xacml-users message


Subject: RE: [xacml-users] Handle Multiple Users/Subjects

Note that XACML supports multiple subject categories. Depending on your needs, the users can all be access subjects or one or more can be other subject categories, such as recipient-subject, intermediary-subject, codebase or requesting-machine. In principle, you can add your own if these are not sufficient. If you do need something else, the committee would like to hear about it.




From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Tuesday, January 09, 2018 11:57 AM
To: Ludwig Seitz <ludwig.seitz@ri.se>
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Handle Multiple Users/Subjects


Hi Arno,


When you model your request, do you intend to ask:

  • Can Alice and Bob both do X? --> Permit
  • Can Alice do X? Can Bob do X? Permit, Permit
  • Can Alice who is also Bob do X? Permit

This will help us determine how you would model the authorization request and policies.




On Tue, Jan 9, 2018 at 10:40 AM, Ludwig Seitz <ludwig.seitz@ri.se> wrote:

On 2018-01-09 17:14, Arno Appenzeller wrote:


I’m researching Multi User Authorisation and decided to work on a prototype with XACML.

In the Core Spec there is a paragraph about Multiple Subjects. But if I get it right it’s more about multiple Subjects in terms of one Access-Subject which uses a program (as another subject) to access resource X.

In my research I consider the scenario where Bob and Alice are both on one system and want to access a resource.
I have several ideas of how to realise this but I’m not sure if I miss a fundamental point in XACML.

Is it supported that two access-subjects request one resource in a single request?

Best regards,


I am assuming that you are referring to XACML 3.0 in my answer, the answer might be a bit different for 2.0 (too lazy to think it through).

There is nothing in the standard to prohibit you from putting multiple access-subject attributes in the request, describing both Alice and Bob.

Note that you shouldn't put them in separate <Attributes> elements, since that would trigger the Multiple Decision Profile (if your implementation supports it).

The more tricky question is how to design the policies that handle these requests. You will probably not be able to do that with Target element alone, instead you will need to use Condition elements.

Hope this helps.


Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51




David Brossard
VP of Customer Relations

+1 312 774-9163

+1 502 922 6538
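To make the advice in the thread concrete, the following is an added example, not code from any of the posters or from the XACML specification. It builds an XACML 3.0 request that carries two subject-ids (alice and bob) inside one access-subject <Attributes> element, builds the shape Ludwig warns against (the same category repeated in two <Attributes> elements, which the Multiple Decision Profile treats as two separate decisions), and evaluates a constructed policy <Condition> of the kind he says is needed: string-subset({alice, bob}, subject-id bag), using the real XACML function identifiers. The subject, resource and action values, the policy, and the tiny evaluator (which is not a PDP, only enough to run this one Condition) are all assumptions made for the example.

```python
"""Added example: two access subjects in one XACML 3.0 request, a check for the
Multiple Decision Profile "repeated category" shape, and a toy evaluation of a
<Condition> requiring both subjects. Sample values are constructed, not real."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
FN = "urn:oasis:names:tc:xacml:1.0:function:"


def _attrs(category, attribute_id, *values):
    """One <Attributes> element holding one <Attribute> with the given values."""
    vals = "".join(f'<AttributeValue DataType="{STRING}">{v}</AttributeValue>' for v in values)
    return (f'<Attributes Category="{category}"><Attribute AttributeId="{attribute_id}" '
            f'IncludeInResult="false">{vals}</Attribute></Attributes>')


def _request(*attributes_elements):
    return (f'<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">'
            + "".join(attributes_elements) + "</Request>")


RESOURCE = _attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                  "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "resource-x")
ACTION = _attrs("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                "urn:oasis:names:tc:xacml:1.0:action:action-id", "read")

# Recommended shape: both subject-ids inside ONE access-subject <Attributes>.
REQUEST_ALICE_AND_BOB = _request(_attrs(ACCESS_SUBJECT, SUBJECT_ID, "alice", "bob"), RESOURCE, ACTION)
# Same people, but each in its own <Attributes>: a Multiple Decision Profile
# request (repeated category), i.e. two separate decisions, not one joint one.
REQUEST_REPEATED_CATEGORY = _request(_attrs(ACCESS_SUBJECT, SUBJECT_ID, "alice"),
                                     _attrs(ACCESS_SUBJECT, SUBJECT_ID, "bob"), RESOURCE, ACTION)
REQUEST_ALICE_ONLY = _request(_attrs(ACCESS_SUBJECT, SUBJECT_ID, "alice"), RESOURCE, ACTION)

# Constructed policy Condition (assumed, not from the thread): permit only when
# {alice, bob} is a subset of the subject-id bag of this single request.
CONDITION = f"""<Condition xmlns="{XACML}">
  <Apply FunctionId="{FN}string-subset">
    <Apply FunctionId="{FN}string-bag">
      <AttributeValue DataType="{STRING}">alice</AttributeValue>
      <AttributeValue DataType="{STRING}">bob</AttributeValue>
    </Apply>
    <AttributeDesignator Category="{ACCESS_SUBJECT}" AttributeId="{SUBJECT_ID}"
                         DataType="{STRING}" MustBePresent="true"/>
  </Apply>
</Condition>"""


def is_multiple_decision_request(request_xml):
    """True if any category appears in more than one <Attributes> element."""
    root = ET.fromstring(request_xml)
    cats = [a.get("Category") for a in root.findall(f"{{{XACML}}}Attributes")]
    return len(cats) != len(set(cats))


def attribute_bag(request_xml, category, attribute_id):
    """Bag of values for (category, attribute_id) across the whole request."""
    root = ET.fromstring(request_xml)
    bag = []
    for attrs in root.findall(f"{{{XACML}}}Attributes"):
        if attrs.get("Category") != category:
            continue
        for attr in attrs.findall(f"{{{XACML}}}Attribute"):
            if attr.get("AttributeId") == attribute_id:
                bag += [v.text for v in attr.findall(f"{{{XACML}}}AttributeValue")]
    return bag


# Only the two functions the sample Condition uses; values are carried as lists.
FUNCTIONS = {
    FN + "string-bag": lambda *args: [v for arg in args for v in arg],
    FN + "string-subset": lambda a, b: set(a) <= set(b),  # first arg is subset of second
}


def eval_expr(elem, request_xml):
    tag = elem.tag.split("}")[1]
    if tag == "AttributeValue":
        return [elem.text]
    if tag == "AttributeDesignator":
        bag = attribute_bag(request_xml, elem.get("Category"), elem.get("AttributeId"))
        if not bag and elem.get("MustBePresent") == "true":
            raise LookupError("Indeterminate: required attribute missing")
        return bag
    if tag in ("Apply", "Condition"):
        children = [eval_expr(c, request_xml) for c in elem]
        return children[0] if tag == "Condition" else FUNCTIONS[elem.get("FunctionId")](*children)
    raise ValueError(f"unsupported element {tag}")


def decide(request_xml):
    """Single Permit rule guarded by CONDITION; false Condition -> NotApplicable."""
    if is_multiple_decision_request(request_xml):
        raise ValueError("repeated category: this is a Multiple Decision Profile request")
    return "Permit" if eval_expr(ET.fromstring(CONDITION), request_xml) else "NotApplicable"


if __name__ == "__main__":
    print(decide(REQUEST_ALICE_AND_BOB), decide(REQUEST_ALICE_ONLY))
```

A Target can match on any one value of a bag but cannot say "both of these values must be present", which is why the joint check lives in a Condition; the same Condition fed the repeated-category request would be evaluated once per individual decision and never see both names at once.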
