xacml-users message



Subject: Re: [xacml-users] Combining <AttributeMatch>'s



Hi shiv,

If this is a condition that both subjects should be present in order to
perform an action, then I think the best place would be to put them in the
condition rather than in the subject of the target, i.e.:

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
  <SubjectAttributeDesignator AttributeId="subject1">
  ..................
  <SubjectAttributeDesignator AttributeId="subject2">
  ..................
</Condition>

This is what I have understood from your mail; maybe I am wrong. If wrong,
please correct me.

cheers
Muhammad.

----- Original Message ----- 
From: "Shiv Kaushal" <shiv@hep.man.ac.uk>
To: <xacml-users@lists.oasis-open.org>
Sent: Thursday, November 25, 2004 5:42 PM
Subject: [xacml-users] Combining <AttributeMatch>'s


> Hi all,
>
> I am new to this list and (as is likely with most newbies) I have a
> question for all you XACML experts out there. Here is a quick example of
> an ACL rule I have with the guts removed:
>
> <Rule RuleId="SomeRule" Effect="Permit">
>  <Target>
>    <Subjects>
>      <Subject>
>        <SubjectMatch>
>         ......
>        </SubjectMatch>
>      </Subject>
>      <Subject>
>        <SubjectMatch>
>         ......
>        </SubjectMatch>
>      </Subject>
>    </Subjects>
>    <Actions>
>      <Action>
>        <ActionMatch>
>           ......
>        </ActionMatch>
>      </Action>
>      <Action>
>        <ActionMatch>
>           ......
>        </ActionMatch>
>      </Action>
>    </Actions>
>  </Target>
> </Rule>
>
>
> My question is this:
>
> I gather that the above rule will allow either of the subjects to perform
> either of the actions (correct me if I am wrong). How would I alter this
> such that the request would have to match BOTH of the <Subject> tags to
> perform either of the actions (i.e. a logical AND on the two conditions)?
> An example would be that it would have to be a particular user from a
> particular IP address to be able to read and write to a particular
> file/directory.
>
> Any help greatly appreciated.
>
> Cheers,
>
> Shiv
>
> -- 
>
> *****************************************
> * Shiv Kaushal                          *
> * High Energy Physics                   *
> * Department of Physics and Astronomy   *
> * The University of Manchester          *
> * Manchester                            *
> * M13 9PL                               *
> *                                       *
> * Tel: 00 44 (0) 161 275 4223           *
> * http://www.hep.man.ac.uk/u/shiv/      *
> *****************************************
> 
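
The target semantics behind the question, as an added example that is not part of the original thread: in XACML the <Subject> elements inside <Subjects> are alternatives (OR), while several <SubjectMatch> elements inside one <Subject> must all match (AND). The Python below evaluates a simplified, namespace-free target that supports only string-equal; the attribute ids "user" and "ip", the sample values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

def match_xml(attr_id, value):
    """Build one simplified <SubjectMatch> (DataType and namespaces omitted)."""
    return (f'<SubjectMatch MatchId="{STRING_EQUAL}">'
            f'<AttributeValue>{value}</AttributeValue>'
            f'<SubjectAttributeDesignator AttributeId="{attr_id}"/>'
            f'</SubjectMatch>')

# Constructed sample matches; "user" and "ip" are hypothetical attribute ids.
USER = match_xml("user", "alice")
IP = match_xml("ip", "192.0.2.10")

# Shape of the rule in the question: two <Subject> elements, one match each.
OR_TARGET = f"<Subjects><Subject>{USER}</Subject><Subject>{IP}</Subject></Subjects>"
# Both matches moved into a single <Subject>: the request must satisfy both.
AND_TARGET = f"<Subjects><Subject>{USER}{IP}</Subject></Subjects>"

def subject_match(match, request):
    """True if the literal equals any value in the request's attribute bag."""
    wanted = match.findtext("AttributeValue")
    attr_id = match.find("SubjectAttributeDesignator").get("AttributeId")
    return wanted in request.get(attr_id, [])

def subjects_match(target_xml, request):
    """OR over <Subject> elements, AND over the <SubjectMatch> in each one."""
    root = ET.fromstring(target_xml)
    return any(
        all(subject_match(m, request) for m in subject.findall("SubjectMatch"))
        for subject in root.findall("Subject")
    )

# Constructed requests: right user from the right address, and from another one.
BOTH = {"user": ["alice"], "ip": ["192.0.2.10"]}
USER_ONLY = {"user": ["alice"], "ip": ["198.51.100.7"]}

if __name__ == "__main__":
    for name, target in (("OR", OR_TARGET), ("AND", AND_TARGET)):
        print(name, subjects_match(target, BOTH), subjects_match(target, USER_ONLY))
```

A <Condition> using the and function, as the reply describes, expresses the same conjunction at the rule level instead of in the target.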


