OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml-comment] Multiple Request Subject elements

Hi Wes,

In a sense, a policy, policy set, or rule match subjects. Subjects do
not match policies.

In a target, each match is a boolean function. At the base level, i.e.
within <Subject> element they are combined as a conjunctive sequence (i.e.
AND) on the same particular subject in the request context. If one of the
subjects matches the whole criteria, then you have a match, and the
boolean is effectively true. Being the the <Subject> element forms a
boolean predicate itself, the <Subjects> element forms a boolean function
as a disjunctive sequence (i.e. OR) of <Subject> predicates.

How do you think this would lead to problems with security. Which


On Mon, 16 Dec 2002, Wes Kubo wrote:

> >From reading the spec I'm unclear as to whether every Subject (if more than
> one is specified) in the request must have a match in the policy (Target or
> Rule/Target) for the Target to be applicable in terms of the Subject. It was
> my gut feeling that the answer is yes, but looking at test IIB028 would lead
> my to believe otherwise. It seems to me that this could lead to problems
> with security. Can anyone shed some light on this issue?
> Thanks for your time.
> Wes
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC