

Subject: RE: [xacml] A problem with the Target


Side note: we really should name those new elements to be <MatchAnd> and
<MatchOr>.  We are cryptic as-is.

Also - in your example, I am not sure of the intended semantics:
OR(AND(Match1, Match2)) - what is the outer OR for? Should we not OR
the subject matches there?

Could we just introduce a <MatchOr> element, have all top-level matches
be implicitly conjunctive, and allow mixing of attribute categories
inside the disjunctive <MatchOr>?

So your example would be 
<Target>
  <MatchOr>
     <Match ..category access-subject </...>
     <Match .. category intermediate-subject </..>
  </MatchOr>
  <Match  .. category resource>
  <Match  .. category action>
</Target>

There is no need for a conjunctive match element here, and no need for
an arbitrary depth Boolean logic - such a target can be efficiently
flattened, and it is equivalent to a 2.0 target.

Daniel.

-----Original Message-----
From: Erik Rissanen [mailto:mirty@sics.se] 
Sent: Tuesday, February 20, 2007 5:15 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] A problem with the Target

All,

We had a discussion earlier about the generalization of the Target. We
decided that we will not allow mixing of different attribute categories
within the same ConjunctiveMatch since this makes indexing more
difficult. This is a no-no:

<Target>
    <DisjunctiveMatch>
        <ConjunctiveMatch>
            <Match
                MatchId="string-equal">
                <AttributeValue
                    DataType="string">Alice</AttributeValue>
                <AttributeDesignator Category="access-subject"
                    AttributeId="subject-id"
                    DataType="string"/>
            </Match>
            <Match
                MatchId="string-equal">
                <AttributeValue
                    DataType="string">proxy1</AttributeValue>
                <AttributeDesignator Category="intermediate-subject"
                    AttributeId="subject-id"
                    DataType="string"/>
            </Match>
        </ConjunctiveMatch>
    </DisjunctiveMatch>
</Target>

However, this was possible with subject categories in 2.0. So we are no
longer backwards compatible with 2.0.

I have no idea how to fix this, besides allowing mixing of categories in
a ConjunctiveMatch.

Regards,
Erik
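
The flattening claim in the reply above, as an added example that is not part of the original thread or of any XACML implementation: a target with implicitly ANDed top-level matches and ORed <MatchOr> groups is expanded into a disjunction of conjunctions, and both forms are evaluated against the same requests. Assumptions: only string-equal is modelled, Indeterminate results are ignored, and the attribute ids, values and requests are constructed.

```python
from itertools import product

# A Match is (category, attribute_id, value); only string-equal is modelled.
# A target is a list: a tuple is a top-level Match (implicitly ANDed),
# a list of tuples is a <MatchOr> group (ORed, categories may be mixed).

def match(m, request):
    category, attr_id, value = m
    # Request attributes are bags: the match holds if any value in the bag is equal.
    return value in request.get((category, attr_id), set())

def evaluate(target, request):
    """Evaluate the nested form directly: AND over items, OR inside a group."""
    for item in target:
        if isinstance(item, list):
            if not any(match(m, request) for m in item):
                return False
        elif not match(item, request):
            return False
    return True

def flatten(target):
    """Expand to OR-of-ANDs: one clause per choice of one Match from each group."""
    groups = [item if isinstance(item, list) else [item] for item in target]
    return [list(clause) for clause in product(*groups)]

def evaluate_flat(clauses, request):
    return any(all(match(m, request) for m in clause) for clause in clauses)

# Constructed target modelled on the sketch in the message.
TARGET = [
    [("access-subject", "subject-id", "Alice"),
     ("intermediate-subject", "subject-id", "proxy1")],
    ("resource", "resource-id", "doc1"),
    ("action", "action-id", "read"),
]

def req(subject_category, subject, action):
    # Constructed request: one subject attribute, fixed resource, given action.
    return {(subject_category, "subject-id"): {subject},
            ("resource", "resource-id"): {"doc1"},
            ("action", "action-id"): {action}}

REQUESTS = [req("access-subject", "Alice", "read"),
            req("intermediate-subject", "proxy1", "read"),
            req("access-subject", "Bob", "read"),
            req("access-subject", "Alice", "write")]

if __name__ == "__main__":
    for r in REQUESTS:
        print(evaluate(TARGET, r), evaluate_flat(flatten(TARGET), r))
```

The number of flattened clauses is the product of the <MatchOr> group sizes, so the expansion stays small only while groups are few and short.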
