Subject: Re: [xacml-dev] Evaluation of multiple subjects and resources
On May 25, 2005, at 9:28 PM, argyn wrote:

> I've been reading the spec and it seems that:
> 1. when there's more than one resource in the request, then
> there'll be a result in the response for each resource, i.e. more
> than one result

That's about right. A request for multiple Resources results in one or more Results in the Response. In the 1.x specifications the only way to request access to multiple resources was to use the Hierarchical Resource feature. In 2.0 you can simply have multiple Resources in the Request.

> 2. subjects are handled strangely. all attribute values from all
> subjects are combined in one bag per subject category. it's weird
> to my taste.

I'm not quite sure what you're describing here. You differentiate the Subjects using category identifiers. Within each category, you can have as many uniquely identified attributes as you like. These are not lumped into a single bag unless all attributes have the same identifier. Can you explain what exactly seems weird to you here?

FYI, there was a recent email from Mine on this list (I think) a few days ago where I responded and gave a simple example of how multiple Subjects and categories work. If you missed it, you should check out that email for details.

> what i don't understand is what happens if some subjects match, and
> some don't. in the above example, suppose, S1 and S2 have different
> subject categories. how does that rule evaluate? since S2 doesn't
> have the right name, it doesn't match. does it mean that rule
> doesn't evaluate?

Multiple Subjects work the same as with a single Subject, just you need to specify categories in the Request and in your designators. The logic doesn't change, nor does applicability. Even if you have attributes with the same identifier in the two categories, they're still distinct. I'm not sure I understand what your problem is with this scenario.

seth
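The category-scoped lookup described in the message above, as an added illustration that is not part of the original email or of any XACML implementation: a small Python model that indexes a XACML 2.0 request by subject category and resolves designators against one category at a time. The request, the `urn:example:attr:role` attribute id, and the helper names `subject_bags`, `designator` and `name_matches` are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
ACCESS = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:example:attr:role"  # constructed attribute id, not from the spec
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request: two Subjects in different categories, both with subject-id.
REQUEST = f"""<Request xmlns="{CTX}">
  <Subject SubjectCategory="{ACCESS}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}"><AttributeValue>alice</AttributeValue></Attribute>
    <Attribute AttributeId="{ROLE}" DataType="{STRING}"><AttributeValue>doctor</AttributeValue></Attribute>
    <Attribute AttributeId="{ROLE}" DataType="{STRING}"><AttributeValue>researcher</AttributeValue></Attribute>
  </Subject>
  <Subject SubjectCategory="{INTERMEDIARY}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}"><AttributeValue>proxy-7</AttributeValue></Attribute>
  </Subject>
</Request>"""

def subject_bags(request_xml):
    """Index subject attribute values by (category, AttributeId, DataType)."""
    bags = defaultdict(list)
    for subj in ET.fromstring(request_xml).findall(f"{{{CTX}}}Subject"):
        # SubjectCategory is optional; when absent it defaults to access-subject.
        cat = subj.get("SubjectCategory", ACCESS)
        for attr in subj.findall(f"{{{CTX}}}Attribute"):
            key = (cat, attr.get("AttributeId"), attr.get("DataType"))
            bags[key] += [v.text for v in attr.findall(f"{{{CTX}}}AttributeValue")]
    return bags

def designator(bags, attribute_id, category=ACCESS, data_type=STRING):
    """Model of a SubjectAttributeDesignator: the bag comes from one category only."""
    return sorted(bags.get((category, attribute_id, data_type), []))

def name_matches(bags, wanted, category):
    """Model of a string-equal match on subject-id, scoped to a single category."""
    return wanted in designator(bags, SUBJECT_ID, category)

if __name__ == "__main__":
    bags = subject_bags(REQUEST)
    print(designator(bags, SUBJECT_ID))                # access-subject only
    print(designator(bags, SUBJECT_ID, INTERMEDIARY))  # intermediary-subject only
    print(designator(bags, ROLE))                      # same id in one category: one bag
```

A match written against the access-subject category never sees the intermediary's `subject-id`, so a policy author has to name the category in every designator whose decision depends on which party holds the attribute.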