Re: [xacml] subjects

[Polar Humenn <polar@syr.edu>]

On Mon, 4 Nov 2002, Simon Godik wrote:

> We have an open issue with subject designators that we want to solve asap.
> There is a proposal from Polar, but I think it is too complicated for quick adoption.
>
> My proposal:
> a) Quick solution to vote on thrs: Keep current subject-attribute-designator element
> with subject-category attribute and use it in the target and apply elements. Drop
> subject-attr-desig-where. I think it will cover 95% of all cases.

I wouldn't mind this, except for having multiple subjects for a category!
It just balls everything up. I cannot tell which subject my attributes are
comming from. That really bothers me.

I think we have screwed this whole thing up with multiple subjects
requirement and not understanding the ramifications of the queries on
them.

In my latest proposal, I've added complex attributes to the elements to
pop up indeterminates in the case where you get multiple subjects matched.
I don't really like that solution. But I made the analogous IsPresent
operator use another attribute so that it returns false if the Qualifiers
select more than one subject. This also complicates the SubjectMatch in
that it has to throw an indeterminate when the designator qualifies
multiple subjects. Yuck! I hate it.

> b) Work out alternative proposal and delay voting until it is resolved

I think a better more workable solution would be to make the subjects
(i.e. lists of attributes) unique to the category, and use the present
SubjectAttributeDesignator (with the SubjectCategory part)  and get rid of
the SubjectAttributeDesignatorWhere. That's simple and I think everybody
can get their brains wrapped around that.

I think this approach will solve 95% of the simple cases as well. And
let's wait to 1.1 or 2.0 to get multiple subjects down. It's already bad
enough with multiple subject categories. Geeezzz!

Cheers,
-Polar

> Simon
>
>