OASIS Mailing List Archives

 



xacml message



Subject: Re: Fwd: Fwd: [xacml] Multiple subjects in XACML


We debated how complex to make the multiple subjects feature, and 
decided that supporting multiple categories was complex enough, and not 
to try to support multiple distinct instances of a single category.  If 
someone really wants to distinguish instances, the work-around is to 
create a distinct category for each instance: intermediate-subject-1, 
intermediate-subject-2, etc.

This should work in the generalization to attribute groupings with 
arbitrary identifiers.

Regards,
Anne

Erik Rissanen wrote on 02/19/07 11:48:
> Argyn wrote:
>>>>---------- Forwarded message ----------
>>>>From: Argyn <jawabean@gmail.com>
>>>>Date: Feb 19, 2007 10:44 AM
>>>>Subject: Re: [xacml] Multiple subjects in XACML
>>>>To: Erik Rissanen <mirty@sics.se>
>>>>
>>>>
>>>>On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
>>>>
>>>>>Hal raised the concern that this is a bug in 2.0, since there could for
>>>>>instance be multiple intermediate subjects, and this was a use case
>>>>>which 2.0 should handle.
>>>>>
>>>>>I wasn't a member of the TC when 2.0 was designed, so I don't know if it
>>>>>is a bug or a feature, but if it is a bug, it's a major one. If the
>>>>>multiple subjects are really considered to be distinct subjects, there
>>>>>are still no mechanisms by which policies can refer to them in a
>>>>>meaningful manner. If an attribute designator is used to fetch
>>>>>attributes from the request, it would mix up the attributes from
>>>>>different distinct subjects. This is the same problem which we had with
>>>>>multiple distinct IndirectDelegates, which is the reason I introduced
>>>>>the MultipleCondition, which could be used to constrain distinct
>>>>>indirect delegates.
>>>>
>>>>we discussed it with Seth once. it looked strange to me when I first
>>>>read it. as far as I know XACML implementations support this feature
>>>>as it is written.
>>>>
>>>>argyn
>>>
>>>When you mean "support this feature as it is written", do you mean that
>>>multiple subjects with the same subject category are not treated as
>>>distinct subjects by implementations?
>>>
>>>Sorry, but I am just a bit confused by the "support" and "written",
>>>since my interpretation of the writing is that distinct subjects with
>>>equal categories are not supported. ;-)
>>
>>
>>my fault, I wasn't clear enough.
>>
>>If they have the same category, they are treated as the same thing. so
>>i simply unite the set of attributes of different subjects, if they
>>have the same category. i really don't understand why it is like that
>>in the spec, honestly, but that's what i implemented. as far as i know,
>>others do the same. i may even have a conformance test for this
>>feature, not sure though
>>
>>argyn
> 
> 
> Ok, so it seems to be like I thought. If this is also how it was
> intended in 2.0, then it would not clash with a generalization of the
> multiple resources profile.
> 
> Regards,
> Erik
> 
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
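The attribute mix-up Erik describes, and the per-instance-category work-around Anne proposes, modelled as an added example that is not code from this thread or from any XACML implementation. It assumes the union semantics Argyn reports (every Subject element carrying the same SubjectCategory is treated as one subject, so their attribute bags are merged). The request is constructed for the example; the context namespace, the subject-id attribute and the access-subject and intermediary-subject categories are the real XACML 2.0 identifiers, while the role attribute id and the intermediate-subject-1/-2 category URNs are hypothetical.

```python
"""Model of XACML 2.0 SubjectAttributeDesignator resolution over a Request.

Added example, not code from the thread or any XACML implementation. It
assumes the behaviour Argyn reports: every <Subject> that carries the same
SubjectCategory is treated as one subject, so attribute bags are unioned.
"""
import xml.etree.ElementTree as ET

# Real XACML 2.0 identifiers.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACCESS = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"

# Hypothetical identifiers (constructed for this example): a role attribute and
# the per-instance categories of the work-around suggested in the thread.
ROLE = "urn:example:attribute:role"
INTERMEDIARY_1 = "urn:example:subject-category:intermediate-subject-1"
INTERMEDIARY_2 = "urn:example:subject-category:intermediate-subject-2"


def _subject_xml(category, subject_id, role):
    """One <Subject> element with a subject-id and a role attribute."""
    return (
        f'<Subject SubjectCategory="{category}">'
        f'<Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}">'
        f'<AttributeValue>{subject_id}</AttributeValue></Attribute>'
        f'<Attribute AttributeId="{ROLE}" DataType="{XS_STRING}">'
        f'<AttributeValue>{role}</AttributeValue></Attribute>'
        f'</Subject>'
    )


def build_request(intermediaries):
    """Constructed XACML 2.0 Request: the access-subject "alice" plus one
    <Subject> per (category, subject-id, role) tuple in `intermediaries`."""
    subjects = _subject_xml(ACCESS, "alice", "customer")
    subjects += "".join(_subject_xml(c, s, r) for c, s, r in intermediaries)
    return (f'<Request xmlns="{CTX}">{subjects}'
            "<Resource/><Action/><Environment/></Request>")


def designator(request_xml, category, attribute_id):
    """SubjectAttributeDesignator: the bag of values of `attribute_id` taken
    from every <Subject> whose SubjectCategory equals `category`.  With two
    Subjects in the same category the bags are unioned, so the link between
    a value and the subject that carried it is lost."""
    root = ET.fromstring(request_xml)
    bag = []
    for subj in root.findall(f"{{{CTX}}}Subject"):
        # XACML 2.0 defaults a missing SubjectCategory to access-subject.
        if subj.get("SubjectCategory", ACCESS) != category:
            continue
        for attr in subj.findall(f"{{{CTX}}}Attribute"):
            if attr.get("AttributeId") == attribute_id:
                bag.extend(v.text for v in attr.findall(f"{{{CTX}}}AttributeValue"))
    return bag


def intermediary_holds_role(request_xml, category, subject_id, role):
    """A policy condition meant to say "the intermediary `subject_id` has
    `role`".  Designators only yield one bag per attribute, so this is two
    independent membership tests and cannot tie the role to the subject."""
    return (subject_id in designator(request_xml, category, SUBJECT_ID)
            and role in designator(request_xml, category, ROLE))


if __name__ == "__main__":
    shared = build_request([(INTERMEDIARY, "gateway", "proxy"),
                            (INTERMEDIARY, "broker", "auditor")])
    print("shared category, role bag:", designator(shared, INTERMEDIARY, ROLE))
    print("gateway treated as auditor?",
          intermediary_holds_role(shared, INTERMEDIARY, "gateway", "auditor"))
    split = build_request([(INTERMEDIARY_1, "gateway", "proxy"),
                           (INTERMEDIARY_2, "broker", "auditor")])
    print("per-instance category, gateway treated as auditor?",
          intermediary_holds_role(split, INTERMEDIARY_1, "gateway", "auditor"))
```

With both intermediaries in the shared intermediary-subject category, the role bag comes back as `["proxy", "auditor"]` and the condition for "gateway holds auditor" passes even though only "broker" carries that role. Once each instance is placed in its own category, as the thread's work-around suggests, the same condition against intermediate-subject-1 correctly fails, because each designator now sees a single subject's attributes.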

