Re: [xacml] What if multiple values found?

[Anne Anderson <Anne.Anderson@Sun.COM>]

Hi Rich,

The Request Context is a "notional view" of all Attributes that the PDP 
should take into account in evaluating its policies.  The XACML 
specification does not specify how that Request Context will be 
populated, nor what policies are used in deciding which Attribute values 
to make available.  Those are implementation and deployment dependent.

It is up to the implementation of the Context Handler and the local 
policies on how that Context Handler will be used to determine the 
sources of Attributes.  A Request Context supplied by a PEP is not 
necessarily what the PDP will use, and typically will be used to seed 
the Request Context used for evaluation.  It is up to the local Context 
Handler implementation and policies as to whether an external source 
will be queried if the Request Context seeded from the PEP's input 
already contains one or more values for a given Attribute.

Anne

Rich Salz wrote:

> A couple of detailed questions; if it's better for me to ask on
> the xacml-dev list, let me know.
> 
> 1. What do you do if the Request context specifies a value for an
> attribute, but the SAML repository or whatever external source you are
> using also has a value for that attribute?
> 
> 2. Is that the same thing you do if multiple external sources provide
> values for that attribute?
> 
> Thanks.
> 
>         /r$
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA