Re: [xacml] subjects

[Simon Godik <simon@godik.com>]

> I think a better more workable solution would be to make the subjects
> (i.e. lists of attributes) unique to the category, and use the present
> SubjectAttributeDesignator (with the SubjectCategory part)  and get rid of
> the SubjectAttributeDesignatorWhere. That's simple and I think everybody
> can get their brains wrapped around that.

+1
I would support an option of unique subject category, keeping current
subj-attr-desig
and getting rid of subj-attr-desig-where, delaying it to 1.1 or 2.0

Simon

----- Original Message -----
From: "Polar Humenn" <polar@syr.edu>
To: "Simon Godik" <simon@godik.com>
Cc: <xacml@lists.oasis-open.org>
Sent: Monday, November 04, 2002 5:28 PM
Subject: Re: [xacml] subjects


> On Mon, 4 Nov 2002, Simon Godik wrote:
>
> > We have an open issue with subject designators that we want to solve
asap.
> > There is a proposal from Polar, but I think it is too complicated for
quick adoption.
> >
> > My proposal:
> > a) Quick solution to vote on thrs: Keep current
subject-attribute-designator element
> > with subject-category attribute and use it in the target and apply
elements. Drop
> > subject-attr-desig-where. I think it will cover 95% of all cases.
>
> I wouldn't mind this, except for having multiple subjects for a category!
> It just balls everything up. I cannot tell which subject my attributes are
> comming from. That really bothers me.
>
> I think we have screwed this whole thing up with multiple subjects
> requirement and not understanding the ramifications of the queries on
> them.
>
> In my latest proposal, I've added complex attributes to the elements to
> pop up indeterminates in the case where you get multiple subjects matched.
> I don't really like that solution. But I made the analogous IsPresent
> operator use another attribute so that it returns false if the Qualifiers
> select more than one subject. This also complicates the SubjectMatch in
> that it has to throw an indeterminate when the designator qualifies
> multiple subjects. Yuck! I hate it.
>
> > b) Work out alternative proposal and delay voting until it is resolved
>
> I think a better more workable solution would be to make the subjects
> (i.e. lists of attributes) unique to the category, and use the present
> SubjectAttributeDesignator (with the SubjectCategory part)  and get rid of
> the SubjectAttributeDesignatorWhere. That's simple and I think everybody
> can get their brains wrapped around that.
>
> I think this approach will solve 95% of the simple cases as well. And
> let's wait to 1.1 or 2.0 to get multiple subjects down. It's already bad
> enough with multiple subject categories. Geeezzz!
>
> Cheers,
> -Polar
>
> > Simon
> >
> >
>
>
>
>