OASIS Mailing List Archives

 



xacml message



Subject: [xacml] proposals for subject attribute designator clarification


Here are 2 proposals to clarify <SubjectAttributeDesignator> element semantics.
 
Attribute Designators.
 
Polar.
SubjectMatch matches 1 attribute to 1 value.
A sequence of <SubjectMatch>'es is always 'or'ed.
SubjectMatches contained in further nested SubjectAttributeDesignators
are 'and'ed with the parent SubjectMatch.
Get rid of <Subject> element in the <Target>
 
<Target>
<Subjects> <-- note that <Subject> element is gone.
   <SubjectMatch/> <-- 'or' between subject matches (always)
   <SubjectMatch/>
</Subjects>
</Target>
 
Select sa.attrA such that
(sa.attrB="valB" & sa.attrC="valC") | (sa.attrD="valD")
 
<SubjectAttributeDesignator AttributeId="attrA">
   <SubjectMatch> <-- 'or' between subject matches
      <SubjectAttributeDesignator AttributeId="attrB">
         <SubjectMatch> <-- 'and' with parent subject-match
            <SubjectAttributeDesignator AttributeId="attrC"/>
            <AttributeValue>valC</AttributeValue>
         </SubjectMatch>
      </SubjectAttributeDesignator>
      <AttributeValue>valB</AttributeValue>
   </SubjectMatch>
   <SubjectMatch> <-- 'or' between subject matches
      <SubjectAttributeDesignator AttributeId="attrD"/>
      <AttributeValue>valD</AttributeValue>
   </SubjectMatch>
</SubjectAttributeDesignator>
 
Note: this is very close to the current schema (Simon 0)
with clarification that subject-matches are always 'or'ed. It is also
very close to xpath selection semantics where each step narrows down
previous step. This proposal calls for minimal changes to the current
schema.
 
Simon 1.
A number of people expressed the opinion that the semantics of
SubjectAttributeDesignator are not sufficiently clear.
If the above proposal does not clarify it, here is another proposal.
 
SubjectMatch matches 1 attribute to 1 value.
A sequence of <SubjectMatch>'es is always 'and'ed.
A sequence of <Subject> elements in the target are always 'or'ed.
Get rid of <Subjects> element in the <Target>.
<SubjectAttributeDesignator> does not have a sequence of <SubjectMatch> es.
Invent new <SubjectAttributeDesignatorWhere> element that extends
<SubjectAttributeDesignator> with a sequence of <SubjectMatch> es.
 
<Target>
   <Subject> <-- 'or' between <Subject> elements
      <SubjectMatch/> <-- 'and' between subject matches (always)
      <SubjectMatch/>
   </Subject>
   <Subject> <-- 'or' between <Subject> elements
   </Subject>
</Target>
 
Select sa.attrA such that
sa.attrB="valB" & sa.attrC="valC"
(note that it is not possible to replicate the exact example from Polar's
proposal)
 
<SubjectAttributeDesignatorWhere AttributeId="attrA">
   <Where>
      <SubjectMatch> <-- 'and' between subject matches
         <SubjectAttributeDesignator AttributeId="attrB"/>
         <AttributeValue>valB</AttributeValue>
      </SubjectMatch>
      <SubjectMatch> <-- 'and' between subject matches
         <SubjectAttributeDesignator AttributeId="attrC"/>
         <AttributeValue>valC</AttributeValue>
      </SubjectMatch>
   </Where>
</SubjectAttributeDesignatorWhere>

Polar + Where:
<Where> element can be integrated into Polar's proposal as well.
 
<SubjectAttributeDesignator AttributeId="attrA">
   <Where>
      <SubjectMatch/> <-- 'or' between subject matches
   </Where>
</SubjectAttributeDesignator>
 
Select sa.attrA such that
(sa.attrB="valB" & sa.attrC="valC") | (sa.attrD="valD")
 
<SubjectAttributeDesignator AttributeId="attrA">
   <Where>
      <SubjectMatch> <-- 'or' between subject matches
         <SubjectAttributeDesignator AttributeId="attrB">
            <Where>
               <SubjectMatch> <-- 'and' with parent subject-match
                  <SubjectAttributeDesignator AttributeId="attrC"/>
                  <AttributeValue>valC</AttributeValue>
               </SubjectMatch>
            </Where>
         </SubjectAttributeDesignator>
         <AttributeValue>valB</AttributeValue>
      </SubjectMatch>
      <SubjectMatch> <-- 'or' between subject matches
         <SubjectAttributeDesignator AttributeId="attrD"/>
         <AttributeValue>valD</AttributeValue>
      </SubjectMatch>
   </Where>
</SubjectAttributeDesignator>
 
Simon
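
The two combination rules described in the message above, evaluated side by side. This is an added example, not part of the original post or of any XACML implementation. It assumes un-namespaced element names, a subject modelled as a dict of attribute id to a set of values, and the values valB/valC/valD from the select expressions; `holds`, `select` and the sample subjects are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Leaf match: one attribute compared to one value (both proposals).
LEAF = ('<SubjectMatch><SubjectAttributeDesignator AttributeId="{}"/>'
        '<AttributeValue>{}</AttributeValue></SubjectMatch>')

# Polar form of: (attrB="valB" & attrC="valC") | (attrD="valD")
POLAR = ('<SubjectAttributeDesignator AttributeId="attrA">'
         '<SubjectMatch><SubjectAttributeDesignator AttributeId="attrB">'
         + LEAF.format("attrC", "valC") +
         '</SubjectAttributeDesignator><AttributeValue>valB</AttributeValue>'
         '</SubjectMatch>' + LEAF.format("attrD", "valD") +
         '</SubjectAttributeDesignator>')

# Simon 1 form of: attrB="valB" & attrC="valC"
SIMON1 = ('<SubjectAttributeDesignatorWhere AttributeId="attrA"><Where>'
          + LEAF.format("attrB", "valB") + LEAF.format("attrC", "valC") +
          '</Where></SubjectAttributeDesignatorWhere>')

def holds(sm, subject):
    """A <SubjectMatch> holds when the designated attribute carries the value
    and, if the designator nests further matches, one of them holds too."""
    des = sm.find("SubjectAttributeDesignator")
    nested = des.findall("SubjectMatch")
    return (sm.findtext("AttributeValue") in subject.get(des.get("AttributeId"), ())
            and (not nested or any(holds(n, subject) for n in nested)))

def select(xml_text, subject):
    """Return the selected attribute's values, or [] when the condition fails."""
    root = ET.fromstring(xml_text)
    if root.tag == "SubjectAttributeDesignatorWhere":      # Simon 1: 'and'
        hit = all(holds(m, subject) for m in root.findall("Where/SubjectMatch"))
    else:                                                  # Polar: 'or'
        matches = root.findall("SubjectMatch")
        hit = not matches or any(holds(m, subject) for m in matches)
    return sorted(subject.get(root.get("AttributeId"), ())) if hit else []

# Constructed subjects: attribute id -> set of values.
ALICE = {"attrA": {"a1"}, "attrB": {"valB"}, "attrC": {"valC"}}
BOB = {"attrA": {"a2"}, "attrD": {"valD"}}
CAROL = {"attrA": {"a3"}, "attrB": {"valB"}}   # attrB without attrC

if __name__ == "__main__":
    for name, s in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name, select(POLAR, s), select(SIMON1, s))
```

A missing attribute never satisfies a match, so a subject carrying attrB without attrC is rejected under both forms; only the Polar form admits the attrD alternative.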
 

