Subject: RE: [xacml] Attribute categories.
Doh! (...I guess I did not like the existing multiple subject design so much that I subconsciously omitted it :) )

We should add this, but it should be made in some abstract form, for example by adding a disjunctive match grouping. (We can pick up a nice name for that element - suggestions?)

How about something like:

    <Target>
      <DisjunctiveMatch>
        <Match MatchId="...equals">
          <AttributeDesignator Category="XXX">
        </Match>
        <Match MatchId="...equals">
          <AttributeDesignator Category="XXX">
        </Match>
      </DisjunctiveMatch>
      <Match>...
      </Match>
    </Target>

With semantics that anything inside the DisjunctiveMatch is ORed, and the rest is AND. There is no need to restrict this only to the former subject categories. That will allow mapping existing subject matches into the new schema.

Daniel;

-----Original Message-----
From: Anne Anderson - Sun Microsystems [mailto:Anne.Anderson@sun.com]
Sent: Wednesday, October 04, 2006 7:42 AM
To: email@example.com
Subject: Re: [xacml] Attribute categories.

I think this is a mistake in the new attribute categories schema. There should be an element corresponding to <Subjects>, <Resources>, ... that identifies a category under which the enclosed groupings fall. Then there should be an element corresponding to <Subject>, <Resource>, ... that identifies a specific instance of an entity in that category to which all the enclosed <Match> elements must apply.

Fixing this mistake will be necessary for backwards compatibility, and also to retain functionality for specifying groupings of attributes that must apply to a specific entity.

Regards,
Anne

Erik Rissanen wrote On 10/04/06 10:36,:
> All,
>
> I just noticed that, if I understand this correctly, it is not possible to
> write a disjunction in the target with the new attribute categories
> schema. In XACML 2.0 you can write:
>
> <Target>
>   <Subjects>
>     <Subject>
>       <SubjectMatch MatchId="...equals">
>         <SubjectAttributeDesignator>
>         ...A...
>       </SubjectMatch>
>     </Subject>
>     <Subject>
>       <SubjectMatch MatchId="...equals">
>         <SubjectAttributeDesignator>
>         ...B...
>       </SubjectMatch>
>     </Subject>
>   </Subjects>
> </Target>
>
> and a request with either subject A or B would match.
>
> In the new attribute categories schema the Match appears directly below
> Target:
>
> <Target>
>   <Match MatchId="...equals">
>     <AttributeDesignator Category="Subject">
>     ...A...
>   </Match>
> </Target>
>
> so it is no longer possible to write a disjunction. Did I understand it
> correctly?
>
> Regards,
> Erik
>
> Daniel Engovatov wrote:
>
>>Attached is a version of the request and policy schemas implementing
>>extensible attribute categories proposal, as we discussed it.
>>I also attached some rendering of the changed schema type.
>>Could this be uploaded somewhere, so that I can link it from wiki and
>>write descriptions for all the changes?
>>
>>Daniel;
>>
>>
>
>
>

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
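
The three target shapes discussed in this thread, evaluated side by side. This is an added example, not part of any of the messages and not taken from the XACML schemas. It assumes a simplified markup in which each Match carries Category, AttributeId and Value as XML attributes, uses constructed attribute names and values (role, type, A, B, report), and treats DisjunctiveMatch as the element name floated in the thread, not a published schema element.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified markup: real XACML nests an AttributeValue and a
# designator inside each match, and XACML 2.0 names the element SubjectMatch.
# DisjunctiveMatch is only the element proposed in this thread.
XACML2_STYLE = """<Target><Subjects>
  <Subject><Match Category="subject" AttributeId="role" Value="A"/></Subject>
  <Subject><Match Category="subject" AttributeId="role" Value="B"/></Subject>
</Subjects></Target>"""

FLAT_STYLE = """<Target>
  <Match Category="subject" AttributeId="role" Value="A"/>
  <Match Category="subject" AttributeId="role" Value="B"/>
</Target>"""

PROPOSED_STYLE = """<Target>
  <DisjunctiveMatch>
    <Match Category="subject" AttributeId="role" Value="A"/>
    <Match Category="subject" AttributeId="role" Value="B"/>
  </DisjunctiveMatch>
  <Match Category="resource" AttributeId="type" Value="report"/>
</Target>"""

def match(node, request):
    """True when the request holds the expected value for this attribute."""
    key = (node.get("Category"), node.get("AttributeId"))
    return node.get("Value") in request.get(key, set())

def evaluate(node, request):
    """Children of Subjects/DisjunctiveMatch are ORed; all other groups are ANDed."""
    if node.tag == "Match":
        return match(node, request)
    results = (evaluate(child, request) for child in node)
    if node.tag in ("Subjects", "DisjunctiveMatch"):
        return any(results)
    return all(results)  # Target and Subject are conjunctions

def target_matches(xml_text, request):
    """request maps (category, attribute id) to the set of values it carries."""
    return evaluate(ET.fromstring(xml_text), request)

if __name__ == "__main__":
    subject_b = {("subject", "role"): {"B"}, ("resource", "type"): {"report"}}
    for name in ("XACML2_STYLE", "FLAT_STYLE", "PROPOSED_STYLE"):
        print(name, target_matches(globals()[name], subject_b))
```

With a subject holding only role B, the XACML 2.0 style and the proposed grouping match, while the flat form does not, because sibling Match elements directly under Target are all required.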