OASIS Mailing List Archives

xacml message



Subject: RE: [xacml] Type-is-in should be a match function


Seth - I notice that we are unclear in Section 5.8.  We say that legal
values for the matchId attribute are documented in Section A.3.  Well, all
functions are documented in Section A.3.  So, am I right in saying that
legal values for matchId are documented in Sections A.3.1 (equality
predicates) and A.3.13 (special match functions)?  All the best.  Tim.

-----Original Message-----
From: Tim Moses 
Sent: Wednesday, July 14, 2004 11:04 AM
To: 'Seth Proctor'; Tim Moses
Cc: 'XACML'
Subject: RE: [xacml] Type-is-in should be a match function


Seth - No.  You aren't answering the wrong question.  This is what I hear
...

If the context contains a multi-valued attribute and, in the Target, we want
to match on any one of the values, then we use type-equal, and not
type-is-in.  Thereby hiding the fact that the attribute is multi-valued and
the designator is a bag.

It was my misunderstanding.  Thanks for helping me out.  All the best.  Tim.

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
Sent: Wednesday, July 14, 2004 10:36 AM
To: Tim Moses
Cc: 'XACML'
Subject: RE: [xacml] Type-is-in should be a match function



On Wed, 2004-07-14 at 10:25, Tim Moses wrote:
> Target can contain a match function, e.g. ResourceMatch, which
> compares an attributeValue with a ResourceAttributeDesignator, which 
> is a bag of base types.

Yes, but recall how Targets are evaluated. The Designator/Selector is
evaluated to retrieve some number of values, and then for each value we
compare it to the given AttributeValue using the MatchId. For instance:

  <SubjectMatch MatchId="...:string-equal">
    <AttributeValue DataType="...#string">foo</AttributeValue>
    <SubjectAttributeDesignator DataType="...#string" ... />
  </SubjectMatch>

is legal because values are resolved for the designator, and then one at a
time they are compared to the value "foo" using the function string-equal.
If any one of the resolved values matches, then the SubjectMatch matches.

So, yes, we're working with Bags in Targets. However, from the point of view
of the Match function, we're only working on base-types. Thus, we can't use
the bag functions in Target matching. Does that make sense? Am I answering
the wrong question?


seth
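
The Target evaluation described in the message above, as an added example that is not part of the thread or of any XACML implementation: the designator resolves to a bag, and the MatchId function is applied to one base-type value at a time. The AttributeId, the request values and the helper names are constructed for illustration, and MustBePresent handling is left out.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
# Functions usable as a MatchId: both arguments are single base-type values.
MATCH_FUNCTIONS = {FN + "string-equal": lambda a, b: a == b}
# Bag functions take a bag argument, so they cannot serve as a MatchId.
BAG_FUNCTIONS = {FN + "string-is-in"}

# Constructed sample policy fragment; the AttributeId is hypothetical.
SUBJECT_MATCH = f"""
<SubjectMatch MatchId="{FN}string-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo</AttributeValue>
  <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                              AttributeId="urn:example:attribute:group"/>
</SubjectMatch>
"""


def evaluate_subject_match(match_xml, subject_attributes):
    """Return True if any value resolved for the designator matches the AttributeValue."""
    elem = ET.fromstring(match_xml)
    match_id = elem.get("MatchId")
    if match_id in BAG_FUNCTIONS:
        raise ValueError(f"{match_id} operates on a bag and cannot be a MatchId")
    func = MATCH_FUNCTIONS[match_id]
    literal = elem.find("AttributeValue").text
    designator = elem.find("SubjectAttributeDesignator")
    # Resolving the designator yields a bag (possibly empty) of base-type values.
    bag = subject_attributes.get(designator.get("AttributeId"), [])
    # The match function only ever sees one value at a time; one hit is enough.
    return any(func(literal, value) for value in bag)


if __name__ == "__main__":
    # Constructed request context: the subject carries a multi-valued attribute.
    request = {"urn:example:attribute:group": ["bar", "foo"]}
    print(evaluate_subject_match(SUBJECT_MATCH, request))
```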

