

Subject: Re: [xacml] subjects (fwd)


I need a clarification:

  In a <Target>, we currently allow one or more SubjectMatch
  elements, each of which contains a MatchId, a
  SubjectAttributeDesignator/AttributeSelector and an
  AttributeValue.

  Under your proposal, I think "Example" below is a valid
  <Target>, meaning: there must be at least one <Subject> element
  in the Request where all of the following are true:

    by first SubjectMatch:
     the xxx AttributeId has a value of "ghi"
     the yyy AttributeId has a value of "abc"
     the zzz AttributeId has a value of "def"
    by second SubjectMatch:
     the aaa AttributeId has a value of "qrs"
     the bbb AttributeId has a value of "jkl"
     the ccc AttributeId has a value of "mno"

  What do we gain over having multiple <SubjectMatch> elements,
  each with a single AttributeDesignator and value to be matched?

  Example:

  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="...:string-equal">
          <SubjectAttributeDesignator AttributeId="xxx"
                                      MustBePresent="false">
            <SubjectQualifier AttributeId="yyy"
                              MustBePresent="true"
                              MatchId="...:string-equal">
              <AttributeValue DataType="...:string">abc</AttributeValue>
            </SubjectQualifier>
            <SubjectQualifier AttributeId="zzz"
                              MustBePresent="true"
                              MatchId="...:string-equal">
              <AttributeValue DataType="...:string">def</AttributeValue>
            </SubjectQualifier>
          </SubjectAttributeDesignator>
          <AttributeValue DataType="...:string">ghi</AttributeValue>
        </SubjectMatch>
        <SubjectMatch MatchId="...:string-equal">
          <SubjectAttributeDesignator AttributeId="aaa"
                                      MustBePresent="false">
            <SubjectQualifier AttributeId="bbb"
                              MustBePresent="true"
                              MatchId="...:string-equal">
              <AttributeValue DataType="...:string">jkl</AttributeValue>
            </SubjectQualifier>
            <SubjectQualifier AttributeId="ccc"
                              MustBePresent="true"
                              MatchId="...:string-equal">
              <AttributeValue DataType="...:string">mno</AttributeValue>
            </SubjectQualifier>
          </SubjectAttributeDesignator>
          <AttributeValue DataType="...:string">qrs</AttributeValue>
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
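
The reading given in the message (at least one request <Subject> must satisfy every match) applied to the flat alternative it asks about, as an added example that is not part of the original message or of any XACML implementation. The helper names, the dict-of-sets request model and the flat XML are constructed for illustration; MustBePresent handling is left out and only string-equal is evaluated.

```python
import xml.etree.ElementTree as ET

def flat_target(pairs):
    """Build the flat form: one SubjectMatch per (AttributeId, value)."""
    matches = "".join(
        '<SubjectMatch MatchId="...:string-equal">'
        f'<SubjectAttributeDesignator AttributeId="{attr}"/>'
        f'<AttributeValue DataType="...:string">{value}</AttributeValue>'
        '</SubjectMatch>'
        for attr, value in pairs)
    return f"<Target><Subjects><Subject>{matches}</Subject></Subjects></Target>"

def parse_subjects(target_xml):
    """Return one list of (AttributeId, value) pairs per <Subject> element."""
    root = ET.fromstring(target_xml)
    alternatives = []
    for subject in root.iter("Subject"):
        conjunction = []
        for match in subject.findall("SubjectMatch"):
            if not match.get("MatchId", "").endswith(":string-equal"):
                raise ValueError("only string-equal is handled in this sketch")
            attr = match.find("SubjectAttributeDesignator").get("AttributeId")
            conjunction.append((attr, match.find("AttributeValue").text))
        alternatives.append(conjunction)
    return alternatives

def target_matches(target_xml, request_subjects):
    """True if a single request subject satisfies every match of a <Subject>."""
    return any(
        all(value in subject.get(attr, set()) for attr, value in conjunction)
        for conjunction in parse_subjects(target_xml)
        for subject in request_subjects)

# Attribute ids and values from the message's example.
PAIRS = [("xxx", "ghi"), ("yyy", "abc"), ("zzz", "def"),
         ("aaa", "qrs"), ("bbb", "jkl"), ("ccc", "mno")]
TARGET = flat_target(PAIRS)

# Constructed requests: all six attributes on one subject, versus the same
# attributes split across two subjects.
ONE_SUBJECT = [{attr: {value} for attr, value in PAIRS}]
SPLIT_SUBJECTS = [{attr: {value} for attr, value in PAIRS[:3]},
                  {attr: {value} for attr, value in PAIRS[3:]}]

if __name__ == "__main__":
    print("one subject:", target_matches(TARGET, ONE_SUBJECT))
    print("split across subjects:", target_matches(TARGET, SPLIT_SUBJECTS))
```

Under this reading the split request does not match, because no single subject carries all six values.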


