Subject: RE: [xacml] A problem with the Target
Side note: we really should name those new elements to be <MatchAnd> and <MatchOr>. We are cryptic as-is.

Also - in your example, I am not sure of the intended semantics: OR(AND(Match1, Match2)) - what is the outer OR for? Should not we OR the subject matches there?

Could we just introduce <MatchOr> element, have all top level matches to be implicitly conjunctive, and allow mixing of attribute categories inside the disjunctive <MatchOr>? So your example would be

    <Target>
      <MatchOr>
        <Match ..category access-subject </...>
        <Match .. category intermediate-subject </..>
      </MatchOr>
      <Match .. category resource>
      <Match .. category action>
    </Target>

There is no need for a conjunctive match element here, and no need for an arbitrary depth Boolean logic - such a target can be efficiently flattened, and it is equivalent to a 2.0 target.

Daniel.

-----Original Message-----
From: Erik Rissanen [mailto:mirty@sics.se]
Sent: Tuesday, February 20, 2007 5:15 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] A problem with the Target

All,

We had a discussion earlier about the generalization of the Target. We decided that we will not allow mixing of different attribute categories within the same ConjunctiveMatch since this makes indexing more difficult.

This is a no-no:

    <Target>
      <DisjunctiveMatch>
        <ConjunctiveMatch>
          <Match MatchId="string-equal">
            <AttributeValue DataType="string">Alice</AttributeValue>
            <AttributeDesignator Category="access-subject" AttributeId="subject-id" DataType="string"/>
          </Match>
          <Match MatchId="string-equal">
            <AttributeValue DataType="string">proxy1</AttributeValue>
            <AttributeDesignator Category="intermediate-subject" AttributeId="subject-id" DataType="string"/>
          </Match>
        </ConjunctiveMatch>
      </DisjunctiveMatch>
    </Target>

However, this was possible with subject categories in 2.0. So we are no longer backwards compatible with 2.0. I have no idea how to fix this, besides to allow mixing of categories in a ConjunctiveMatch.

Regards,
Erik
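
Added example, not part of either message and not code from the XACML TC: a small Python model of the target form proposed in the reply (top-level matches implicitly ANDed, a <MatchOr> that may mix categories), evaluated directly and again after flattening into a plain OR of ANDs. The Match tuple, the function names and the resource/action values are assumptions made for illustration; only string-equal matching is modelled.

```python
from collections import namedtuple
from itertools import product

# Hypothetical model: one string-equal match on (category, attribute id, value).
Match = namedtuple("Match", "category attribute_id value")

def holds(match, request):
    """string-equal against the request's bag of values for that attribute."""
    return match.value in request.get((match.category, match.attribute_id), set())

def evaluate(target, request):
    """Top-level items are ANDed; a list item stands for <MatchOr> (any member)."""
    return all(
        any(holds(m, request) for m in item) if isinstance(item, list)
        else holds(item, request)
        for item in target
    )

def flatten(target):
    """One conjunction per way of picking a single member from each <MatchOr>."""
    choices = [item if isinstance(item, list) else [item] for item in target]
    return [list(combo) for combo in product(*choices)]

def evaluate_flat(conjunctions, request):
    """Evaluate the flattened form: OR over conjunctions, AND inside each."""
    return any(all(holds(m, request) for m in c) for c in conjunctions)

# Subject values come from the thread; resource and action values are constructed.
TARGET = [
    [Match("access-subject", "subject-id", "Alice"),
     Match("intermediate-subject", "subject-id", "proxy1")],
    Match("resource", "resource-id", "doc1"),
    Match("action", "action-id", "read"),
]

def request(subject, proxy, resource, action):
    """Build a constructed request context as {(category, id): {values}}."""
    return {("access-subject", "subject-id"): {subject},
            ("intermediate-subject", "subject-id"): {proxy},
            ("resource", "resource-id"): {resource},
            ("action", "action-id"): {action}}

if __name__ == "__main__":
    for args in [("Alice", "proxy9", "doc1", "read"), ("Bob", "proxy1", "doc1", "read"),
                 ("Bob", "proxy9", "doc1", "read"), ("Alice", "proxy1", "doc1", "write")]:
        r = request(*args)
        print(args, evaluate(TARGET, r), evaluate_flat(flatten(TARGET), r))
```

With one <MatchOr> of two members the flattened form has two conjunctions of three matches each; the count grows as the product of the <MatchOr> sizes, which is worth keeping in mind when indexing on the flattened form.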