
xacml-dev message



Subject: RE: [xacml-dev] Evaluation of multiple subjects and resources


Seth

This is the place I don't understand:

If the request context contains multiple subjects with the same
SubjectCategory XML attribute, then they SHALL be treated as if they
were one categorized subject.

It's from ch 5.38 in the spec. I understand how it works, but don't get
the rationale.

Suppose there are two subjects of the same subject category, S1 with
attribute name equal to "The one" and a role equal to "Keeper", then
there's S2 with name "The one" and role "Beeper". So, if I have a target
which requires a name match "The one" and a role match "Keeper", then
according to the spec these two Subjects will be treated as one subject
with two multivalued attributes name and role. This "virtual" subject
will match the target.

Thanks,
Argyn


> -----Original Message-----
> From: Seth Proctor [mailto:Seth.Proctor@sun.com] 
> Sent: Wednesday, May 25, 2005 11:18 PM
> To: argyn
> Cc: xacml-dev@lists.oasis-open.org
> Subject: Re: [xacml-dev] Evaluation of multiple subjects and resources
> 
> 
> 
> On May 25, 2005, at 9:28 PM, argyn wrote:
> > I've been reading the spec and it seems that:
> > 1. when there's more than one resource in the request, then
> > there'll be a result in the response for each resource, i.e. more  
> > than one result
> 
> That's about right. A request for multiple Resources results in one  
> or more Results in the Response. In the 1.x specifications the only  
> way to request access to multiple resources was to use the  
> Hierarchical Resource feature. In 2.0 you can simply have multiple  
> Resources in the Request.
> 
> > 2. subjects are handled strangely. all attribute values from all
> > subjects are combined in one bag per subject category. it's weird  
> > to my taste.
> 
> I'm not quite sure what you're describing here. You differentiate the  
> Subjects using category identifiers. Within each category, you can  
> have as many uniquely identified attributes as you like. These are  
> not lumped into a single bag unless all attributes have the same  
> identifier. Can you explain what exactly seems weird to you here?
> 
> FYI, there was a recent email from Mine on this list (I think) a few  
> days ago where I responded and gave a simple example of how multiple  
> Subjects and categories work. If you missed it, you should check out  
> that email for details.
> 
> > what i don't understand is what happens if some subjects match, and
> > some don't. in the above example, suppose, S1 and S2 have different  
> > subject categories. how does that rule evaluate? since S2 doesn't  
> > have the right name, it doesn't match. does it mean that rule  
> > doesn't evaluate?
> 
> Multiple Subjects work the same as with a single Subject, just you  
> need to specify categories in the Request and in your designators.  
> The logic doesn't change, nor does applicability. Even if you have  
> attributes with the same identifier in the two categories, they're  
> still distinct. I'm not sure I understand what your problem is with  
> this scenario.
> 
> 
> seth
> 
> 
> 
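Added example, not part of the original thread or of the XACML specification: a small Python model of the merging rule discussed in this message, compared with a per-subject check. It goes beyond the thread's S1/S2 case by adding a constructed variant in which no single subject carries both values. The function names, the short category labels, plain equality matching, and the "Somebody" subject are assumptions made for illustration.

```python
from collections import defaultdict

ACCESS = "access-subject"        # stand-in label for the access-subject category
OTHER = "intermediary-subject"   # stand-in label for a second subject category

def build_bags(subjects):
    """Merge all subjects of one category into per-attribute bags of values."""
    bags = defaultdict(lambda: defaultdict(list))
    for category, attrs in subjects:
        for attr_id, value in attrs.items():
            bags[category][attr_id].append(value)
    return bags

def merged_match(subjects, category, required):
    """Merged view: each required value only has to appear in the category's bag."""
    bags = build_bags(subjects)
    return all(v in bags[category][k] for k, v in required.items())

def single_subject_match(subjects, category, required):
    """Contrast: one individual subject must carry every required value."""
    return any(cat == category and all(a.get(k) == v for k, v in required.items())
               for cat, a in subjects)

# Target from the thread: name must match "The one" AND role must match "Keeper".
TARGET = {"name": "The one", "role": "Keeper"}

# Constructed requests: the thread's S1/S2, then two hypothetical variants.
THREAD = [(ACCESS, {"name": "The one", "role": "Keeper"}),
          (ACCESS, {"name": "The one", "role": "Beeper"})]
MIXED = [(ACCESS, {"name": "Somebody", "role": "Keeper"}),
         (ACCESS, {"name": "The one", "role": "Beeper"})]
SPLIT = [(ACCESS, {"name": "Somebody", "role": "Keeper"}),
         (OTHER, {"name": "The one", "role": "Beeper"})]

if __name__ == "__main__":
    for label, req in (("thread", THREAD), ("mixed", MIXED), ("split", SPLIT)):
        print(label, merged_match(req, ACCESS, TARGET),
              single_subject_match(req, ACCESS, TARGET))
```

In the MIXED request the merged view matches even though neither subject alone has both the name and the role; placing the subjects in different categories (SPLIT) keeps their attributes distinct.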

