OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

# xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml] [schema] One two many OR levels in Target Subject?

• From: Polar Humenn <polar@syr.edu>
• To: Anne Anderson <Anne.Anderson@Sun.com>
• Date: Mon, 05 Aug 2002 11:16:00 -0400 (EDT)

```
Looking at Anne's structure here, I believe her structure has this
semantics:

1. at least one Subject has
AttrA == A AND AttrB == B and AttrC == C
and AttrE == E
2. OR at least one Subject has AttrD = D

This stems from the <Subject> construct, of which I believe means AND the
sequence of <SubjectMatch> on one particular subject. Is that the correct
semantics of <Subject> within the <Subjects> construct?

If I "convert" each one of Anne's subject matches to Horn Clauses (i.e.
Prolog), we get the following, meaning that the predicate "has" can figure
out whether a particular subject has a particular attribute.

SubjectMatch1(S) :- has(S,"AttrA","A"),has(S,"AttrB","B"),has(S,"AttrC","C").
SubjectMatch2(S) :- has(S,"AttrE","E").
SubjectMatch3(S) :- has(S,"AttrD","D").

Then comes the semantics of the two <Subject> constructs that Ann creates,
of which I believe is the AND of the particular <SubjectMatch> constructs.
I label predicates Subject1 and Subject2.

Subject1(S) :- SubjectMatch1(S), SubjectMatch2(S).
Subject2(S) :- SubjectMatch3(S).

The algorithm for the <Subjects> match is to see if the Subject1 OR the
Subject2 predicate applies to the sequence of Subjects, the sequence in
prolog is denoted by [head|rest].

Subjects([S|Ss]) :- Subject1(S).
Subjects([S|Ss]) :- Subject2(S).
Subjects([_|Ss]) :- Subjects(Ss).

Is this the semantics to which we agreed?

-Polar

On Fri, 2 Aug 2002, Anne Anderson wrote:

> I think we MAY have defined one too many levels of OR in our
> Target Subject syntax.
>
> I believe the following example matches any Request in which
> 1. at least one Subject has
>    AttrA == A AND AttrB == B and AttrC == C
> 2. OR at least one Subject has
>    AttrE == E
> 3. OR at least one Subject has
>    AttrD == D
>
> But 1. and 2. are not at the same level as 3.
>
> <Target>
>     <Subjects>
>         <Subject>
>             <SubjectMatch MatchId="string-match">
>                 <SubjectAttributeDesignator AttributeId="AttrA"
>                                             DataType="xs:string">
>                     <SubjectMatch MatchId="string-match">
>                         <SubjectAttributeDesignator
>                                             AttributeId="AttrB"
>                                             DataType="xs:string">
>                             <SubjectMatch MatchId="string-match">
>                                 <SubjectAttributeDesignator
>                                             AttributeId="AttrC"
>                                             DataType="xs:string">
>                                     <AttributeValue
>                                             DataType="xs:string">
>                                         valueC
>                                     </AttributeValue>
>                                 </SubjectAttributeDesignator>
>                             </SubjectMatch>
>                             <AttributeValue DataType="xs:string">
>                                 valueB
>                             </AttributeValue>
>                         </SubjectAttributeDesignator>
>                     </SubjectMatch>
>                     <AttributeValue DataType="xs:string">
>                         valueA
>                     </AttributeValue>
>                 </SubjectAttributeDesignator>
>             </SubjectMatch>
>             <SubjectMatch MatchId="string-match">
>                 <SubjectAttributeDesignator AttributeId="AttrE"
>                                             DataType="xs:string">
>                     <AttributeValue DataType="xs:string">
>                         valueE
>                     </AttributeValue>
>                 </SubjectAttributeDesignator>
>             </SubjectMatch>
>         </Subject>
>         <Subject>
>             <SubjectMatch MatchId="string-match">
>                 <SubjectAttributeDesignator AttributeId="AttrD"
>                                             DataType="xs:string">
>                     <AttributeValue DataType="xs:string">
>                         valueD
>                     </AttributeValue>
>                 </SubjectAttributeDesignator>
>             </SubjectMatch>
>         </Subject>
>     </Subjects>
>     <Resources>
>         <AnyResource/>
>     </Resources>
>     <Actions>
>         <AnyAction/>
>     </Actions>
> </Target>
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>

```

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC