OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-dev] Evaluation of multiple subjects and resources

Kuketayev, Argyn (Contractor) wrote:

>All my policies had exactly one subject and resource in the request.
>Now, I'm working on multiple subjects and resources per request, and a
>little confused as to the evaluation rules.
>Suppose, I have S1 and S2 subjects in my request with name attributes
>"the One" and "The Other", and there's a rule in the policy which says
>that "name" attribute of a subject must be "The One".
>Does this request match the policy's target? S1 matches, but S2 doesn't.
>What should be the result?
>The same question on multiple resources in target.
I've been reading the spec and it seems that:
1. when there's more than one resource in the request, then there'll be 
a result in the response for each resource, i.ee more than one result

2. subjects are handled strangely. all attribute values from all 
subjects are combined in one bag per subject category. it's weird to my 

what i dont understand is what happens if some subjects match, and some 
don't. in the above example, suppose, S1 and S2 have different subject 
categories. how does that rule evaluate? since S2 doesn't have the right 
name, it doesn't match. soes it mean that rule doesn't evaluate?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]