OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-dev] Multiple Subjects in a single request

Hi Seth
I have one more question on multiple subjects:
Let say i have two subjects (1 and 2) in a request. In my policy there is
a single "read" rule that should check different attributes from each
subject attribute sets. How am I going to express in the rule definition
that attr1 AND attr2 from subject1 and subject2 must be present?

Can I use rule combining functions inside of a rule. or should I define
two seperate rules to check two subject attributes
I appreciate any clarification
Thanks and have a good weekend

> Hi Mine.
> On May 23, 2005, at 10:04 PM, Mine Altunay wrote:
>> [...]
>> I could not find any additional info about subject-category attributes
>> in
>> the spec. where can I geta detailed description?
> FYI, the term "attribute" here refers to XML attributes, not XACML
> attributes. So...
>> How can I get more information about how to define policies with
>> subject
>> categories and multiple subjects? Does anyone has an example? Also, a
>> sample access request generated for multiple subjects would be very
>> beneficial to take a look at
> It's all pretty simple. Normally, you form a Request with only a single
> Subject. This Subject is actually implicitly defined in a default
> "subject category". When you refer to this subject using a
> SubjectAttributeDesignator, again, you're using the default category.
> These defaults are because the associated XML attributes have defaults.
> To include attriubtes for many Subjects in your Request, you do this:
>    <Request>
>      <Subject SubjectCategory="foo:bar">
>        ...
>      </Subject>
>      <Subject SubjectCategory="foo:baz">
>        ...
>      </Subject>
>      ...
> Note that you can still use the default category here (or omit the
> SubjectCategory attribute on one of the Subject elements).
> Now, in the Policy, you add the same new XML attribute:
>    <SubjectAttributeDesignator AttributeId="..."
>                                DataType="..."
>                                SubjectCategory="foo:bar"/>
> This says "retrive the Subject attributes from category foo:bar".
> Again, you can leave off the SubjectCategory attribute to reference the
> default category.
> That's about all there is. Make sense?
> seth

Mine Altunay
PhD student,
Computer Engineering Dept, NC State Univ
Phone: (919) 395 2789

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]