xacml-comment message

Subject: Re: [xacml-comment] Attribute designators

"John Howard" <john.howard9@btinternet.com> wrote:
>I have yet to see a use for the example (Select sa.attrA such that
>sa.attrB="valB" & sa.attrC="valC").  It only seems to be of benefit
>when you want to select an attribute from an anonymous Subject block

Very common type of example:

  Select attribute "role" such that attribute "name format" == X500Name &
  attribute "name value" == "cn=Anne Anderson".

Since we need to keep attributes simple (to avoid using XPATH to search down into
structured attributes), logically connected attributes such as "name format" and
"name value" will be split across multiple attributes.  We need a way to select
subjects that have combinations of attribute values.

But there are a number of ways to accomplish this.

I think the original confusion in AttributeDesignator came because some people
did not want to use a recursive syntax for narrowing down, and so we added the
multiple "SubjectMatch" elements per Subject.  We should EITHER use multiple, non-recursive
SubjectMatch elements under a single "Subject" OR use one recursive SubjectMatch 
element under a single "Subject" (the recursive SubjectMatch may include other
SubjectMatch elements under it).

The advantage of the recursive SubjectMatch element is that it can be used in
either a Target or in a Condition.

Anne Anderson       Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA
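
Added example, not part of the original message and not XACML syntax: a Python sketch of the "role" selection described above, evaluated once with several non-recursive matches under one Subject and once with a single recursive match. The data model, the function names and the sample subjects are assumptions constructed for illustration; the last function shows what is lost if the matches are not evaluated against one subject at a time.

```python
# Added illustration; the data model and names are assumptions, not XACML syntax.
# Each subject is a flat bag: attribute name -> list of values.
SUBJECTS = [  # constructed sample request context
    {"name format": ["X500Name"], "name value": ["cn=Anne Anderson"], "role": ["editor"]},
    {"name format": ["rfc822Name"], "name value": ["anne@example.org"], "role": ["admin"]},
    {"name format": ["X500Name"], "name value": ["cn=John Howard"], "role": ["reviewer"]},
]

def match_flat(subject, matches):
    """Option 1: several non-recursive matches under one Subject, all ANDed."""
    return all(value in subject.get(attr, []) for attr, value in matches)

def match_recursive(subject, match):
    """Option 2: one match that may contain further matches beneath it."""
    attr, value, nested = match
    return value in subject.get(attr, []) and all(
        match_recursive(subject, m) for m in nested)

def select(attr, subjects, predicate):
    """Return the values of `attr` from each subject that satisfies `predicate`."""
    out = []
    for s in subjects:
        if predicate(s):
            out.extend(s.get(attr, []))
    return out

FLAT = [("name format", "X500Name"), ("name value", "cn=Anne Anderson")]
RECURSIVE = ("name format", "X500Name", [("name value", "cn=Anne Anderson", [])])

def roles_flat():
    return select("role", SUBJECTS, lambda s: match_flat(s, FLAT))

def roles_recursive():
    return select("role", SUBJECTS, lambda s: match_recursive(s, RECURSIVE))

def roles_pooled():
    """Contrast: matching against every subject's attributes merged into one
    bag loses the link between attributes that belong to the same subject."""
    pool = {}
    for s in SUBJECTS:
        for attr, values in s.items():
            pool.setdefault(attr, []).extend(values)
    return pool["role"] if match_flat(pool, FLAT) else []

if __name__ == "__main__":
    print(roles_flat(), roles_recursive(), roles_pooled())
```

Both forms select only the role of the subject that carries both attribute values; the pooled evaluation returns roles belonging to subjects that never satisfied the combination.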
