Subject: Multiple subjects in XACML
All,

We discussed issue 63, Generalization of multiple resources, during the 15 Feb 2007 meeting.

http://wiki.oasis-open.org/xacml/IssuesList

There was disagreement on whether multiple subjects with identical subject categories are allowed (or, more precisely, whether they are seen as distinct subjects).

I pointed to the 2.0 spec. On page 70 it says:

--8<--
If more than one <Subject> element contains a "urn:oasis:names:tc:xacml:2.0:subject-category" attribute with the same value, then the PDP SHALL treat the contents of those elements as if they were contained in the same <Subject> element.
--8<--

On page 63 it also says:

--8<--
If the request context contains multiple subjects with the same SubjectCategory XML attribute, then they SHALL be treated as if they were one categorized subject.
--8<--

Hal raised the concern that this is a bug in 2.0, since there could for instance be multiple intermediate subjects, and this was a use case which 2.0 should handle.

I wasn't a member of the TC when 2.0 was designed, so I don't know if it is a bug or a feature, but if it is a bug, it's a major one.

If the multiple subjects are really considered to be distinct subjects, there are still no mechanisms by which policies can refer to them in a meaningful manner. If an attribute designator is used to fetch attributes from the request, it would mix up the attributes from different distinct subjects.

This is the same problem which we had with multiple distinct IndirectDelegates, which is the reason I introduced the MultipleCondition, which could be used to constrain distinct indirect delegates.

Regards,
Erik
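The following is an added illustration of the merging behaviour the message quotes from the 2.0 spec and of the "mixing up" problem it describes; it is not code from the mailing list or from any XACML implementation. It parses a constructed XACML 2.0 request context containing one access subject and two intermediary subjects, merges same-category `<Subject>` elements the way the quoted text requires, and then contrasts what a `SubjectAttributeDesignator` over the merged bag can check against a check that binds both attributes to a single distinct subject. The `urn:example:role` attribute identifier and the subject-id values are constructed for the example; the subject-category and subject-id identifiers are the standard XACML ones.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:example:role"  # constructed attribute id for this example
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample request: one access subject, two intermediary subjects
# that share the same SubjectCategory value.
SAMPLE_REQUEST = f"""<Request xmlns="{CTX_NS}">
  <Subject SubjectCategory="{ACCESS_SUBJECT}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="{INTERMEDIARY_SUBJECT}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>proxy-a</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{ROLE_ID}" DataType="{STRING}">
      <AttributeValue>gateway</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="{INTERMEDIARY_SUBJECT}">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>proxy-b</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{ROLE_ID}" DataType="{STRING}">
      <AttributeValue>auditor</AttributeValue>
    </Attribute>
  </Subject>
  <Resource/>
  <Action/>
</Request>"""


def q(tag):
    """Qualify a tag name with the XACML 2.0 context namespace."""
    return f"{{{CTX_NS}}}{tag}"


def subject_attributes(subject):
    """Collect {attribute_id: [values]} from one <Subject> element."""
    attrs = defaultdict(list)
    for attr in subject.findall(q("Attribute")):
        for val in attr.findall(q("AttributeValue")):
            attrs[attr.get("AttributeId")].append(val.text)
    return attrs


def merge_subjects_by_category(request_xml):
    """Merge all <Subject> elements sharing a SubjectCategory into one,
    as the quoted 2.0 text requires. Returns {category: {attr_id: [values]}}.
    A <Subject> without SubjectCategory defaults to access-subject."""
    root = ET.fromstring(request_xml)
    merged = defaultdict(lambda: defaultdict(list))
    for subject in root.findall(q("Subject")):
        category = subject.get("SubjectCategory", ACCESS_SUBJECT)
        for attr_id, values in subject_attributes(subject).items():
            merged[category][attr_id].extend(values)
    return {c: dict(a) for c, a in merged.items()}


def subject_attribute_designator(merged, category, attribute_id):
    """The bag a SubjectAttributeDesignator yields: every value of the
    attribute across all subjects that were merged into this category."""
    return list(merged.get(category, {}).get(attribute_id, []))


def bag_conditions_hold(merged, category, conditions):
    """What a policy can express over merged bags: each (attr_id, value)
    pair appears somewhere in the category's bag. Because the subjects were
    merged, the pairs need not come from the same original <Subject>."""
    return all(value in subject_attribute_designator(merged, category, attr_id)
               for attr_id, value in conditions)


def same_subject_conditions_hold(request_xml, category, conditions):
    """The check the message says 2.0 policies cannot express: all
    (attr_id, value) pairs must be satisfied by ONE distinct <Subject>."""
    root = ET.fromstring(request_xml)
    for subject in root.findall(q("Subject")):
        if subject.get("SubjectCategory", ACCESS_SUBJECT) != category:
            continue
        attrs = subject_attributes(subject)
        if all(value in attrs.get(attr_id, []) for attr_id, value in conditions):
            return True
    return False


if __name__ == "__main__":
    merged = merge_subjects_by_category(SAMPLE_REQUEST)
    wanted = [(SUBJECT_ID, "proxy-b"), (ROLE_ID, "gateway")]
    print("merged intermediary roles:",
          subject_attribute_designator(merged, INTERMEDIARY_SUBJECT, ROLE_ID))
    print("bag check (proxy-b is a gateway?):",
          bag_conditions_hold(merged, INTERMEDIARY_SUBJECT, wanted))
    print("per-subject check (proxy-b is a gateway?):",
          same_subject_conditions_hold(SAMPLE_REQUEST, INTERMEDIARY_SUBJECT, wanted))
```

Run as-is, the bag check answers "yes" to "is proxy-b a gateway?" because `proxy-b` and `gateway` both occur in the merged intermediary-subject bags, while the per-subject check answers "no" because no single `<Subject>` carries both values; that gap is exactly the loss of information the message points at.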