Subject: Re: [xacml-dev] Evaluation of multiple subjects and resources
Kuketayev, Argyn (Contractor) wrote:

>All my policies had exactly one subject and resource in the request.
>
>Now, I'm working on multiple subjects and resources per request, and a
>little confused as to the evaluation rules.
>
>Suppose, I have S1 and S2 subjects in my request with name attributes
>"the One" and "The Other", and there's a rule in the policy which says
>that "name" attribute of a subject must be "The One".
>
>Does this request match the policy's target? S1 matches, but S2 doesn't.
>What should be the result?
>
>The same question on multiple resources in target.

I've been reading the spec and it seems that:

1. When there's more than one resource in the request, then there'll be a result in the response for each resource, i.e. more than one result.
2. Subjects are handled strangely. All attribute values from all subjects are combined in one bag per subject category. It's weird to my taste.

What I don't understand is what happens if some subjects match, and some don't. In the above example, suppose S1 and S2 have different subject categories. How does that rule evaluate? Since S2 doesn't have the right name, it doesn't match. Does it mean that rule doesn't evaluate?

argyn
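The per-category bag behaviour described in the message above, as an added Python sketch that is not part of the original post or of any XACML implementation. It assumes the XACML 2.0 rules that a subject match is true when at least one value in the designated bag matches, and that a subject or designator without an explicit category falls back to access-subject; the dictionary request format, `build_bags` and `subject_match` are hypothetical names made up for the illustration.

```python
from collections import defaultdict

# Standard XACML subject-category identifiers.
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"

def build_bags(subjects):
    """Merge the attribute values of all subjects into one bag per
    (subject category, attribute id). Which subject a value came from is lost."""
    bags = defaultdict(list)
    for subject in subjects:
        category = subject.get("category", ACCESS_SUBJECT)  # assumed default
        for attr_id, values in subject["attributes"].items():
            bags[(category, attr_id)].extend(values)
    return bags

def subject_match(bags, attr_id, expected, category=ACCESS_SUBJECT):
    """Assumed match rule: true if ANY value in the designated bag equals
    `expected` (case-sensitive, like string-equal). An empty bag never matches."""
    return any(value == expected for value in bags.get((category, attr_id), []))

# Constructed requests modelled on the thread's S1/S2 example.
SAME_CATEGORY = [
    {"attributes": {"name": ["The One"]}},    # S1
    {"attributes": {"name": ["The Other"]}},  # S2
]
DIFFERENT_CATEGORIES = [
    {"category": ACCESS_SUBJECT, "attributes": {"name": ["The One"]}},    # S1
    {"category": INTERMEDIARY, "attributes": {"name": ["The Other"]}},    # S2
]

def evaluate_examples():
    """Evaluate the rule 'name must be "The One"' against both requests."""
    same = build_bags(SAME_CATEGORY)
    diff = build_bags(DIFFERENT_CATEGORIES)
    return {
        # One bag holds both names; S1's value satisfies the match.
        "same_category": subject_match(same, "name", "The One"),
        # Only the access-subject bag is consulted; S2 is not looked at.
        "diff_access": subject_match(diff, "name", "The One"),
        # A designator that names the intermediary category sees only S2.
        "diff_intermediary": subject_match(diff, "name", "The One", INTERMEDIARY),
        # Comparison is case-sensitive: "the One" is a different value.
        "wrong_case": subject_match(same, "name", "the One"),
    }

if __name__ == "__main__":
    for case, matched in evaluate_examples().items():
        print(f"{case}: {matched}")
```

Under these assumptions a non-matching S2 does not cancel S1's match: it only matters when the rule's designator points at S2's category.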