[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml-comment] Target merging and matching
|
Hi,
I am trying to understand how the Target is
computed and how the computed Target is then matched. It is difficult to
understand the intentions of the spec when combining targets. Is it that
the rules must have similar Targets if an overall Target is to be
computed.
The issue can be summed up in the following
example.
I have a rule set of two rules. One applies
to a subject with the role Nurse, the other applies to a subject with the
role Doctor. So I have:
RuleSet
Rule (Rule1)
Target
Subjects
role=nurse
Rule (Rule2)
Target
Subjects
role=doctor
If this is legal then there would be an overall
target of:
Target
Subjects
role=nurse
Subjects
role=doctorThe question now is how do I match this
target. There as been some discussion around the fact that multiple
Subjects should be ANDed, this clearly does not work here. One possibility
is to OR when referring to the same attribute. That would work here but
not if Rule2 had a second Subject. e.g.
Rule (Rule2)
Target
Subjects
role=doctor
Subjects
otherAttr=otherValueIf this is legal then there would be
an overall target of:
Target
Subjects
role=nurse
Subjects
role=doctor
Subjects otherAttr=otherValueThis obviously is impossible to match
against. Is this a problem of having rules with differing targets, if it
is then I can live with that. It is a bit inflexible and it seems to
suggest the overall target computing does not give a big advantage in processing
time. The alternative would appear to be to offer a list
of Subjects, or something similar, so multiple targets could be
generated and evaluated. e.g.
Target
Subjects
Subject
role=nurse
Subjects
Subject
role=doctor
Subject
otherAttr=otherValueJohn
Howard. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC