[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml-comment] RE: XACML questions ...
Gene - I'll pass your questions on to the XACML comment list, in order to ensure that they get recorded and addressed, and that any lack of clarity is corrected.
Basically, attributes of subjects, resources and actions (but not environment) may appear in a policy's target. A policy is applicable to a request if at least one of its subject matches is true AND at least one of its resource matches is true AND at least on of its action matches is true. AttributeSelector may be used in any of these match types. In the case of a subject match, for instance, the "context" node for the XPath expression is xacml-context/Subject. And similarly for the other types.
On the other hand, AttributeSelector may also be used in an Apply element to define an argument to an expression. In this case, the "context" node for the XPath expression is the whole xacml:context. So, it can select any attribute of any entity (subject, resource, action or environment), but it has to explicitly indicate which type of entity is intended.
Hope this helps. All the best. Tim.
Powered by eList eXpress LLC