xacml-users message



Subject: Re: [xacml-users] need clarification on Target Matching in XACMLv2.0


hao chen wrote:
>> In case 1, there is one <Subject> with two <SubjectMatch>es. For a 
>> <Subject> to match, _all_ <SubjectMatches> have to match.
> 
> In page 88 of XACML spec v2.0, it says: The absence of matching
> attributes in the request context for any of the attribute
> designators or selectors that are found in the policy SHALL result in
> a <Decision> element containing the "Indeterminate" value.
> 
> So, if the PDP gets a request which has a subject with only 1 attribute as
> &role:account manager, the PDP should return Indeterminate with
> required attribute &department. Is that correct?

I think I misinterpreted your first question. I thought the "department"
was another role. But you clearly wrote that the department is an
attribute of its own. That is, the request is:

Subject:
    role = "account manager"

And the policy states:
    Subject.role == "account manager"
    Subject.department == "customer service"

I think the answer depends on the MustBePresent attribute of the
<SubjectAttributeDesignator> for the department:

    MustBePresent="true" => Indeterminate
    MustBePresent="false" => NotApplicable

(See 7.2.5 for details. The section you cited only applies in the case
where MustBePresent=="false", which isn't obvious at all. In XACML 3.0,
the wording of the section (7.15.3) has been clarified.)

Roland

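As an added illustration (my own example, not code from the thread or from any XACML implementation), here is a small Python model of XACML 2.0 target matching for the request and policy discussed above. It assumes string-equal as the match function and that the rule Permits once the target matches; everything else is the AND/OR combination of SubjectMatch and Subject results with the MustBePresent behaviour of the designator.

```python
from dataclasses import dataclass

MATCH, NO_MATCH, INDETERMINATE = "Match", "No match", "Indeterminate"  # target tri-state

@dataclass(frozen=True)
class SubjectMatch:
    """One <SubjectMatch>: string-equal between a designator and a literal."""
    attribute_id: str
    value: str
    must_be_present: bool = False  # MustBePresent on the designator

def attribute_designator(subject, attribute_id, must_be_present):
    """<SubjectAttributeDesignator>: bag of request values for the attribute.
    Missing attribute -> empty bag, or Indeterminate if MustBePresent="true"."""
    bag = subject.get(attribute_id, [])
    return INDETERMINATE if (not bag and must_be_present) else bag

def evaluate_subject_match(subject, m):
    bag = attribute_designator(subject, m.attribute_id, m.must_be_present)
    if bag == INDETERMINATE:
        return INDETERMINATE
    # The match function is applied to every bag member; one True is enough.
    return MATCH if any(v == m.value for v in bag) else NO_MATCH

def evaluate_subject(subject, matches):
    """<Subject>: all SubjectMatches must match (AND); one No match wins over
    Indeterminate, so a wrong role alone yields No match even if department is missing."""
    results = [evaluate_subject_match(subject, m) for m in matches]
    if all(r == MATCH for r in results):
        return MATCH
    return NO_MATCH if NO_MATCH in results else INDETERMINATE

def evaluate_subjects(subject, subjects):
    """<Subjects>: any one <Subject> matching is enough (OR)."""
    results = [evaluate_subject(subject, s) for s in subjects]
    if MATCH in results:
        return MATCH
    return INDETERMINATE if INDETERMINATE in results else NO_MATCH

def decide(subject, subjects):
    """Target result -> <Decision>; Permit is assumed when the target matches."""
    outcome = evaluate_subjects(subject, subjects)
    return {MATCH: "Permit", NO_MATCH: "NotApplicable", INDETERMINATE: "Indeterminate"}[outcome]

def thread_policy(must_be_present):
    """The thread's policy (constructed): one <Subject>, two <SubjectMatch>es."""
    return [[SubjectMatch("role", "account manager"),
             SubjectMatch("department", "customer service", must_be_present)]]

# Constructed request from the thread: the subject carries only a role.
REQUEST = {"role": ["account manager"]}
```

Running `decide(REQUEST, thread_policy(True))` gives Indeterminate and `decide(REQUEST, thread_policy(False))` gives NotApplicable, which is the distinction Roland draws above.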
