Subject: Re: [xacml-users] How to build a PDP request of a subject with multiple roles
hao chen wrote:

> Hi,
>
> I am using XACML to conduct role based access control (RBAC profile of XACML v2). I have a subject who has more than one role, such as Account Manager role and Customer Rep role. I try to submit a PDP request to ask if the subject can do account update. The resource is account; the action is update. Actually, the Account Manager role is allowed to do the account update; but Customer Rep role is not. How could I build the PDP request in XACML for a subject with more than one role?
>
> Is the following right?
>
> <Subject>
>   <Attribute AttributeId="&subject;role-id"
>              DataType="&xml;anyURI">
>     <AttributeValue>Account Manager</AttributeValue>
>   </Attribute>
>   <Attribute AttributeId="&subject;role-id"
>              DataType="&xml;anyURI">
>     <AttributeValue>Customer Rep</AttributeValue>
>   </Attribute>
> </Subject>

Intuitively, I would say no, but I couldn't find a paragraph in the specification saying that. So my current guess is "yes", but it's just a guess. Since XACML supports multi-valued attributes, the following is a little simpler and should be equivalent:

<Subject>
  <Attribute AttributeId="&subject;role-id" DataType="&xml;anyURI">
    <AttributeValue>Account Manager</AttributeValue>
    <AttributeValue>Customer Rep</AttributeValue>
  </Attribute>
</Subject>

Roland
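The two request forms discussed in this message can be compared by collecting the attribute values into bags, as in this added example (not part of the original message or of any XACML implementation). It assumes a PDP groups values that share AttributeId, DataType and Issuer into one bag; `SUBJECT_PREFIX` is a placeholder for the `&subject;` entity, whose expansion the message does not give.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed expansions of the message's entities; SUBJECT_PREFIX is a placeholder.
SUBJECT_PREFIX = "urn:example:subject:"           # stands in for &subject;
XSD_PREFIX = "http://www.w3.org/2001/XMLSchema#"  # stands in for &xml;
ATTR = f'AttributeId="{SUBJECT_PREFIX}role-id" DataType="{XSD_PREFIX}anyURI"'

# Constructed inputs mirroring the two <Subject> forms in the message.
SEPARATE = f"""<Subject>
  <Attribute {ATTR}><AttributeValue>Account Manager</AttributeValue></Attribute>
  <Attribute {ATTR}><AttributeValue>Customer Rep</AttributeValue></Attribute>
</Subject>"""

MULTI = f"""<Subject>
  <Attribute {ATTR}>
    <AttributeValue>Account Manager</AttributeValue>
    <AttributeValue>Customer Rep</AttributeValue>
  </Attribute>
</Subject>"""

def local(tag):
    """Drop an XML namespace prefix such as '{urn:...}Attribute'."""
    return tag.rsplit("}", 1)[-1]

def attribute_bags(subject_xml):
    """Return {(AttributeId, DataType, Issuer): Counter of values}."""
    bags = {}
    for attr in ET.fromstring(subject_xml).iter():
        if local(attr.tag) != "Attribute":
            continue
        key = (attr.get("AttributeId"), attr.get("DataType"), attr.get("Issuer"))
        bag = bags.setdefault(key, Counter())
        for val in attr:
            if local(val.tag) == "AttributeValue":
                bag[(val.text or "").strip()] += 1
    return bags

def roles(subject_xml):
    """Sorted role values a role-id designator of type anyURI would see."""
    key = (SUBJECT_PREFIX + "role-id", XSD_PREFIX + "anyURI", None)
    return sorted(attribute_bags(subject_xml).get(key, Counter()).elements())

if __name__ == "__main__":
    print(roles(SEPARATE), roles(MULTI))
```

Under this grouping the two forms are only interchangeable when the metadata is identical: a role sent with a different DataType or Issuer ends up in a different bag and is not seen by a policy that looks up the anyURI role-id.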