Subject: Re: [xacml-dev] Multiple Subjects in a single request
Hi Seth,

I have one more question on multiple subjects:

Let's say I have two subjects (1 and 2) in a request. In my policy there is a single "read" rule that should check different attributes from each subject's attribute set. How am I going to express in the rule definition that attr1 AND attr2 from subject1 and subject2 must be present? Can I use rule combining functions inside of a rule, or should I define two separate rules to check two subject attributes?

I appreciate any clarification.
Thanks and have a good weekend
...Mine:)

>
> Hi Mine.
>
> On May 23, 2005, at 10:04 PM, Mine Altunay wrote:
>> [...]
>> I could not find any additional info about subject-category attributes
>> in the spec. Where can I get a detailed description?
>
> FYI, the term "attribute" here refers to XML attributes, not XACML
> attributes. So...
>
>> How can I get more information about how to define policies with
>> subject categories and multiple subjects? Does anyone have an example?
>> Also, a sample access request generated for multiple subjects would be
>> very beneficial to take a look at.
>
> It's all pretty simple. Normally, you form a Request with only a single
> Subject. This Subject is actually implicitly defined in a default
> "subject category". When you refer to this subject using a
> SubjectAttributeDesignator, again, you're using the default category.
> These defaults are because the associated XML attributes have defaults.
>
> To include attributes for many Subjects in your Request, you do this:
>
>   <Request>
>     <Subject SubjectCategory="foo:bar">
>       ...
>     </Subject>
>     <Subject SubjectCategory="foo:baz">
>       ...
>     </Subject>
>     ...
>
> Note that you can still use the default category here (or omit the
> SubjectCategory attribute on one of the Subject elements).
>
> Now, in the Policy, you add the same new XML attribute:
>
>   <SubjectAttributeDesignator AttributeId="..."
>                               DataType="..."
>                               SubjectCategory="foo:bar"/>
>
> This says "retrieve the Subject attributes from category foo:bar".
> Again, you can leave off the SubjectCategory attribute to reference the
> default category.
>
> That's about all there is. Make sense?
>
>
> seth
>
>

--
Mine Altunay
PhD student, Computer Engineering Dept, NC State Univ
Phone: (919) 395 2789
E-Mail: maltuna@ncsu.edu
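Added example, not part of the original thread and not code from any XACML implementation: a Python model of the per-category lookup described above, showing that an attribute only counts when it arrives under the subject category the designator names. The request, the attribute IDs `example:attr1` and `example:attr2`, and the helper names are constructed for illustration; the default category URN is the one defined by the XACML specification.

```python
import xml.etree.ElementTree as ET

# Category the XACML spec assigns when SubjectCategory is omitted.
DEFAULT_CATEGORY = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Constructed sample request: one subject in the default category, one in foo:bar.
REQUEST = """
<Request>
  <Subject>
    <Attribute AttributeId="example:attr1" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>staff</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="foo:bar">
    <Attribute AttributeId="example:attr2" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>lab-7</AttributeValue>
    </Attribute>
  </Subject>
</Request>
"""

def local(tag):
    """Drop an XML namespace prefix such as '{urn:...}Subject'."""
    return tag.rsplit("}", 1)[-1]

def subject_bag(request_xml, attribute_id, category=DEFAULT_CATEGORY):
    """Hypothetical stand-in for a SubjectAttributeDesignator: return the bag
    of values for attribute_id, reading only Subjects in the given category."""
    bag = []
    for subject in ET.fromstring(request_xml):
        if local(subject.tag) != "Subject":
            continue
        # A Subject without the XML attribute belongs to the default category.
        if subject.get("SubjectCategory", DEFAULT_CATEGORY) != category:
            continue
        for attr in subject:
            if local(attr.tag) == "Attribute" and attr.get("AttributeId") == attribute_id:
                bag.extend((v.text or "").strip() for v in attr
                           if local(v.tag) == "AttributeValue")
    return bag

def both_present(request_xml, required):
    """AND over (attribute_id, category) pairs: every bag must be non-empty."""
    return all(subject_bag(request_xml, a, c) for a, c in required)

if __name__ == "__main__":
    wanted = [("example:attr1", DEFAULT_CATEGORY), ("example:attr2", "foo:bar")]
    print(both_present(REQUEST, wanted))
```

An attribute supplied under the wrong subject yields an empty bag, so a presence check written this way cannot be satisfied by moving `example:attr2` into the default-category Subject.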