.COM > > Sun Microsystems Laboratories > > 1 Network Drive,UBUR02-311 Tel: 781/442-0928 > > Burlington, MA 01803-0902 USA Fax: 781/442-1692 > > > > > > ---------------------------------------------------------------- > > To subscribe or unsubscribe from this elist use the subscription > > manager: <http://lists.oasis-open.org/ob/adm.pl> > > > > -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC