Subject: Re: [xacml] subject attribute designator


On Thu, 8 Aug 2002, Simon Godik wrote:

> Polar,

> Currently the <SubjectMatch> element allows matching 1 attribute
> designator to 1 attribute value. A sequence of subject-matches is
> interpreted as 'and' between individual matches. In the target we have
> another element <Subject> that wraps a sequence of subject-matches. A
> sequence of <Subject> elements in the target is interpreted as 'or'.

The <Subject> thing in the Target is the source of the confusion.
It's saying that all criteria must match the same subject, where the
SubjectAttributeDesignator does just that. Therefore there are two ways. I
think the <Subjects> should just be a sequence of <SubjectMatch>, citing
that they are OR'ed.

However, the SubjectAttributeDesignator contains a sequence of
SubjectMatches that would be OR'ed, and SubjectMatches contained in further
nested SubjectAttributeDesignators are ANDed. This approach gives you a
consistent disjunctive normal form (i.e. (a & b) | (c & d) | ... etc.).

So, no matter where a sequence of <SubjectMatch> occurs, they are OR'ed.

The recursive SubjectAttributeDesignator will be AND.

That way the SubjectAttributeDesignator and its application is consistent
within the target and within the condition.

-Polar



> So the recursive example you give is semantically the same as my example.
>
> I'm beginning to think that this piece is a little bit overengineered.
>
> What if we define a <MatchType> that matches 1 attribute designator to 1
> attribute value. (I think we had this before the f2f.)
> Elements of <MatchType> are always enclosed in <Subject>, <Resource>, or
> <Action> elements. So matches within <Subject> are subject attribute
> matches, matches within <Resource> are resource attribute matches, etc.
>
> In the target we drop the <Subjects> element and leave a sequence of <Subject>
> elements that in turn contain a sequence of matches. (Same for <Resources>
> and <Actions>.)
>
> A sequence of <Subject> elements in the target is interpreted as 'or'. A
> sequence of subject matches within an individual <Subject> element is
> interpreted as 'and'. (Same for <Resource> seq and <Action> seq.)
>
> SubjectAttributeDesignator will contain an optional sequence of subject matches
> interpreted as 'and' between individual matches.
>
> Example:
> <Target> <-- note <Subjects> element gone.
>     <Subject>
>         <SubjectMatch MatchId="string-equal"> <-- match 1 attr to 1 value
>             <AttributeDesignator AttributeId="attrA"/>
>             <AttributeValue>a1</AttributeValue>
>         </SubjectMatch>
>         <SubjectMatch MatchId="string-equal"> <-- match 1 attr to 1 value
>             <AttributeDesignator AttributeId="AttrB"/>
>             <AttributeValue>b1</AttributeValue>
>         </SubjectMatch>
>         <SubjectMatch MatchId="string-equal"> <-- match 1 attr to 1 value
>             <AttributeDesignator AttributeId="AttrC"/>
>             <AttributeValue>c1</AttributeValue>
>         </SubjectMatch>
>     </Subject>
>     <Subject> <-- another subject, 'or' between <Subject> elements.
>     </Subject>
>     ....
> </Target>
>
> <SubjectAttributeDesignator AttributeId="AttrA">
>     <SubjectMatch MatchId="string-equal"> <-- 'and' between individual
> subject-matches.
>         <AttributeDesignator AttributeId="AttrB"/>
>         <AttributeValue>b1</AttributeValue>
>     </SubjectMatch>
>     <SubjectMatch MatchId="string-equal">
>         <AttributeDesignator AttributeId="AttrC"/>
>         <AttributeValue>c1</AttributeValue>
>     </SubjectMatch>
> </SubjectAttributeDesignator>
>
> Simon
>
> ----- Original Message -----
> From: "Polar Humenn" <polar@syr.edu>
> To: "Simon Godik" <simon@godik.com>
> Cc: <xacml@lists.oasis-open.org>
> Sent: Thursday, August 08, 2002 11:22 AM
> Subject: Re: [xacml] subject attribute designator
>
>
> > On Thu, 8 Aug 2002, Simon Godik wrote:
> >
> > > <SubjectAttributeDesignator AttributeId="attrB">
> > >     <SubjectMatch MatchId="string-equal">
> > >         <SubjectAttributeDesignator AttributeId="subject-category"/>
> > >         <AttributeValue>access-subject</AttributeValue>
> > >     </SubjectMatch>
> > >     <SubjectMatch MatchId="string-equal">
> > >         <SubjectAttributeDesignator AttributeId="attrA"/>
> > >         <AttributeValue>a1</AttributeValue>
> > >     </SubjectMatch>
> > > </SubjectAttributeDesignator>
> > >
> > > This designator will match both subjects.
> > >
> > > Does it make sense? Should we remove recursion in
> > > subject-attribute-designator, so that
> > > subject-match does not refer to subject-attribute-designator again?
> >
> > Aren't the <SubjectMatches> supposed to be OR'ed, and the recursive
> > "where"  semantics are "AND"?
> >
> > The above says to me give me the value of the attrB attribute from the
> > subject that matches a (string-equal subject-category of access-subject)
> > OR (string-equal attrA of a1).
> >
> > Whereas:
> >
> > <SubjectAttributeDesignator AttributeId="attrB">
> >     <SubjectMatch MatchId="string-equal">
> >         <SubjectAttributeDesignator AttributeId="subject-category">
> >             <SubjectMatch MatchId="string-equal">
> >                 <SubjectAttributeDesignator AttributeId="attrA"/>
> >                 <AttributeValue>a1</AttributeValue>
> >             </SubjectMatch>
> >         </SubjectAttributeDesignator>
> >          <AttributeValue>access-subject</AttributeValue>
> >     </SubjectMatch>
> > </SubjectAttributeDesignator>
> >
> > means give me the value of the attrB attribute from THE subject that
> > matches a (string-equal subject-category of access-subject) AND
> > (string-equal attrA of a1).
> >
> >
> >
> >
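To make the semantics Polar proposes concrete, here is an added Python model (not from the thread and not from any XACML implementation) that evaluates a SubjectAttributeDesignator tree over a request carrying several subjects: a sequence of <SubjectMatch> elements is OR'ed, and a match whose designator is itself qualified requires that nested designator to apply too, which is where the AND comes from. The three subjects are constructed here; the flat and nested designator shapes follow the two examples quoted above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The only MatchId used in the thread; other match functions would be added here.
MATCH_FUNCS: Dict[str, Callable[[str, str], bool]] = {
    "string-equal": lambda attr, val: attr == val,
}

@dataclass
class Designator:
    # SubjectAttributeDesignator: names an attribute, optionally qualified by
    # a sequence of SubjectMatch elements (OR'ed, per Polar's proposal).
    attribute_id: str
    matches: List["Match"] = field(default_factory=list)

@dataclass
class Match:
    # SubjectMatch: applies MatchId to one designator and one literal value.
    match_id: str
    designator: Designator
    value: str

def designator_applies(d: Designator, subject: Dict[str, str]) -> bool:
    # An unqualified designator applies to every subject; a sequence of
    # SubjectMatch elements is a disjunction.
    return not d.matches or any(match_holds(m, subject) for m in d.matches)

def match_holds(m: Match, subject: Dict[str, str]) -> bool:
    # Conjunction: the nested designator must apply to this subject AND the
    # attribute it names must satisfy the match against the literal value.
    if not designator_applies(m.designator, subject):
        return False
    attr = subject.get(m.designator.attribute_id)
    return attr is not None and MATCH_FUNCS[m.match_id](attr, m.value)

def select_values(d: Designator, subjects: List[Dict[str, str]]) -> List[str]:
    # Values of d.attribute_id taken from exactly the subjects d applies to.
    return [s[d.attribute_id] for s in subjects
            if designator_applies(d, s) and d.attribute_id in s]

# Constructed request with three subjects (sample data, not from the thread).
SUBJECTS = [
    {"subject-category": "access-subject", "attrA": "a1", "attrB": "b1"},
    {"subject-category": "access-subject", "attrA": "a2", "attrB": "b2"},
    {"subject-category": "recipient-subject", "attrA": "a1", "attrB": "b3"},
]

def flat_designator() -> Designator:
    # Simon's flat form: two sibling SubjectMatch elements under attrB (OR'ed).
    return Designator("attrB", [
        Match("string-equal", Designator("subject-category"), "access-subject"),
        Match("string-equal", Designator("attrA"), "a1")])

def nested_designator() -> Designator:
    # Polar's nested form: attrA=a1 sits inside the subject-category designator (AND).
    return Designator("attrB", [
        Match("string-equal", Designator("subject-category", [
            Match("string-equal", Designator("attrA"), "a1")]), "access-subject")])
```

Under these rules the flat designator yields attrB from all three subjects, while the nested one yields it from the single subject satisfying both criteria.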
