xacml-dev message

Subject: Re: [xacml-dev] Multiple Subjects in a single request

From: "Mine Altunay" <maltuna@ncsu.edu>
To: "Seth Proctor" <Seth.Proctor@sun.com>
Date: Fri, 27 May 2005 16:19:39 -0400 (EDT)

Hi Seth
I have one more question on multiple subjects:
Let say i have two subjects (1 and 2) in a request. In my policy there is
a single "read" rule that should check different attributes from each
subject attribute sets. How am I going to express in the rule definition
that attr1 AND attr2 from subject1 and subject2 must be present?

Can I use rule combining functions inside of a rule. or should I define
two seperate rules to check two subject attributes
I appreciate any clarification
Thanks and have a good weekend
...Mine:)



>
> Hi Mine.
>
> On May 23, 2005, at 10:04 PM, Mine Altunay wrote:
>> [...]
>> I could not find any additional info about subject-category attributes
>> in
>> the spec. where can I geta detailed description?
>
> FYI, the term "attribute" here refers to XML attributes, not XACML
> attributes. So...
>
>> How can I get more information about how to define policies with
>> subject
>> categories and multiple subjects? Does anyone has an example? Also, a
>> sample access request generated for multiple subjects would be very
>> beneficial to take a look at
>
> It's all pretty simple. Normally, you form a Request with only a single
> Subject. This Subject is actually implicitly defined in a default
> "subject category". When you refer to this subject using a
> SubjectAttributeDesignator, again, you're using the default category.
> These defaults are because the associated XML attributes have defaults.
>
> To include attriubtes for many Subjects in your Request, you do this:
>
>    <Request>
>      <Subject SubjectCategory="foo:bar">
>        ...
>      </Subject>
>      <Subject SubjectCategory="foo:baz">
>        ...
>      </Subject>
>      ...
> Note that you can still use the default category here (or omit the
> SubjectCategory attribute on one of the Subject elements).
>
> Now, in the Policy, you add the same new XML attribute:
>
>    <SubjectAttributeDesignator AttributeId="..."
>                                DataType="..."
>                                SubjectCategory="foo:bar"/>
>
> This says "retrive the Subject attributes from category foo:bar".
> Again, you can leave off the SubjectCategory attribute to reference the
> default category.
>
> That's about all there is. Make sense?
>
>
> seth
>
>


-- 
Mine Altunay
PhD student,
Computer Engineering Dept, NC State Univ
Phone: (919) 395 2789
E-Mail:maltuna@ncsu.edu

Follow-Ups:
- Re: [xacml-dev] Multiple Subjects in a single request
  - From: Seth Proctor <Seth.Proctor@sun.com>

References:
- RE: [xacml-dev] Conformance Tests for V2
  - From: "Kuketayev, Argyn \(Contractor\)" <argyn_kuketayev@fanniemae.com>
- Re: [xacml-dev] Conformance Tests for V2
  - From: Seth Proctor <Seth.Proctor@sun.com>
- Multiple Subjects in a single request
  - From: "Mine Altunay" <maltuna@ncsu.edu>
- Re: [xacml-dev] Multiple Subjects in a single request
  - From: Seth Proctor <Seth.Proctor@sun.com>