OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: Re: [xacml] subjects (fwd)



I think the answer to your question, is that Multiple Subject matches must
match any subject and they are not related to each other. That is one
SubjectMatch has nothing to do with the subjects matched in another.

The SubjectMatch with a SubjectAttributeDesignator matches on a restricted
set of subjects.

On Mon, 4 Nov 2002, Anne Anderson wrote:

> I need a clarification:
>
>   In a <Target>, we currently allow one or more SubjectMatch
>   elements, each of which contains a MatchId, a
>   SubjectAttributeDesignator/AttributeSelector and an
>   AttributeValue.
>
>   Under your proposal, I think "Example" below is a valid
>   <Target>, meaning: there must be at least one <Subject> element
>   in the Request where all of the following are true:
>
>     by first SubjectMatch:
>      the xxx AttributeId has a value of "ghi"
>      the yyy AttributeId has a value of "abc"
>      the zzz AttributeId has a value of "def"
>     by second SubjectMatch:
>      the aaa AttributeId has a value of "qrs"
>      the bbb AttributeId has a value of "jkl"
>      the ccc Attributeid has a value of "mno"
>
>   What do we gain over having multiple <SubjectMatch> elements,
>   each with a single AttributeDesignator and value to be matched?
>
>   Example:
>
>   <Target>
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="...:string-equal">
>           <SubjectAttributeDesignator AttributeId="xxx"
>                                       MustBePresent="false"
>             <SubjectQualifier AttributeId="yyy"
>                               MustBePresent="true"
>                               MatchId="...:string-equal">
>               <AttributeValue DataType="...:string">abc</AttributeValue>
>             </SubjectQualifier>
>             <SubjectQualifier AttributeId="zzz"
>                               MustBePresent="true"
>                               MatchId="...:string-equal">
>               <AttributeValue DataType="...:string">def</AttributeValue>
>             </SubjectQualifier>
>           <AttributeValue DataType="...:string:>ghi</AttributeValue>
>         </SubjectMatch>
>         <SubjectMatch MatchId="...:string-equal">
>           <SubjectAttributeDesignator AttributeId="aaa"
>                                       MustBePresent="false"
>             <SubjectQualifier AttributeId="bbb"
>                               MustBePresent="true"
>                               MatchId="...:string-equal">
>               <AttributeValue DataType="...:string">jkl</AttributeValue>
>             </SubjectQualifier>
>             <SubjectQualifier AttributeId="ccc"
>                               MustBePresent="true"
>                               MatchId="...:string-equal">
>               <AttributeValue DataType="...:string">mno</AttributeValue>
>             </SubjectQualifier>
>           <AttributeValue DataType="...:string:>qrs</AttributeValue>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC