Subject: Re: [xacml] subjects (fwd)
I think the answer to your question is that Multiple Subject matches must match any subject and they are not related to each other. That is, one SubjectMatch has nothing to do with the subjects matched in another. The SubjectMatch with a SubjectAttributeDesignator matches on a restricted set of subjects.

On Mon, 4 Nov 2002, Anne Anderson wrote:

> I need a clarification:
>
> In a <Target>, we currently allow one or more SubjectMatch
> elements, each of which contains a MatchId, a
> SubjectAttributeDesignator/AttributeSelector and an
> AttributeValue.
>
> Under your proposal, I think "Example" below is a valid
> <Target>, meaning: there must be at least one <Subject> element
> in the Request where all of the following are true:
>
>   by first SubjectMatch:
>     the xxx AttributeId has a value of "ghi"
>     the yyy AttributeId has a value of "abc"
>     the zzz AttributeId has a value of "def"
>   by second SubjectMatch:
>     the aaa AttributeId has a value of "qrs"
>     the bbb AttributeId has a value of "jkl"
>     the ccc AttributeId has a value of "mno"
>
> What do we gain over having multiple <SubjectMatch> elements,
> each with a single AttributeDesignator and value to be matched?
>
> Example:
>
> <Target>
>   <Subjects>
>     <Subject>
>       <SubjectMatch MatchId="...:string-equal">
>         <SubjectAttributeDesignator AttributeId="xxx"
>             MustBePresent="false"
>           <SubjectQualifier AttributeId="yyy"
>               MustBePresent="true"
>               MatchId="...:string-equal">
>             <AttributeValue DataType="...:string">abc</AttributeValue>
>           </SubjectQualifier>
>           <SubjectQualifier AttributeId="zzz"
>               MustBePresent="true"
>               MatchId="...:string-equal">
>             <AttributeValue DataType="...:string">def</AttributeValue>
>           </SubjectQualifier>
>         <AttributeValue DataType="...:string">ghi</AttributeValue>
>       </SubjectMatch>
>       <SubjectMatch MatchId="...:string-equal">
>         <SubjectAttributeDesignator AttributeId="aaa"
>             MustBePresent="false"
>           <SubjectQualifier AttributeId="bbb"
>               MustBePresent="true"
>               MatchId="...:string-equal">
>             <AttributeValue DataType="...:string">jkl</AttributeValue>
>           </SubjectQualifier>
>           <SubjectQualifier AttributeId="ccc"
>               MustBePresent="true"
>               MatchId="...:string-equal">
>             <AttributeValue DataType="...:string">mno</AttributeValue>
>           </SubjectQualifier>
>         <AttributeValue DataType="...:string">qrs</AttributeValue>
>       </SubjectMatch>
>     </Subject>
>   </Subjects>
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311   Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
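The two readings discussed in this thread give different results once a request carries more than one subject. The following is an added example, not part of the original messages and not taken from the XACML specification or any implementation. The dictionary layout, the function names, single-valued attributes, and treating a missing attribute as "no match" are all assumptions made for illustration.

```python
# Constructed model of the "Example" <Target> quoted above: each SubjectMatch has
# one designated attribute/value plus SubjectQualifier attribute/value pairs.
EXAMPLE_TARGET = [
    {"attr": "xxx", "value": "ghi", "qualifiers": {"yyy": "abc", "zzz": "def"}},
    {"attr": "aaa", "value": "qrs", "qualifiers": {"bbb": "jkl", "ccc": "mno"}},
]

def match_on_subject(match, subject):
    """string-equal on the qualifiers and the designated attribute of ONE subject."""
    # Qualifiers restrict which subjects this SubjectMatch may consider.
    if any(subject.get(k) != v for k, v in match["qualifiers"].items()):
        return False
    return subject.get(match["attr"]) == match["value"]

def independent_matches(target, subjects):
    """Reading in the reply: each SubjectMatch may be satisfied by any subject."""
    return all(any(match_on_subject(m, s) for s in subjects) for m in target)

def same_subject_matches(target, subjects):
    """Reading in the quoted question: one subject satisfies every SubjectMatch."""
    return any(all(match_on_subject(m, s) for m in target) for s in subjects)

# Constructed requests, each a list of <Subject> attribute sets.
SPLIT = [  # the two groups of attributes sit on two different subjects
    {"xxx": "ghi", "yyy": "abc", "zzz": "def"},
    {"aaa": "qrs", "bbb": "jkl", "ccc": "mno"},
]
COMBINED = [  # a single subject holds all six attributes
    {"xxx": "ghi", "yyy": "abc", "zzz": "def",
     "aaa": "qrs", "bbb": "jkl", "ccc": "mno"},
]
QUALIFIER_ELSEWHERE = [  # zzz sits on a different subject than xxx and yyy
    {"xxx": "ghi", "yyy": "abc"},
    {"zzz": "def", "aaa": "qrs", "bbb": "jkl", "ccc": "mno"},
]

if __name__ == "__main__":
    for name, req in [("split", SPLIT), ("combined", COMBINED),
                      ("qualifier elsewhere", QUALIFIER_ELSEWHERE)]:
        print(f"{name:20} independent={independent_matches(EXAMPLE_TARGET, req)} "
              f"same-subject={same_subject_matches(EXAMPLE_TARGET, req)}")
```

Only the split request separates the two readings: under independent matching the target applies even though no single subject holds both groups of attributes, which is the case a policy author has to decide about deliberately.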