[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] need clarification on Target Matching in XACMLv2.0
hao chen schrieb:

>> In case 1, there is one <Subject> with two <SubjectMatch>es. For a
>> <Subject> to match, _all_ <SubjectMatches> have to match.
>
> On page 88 of XACML spec v2.0, it says: The absence of matching
> attributes in the request context for any of the attribute
> designators or selectors that are found in the policy SHALL result in
> a <Decision> element containing the "Indeterminate" value.
>
> So, if the PDP gets a request which has a subject with only 1 attribute as
> &role:account manager, the PDP should return Indeterminate with
> required attribute &department. Is that correct?

I think I misinterpreted your first question. I thought the "department" was another role. But you clearly wrote that the department is an attribute of its own. That is, the request is:

    Subject: role = "account manager"

And the policy states:

    Subject.role == "account manager"
    Subject.department == "customer service"

I think the answer depends on the MustBePresent attribute of the <SubjectAttributeDesignator> for the department:

    MustBePresent="true"  => Indeterminate
    MustBePresent="false" => NotApplicable

(See 7.2.5 for details. The section you cited only applies in the case where MustBePresent=="false", which isn't obvious at all. In XACML 3.0, the wording of the section (7.15.3) has been clarified.)

Roland
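The following is an added example, not code from the thread or from any XACML implementation. It models the XACML 2.0 <Target> evaluation tables (section 7.6: a <Subject> is a conjunction of its <SubjectMatch>es, <Subjects> is a disjunction of its <Subject>s) together with the MustBePresent rule of 7.2.5, and runs the thread's request (role only, no department) against a constructed <Target> with the two <SubjectMatch>es. The attribute identifiers, the policy fragment and the request are assumptions made up for the example; only the <Subjects> part of the target and the string-equal match function are modelled, Resources/Actions/Environments are treated as matching.

```python
"""Model of XACML 2.0 <Target> matching (spec 7.6 tables + MustBePresent rule
of 7.2.5), written to reproduce the case discussed in the thread.
Added example; not from the thread or from any real PDP."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"p": XACML_NS}
MATCH, NO_MATCH, INDETERMINATE = "Match", "No match", "Indeterminate"

# Attribute identifiers are assumptions for this example, not from the thread.
ROLE = "urn:example:attr:role"
DEPARTMENT = "urn:example:attr:department"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed <Target>: ONE <Subject> holding TWO <SubjectMatch>es, so both must
# match. {mbp} is filled in with the MustBePresent value under test.
TARGET_XML = f"""<Target xmlns="{XACML_NS}">
  <Subjects><Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{STRING}">account manager</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STRING}"/>
    </SubjectMatch>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="{STRING}">customer service</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{DEPARTMENT}" DataType="{STRING}"
                                  MustBePresent="{{mbp}}"/>
    </SubjectMatch>
  </Subject></Subjects>
</Target>"""

# Only string-equal is modelled; real PDPs support the full 7.x function set.
MATCH_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
}


def eval_subject_match(sm, subject_attrs):
    """One <SubjectMatch>: apply MatchId to the literal and every value of the
    designator's bag. An empty bag is 'No match', unless the designator has
    MustBePresent="true", in which case 7.2.5 makes it Indeterminate."""
    literal = sm.find("p:AttributeValue", NS).text
    designator = sm.find("p:SubjectAttributeDesignator", NS)
    bag = subject_attrs.get(designator.get("AttributeId"), [])   # absent attr -> empty bag
    if not bag:
        must_be_present = designator.get("MustBePresent", "false") == "true"
        return INDETERMINATE if must_be_present else NO_MATCH
    fn = MATCH_FUNCTIONS[sm.get("MatchId")]
    return MATCH if any(fn(literal, v) for v in bag) else NO_MATCH


def conjunction(results):
    """<Subject>/<Target> rule: all Match -> Match; any No match -> No match;
    otherwise Indeterminate."""
    if all(r == MATCH for r in results):
        return MATCH
    if NO_MATCH in results:
        return NO_MATCH
    return INDETERMINATE


def disjunction(results):
    """<Subjects> rule: any Match -> Match; all No match -> No match;
    otherwise Indeterminate."""
    if MATCH in results:
        return MATCH
    if all(r == NO_MATCH for r in results):
        return NO_MATCH
    return INDETERMINATE


def eval_target(target, subject_attrs):
    subjects = target.find("p:Subjects", NS)
    if subjects is None:                 # no <Subjects> element matches any subject
        return MATCH
    per_subject = [
        conjunction([eval_subject_match(sm, subject_attrs)
                     for sm in subj.findall("p:SubjectMatch", NS)])
        for subj in subjects.findall("p:Subject", NS)
    ]
    # Resources/Actions/Environments are not modelled here and count as Match.
    return conjunction([disjunction(per_subject)])


def decision(must_be_present, subject_attrs):
    """What the PDP reports from the target alone: a non-matching target gives
    NotApplicable, an Indeterminate target gives Indeterminate; on Match the
    policy's rules would be evaluated next (returned here as "Match")."""
    target = ET.fromstring(TARGET_XML.format(mbp="true" if must_be_present else "false"))
    result = eval_target(target, subject_attrs)
    return {NO_MATCH: "NotApplicable", INDETERMINATE: "Indeterminate", MATCH: "Match"}[result]


if __name__ == "__main__":
    request = {ROLE: ["account manager"]}   # the thread's request: role only, no department
    print("MustBePresent=true :", decision(True, request))
    print("MustBePresent=false:", decision(False, request))
```

Running it shows the two outcomes Roland lists: with MustBePresent="true" the missing department attribute makes the second <SubjectMatch> Indeterminate and the whole target Indeterminate; with the default "false" the empty bag is simply "No match", so the policy is NotApplicable. A request whose role does not match at all is NotApplicable in either case, because a "No match" on one <SubjectMatch> takes precedence over an Indeterminate on another.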