MultipleCondition

[Erik Rissanen <mirty@sics.se>]

All,

I promised during the call to send the old MultipleCondition element
specification to the list so it could serve as inspiration for
supporting multiple subjects with identical categories. Here it is as it
was in the delegation draft before I removed it:

<MultipleCondition> element

The <MultipleCondition> element SHALL condition all
<xacml-context:Attributes> elements of a given category by matching
attribute values in all of the <xacml-context:Attributes> elements with
an embedded attribute value.
The <MultipleCondition> MAY be passed to the <Apply> element as an
argument or appear in the <Condition> element.

<xs:element name="MultipleCondition" type="xacml:MultipleConditionType"
substitutionGroup="xacml:Expression"/>
<xs:complexType name="MultipleConditionType">
<xs:complexContent>
<xs:extension base="xacml:ExpressionType">
<xs:sequence>
<xs:element ref="xacml:AttributeValue"/>
</xs:sequence>
<xs:attribute name="FunctionId" type="xs:anyURI" use="required"/>
<xs:attribute name="Category" type="xs:anyURI" use="required"/>
<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
<xs:attribute name="Issuer" type="xs:string" use="optional"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>

The <MultipleCondition> element is of MultipleConditionType complex type.

The <MultipleCondition> element contains the following attributes and
elements:

FunctionId [Required]
Specifies a matching function. The value of this attribute MUST be of
type xs:anyURI, with legal values as defined in Section 7.5 of the XACML
core specification.

Category [Required]
This attribute SHALL specify the attribute category of the
<xacml-context:Attributes> elements with which to match the embedded
attribute value.

AttributeId [Required]
This attribute SHALL specify the AttributeId of the attributes with
which to match the embedded attribute value.

DataType [Required]
The embedded attribute value SHALL be matched against attributes of this
type.

Issuer [Optional]
This attribute, if supplied, SHALL specify the Issuer of attributes with
which to match the embedded attribute value.

<AttributeValue> [Required]
Embedded attribute value.


---8<---

<MultipleCondition> element evaluation

This element represents a boolean conjunctive condition on all
<Attributes> elements with a given Category.

If there are no <Attributes> elements with Category equal to the
Category of the <MultipleCondition> element in the request context, the
<MultipleCondition> expression evaluates to “True”.

For each <Attributes> element with an equal Category, the AttributeId,
DataType and Issuer attributes are used to retrieve a bag of attributes
from the <Attributes> element. An attribute from the <Attributes>
element is included in the bag iff the AttributeId of the
<MultipleCondition> is uri-equal with the AttributeId of the <Attribute>
element from the <Attributes> element, the DataType of the
<MultipleCondition> is uri-equal with the DataType of the <Attribute>
from the <Attributes> element, and, if the Issuer is present in the
<MultipleCondition>, the Issuer of the <MultipleCondition> is uri-equal
to the Issuer of the <Attribute> from the <Attributes> element.

If any of the retrieved attribute bags is empty, the <MultipleCondition>
expression evaluates to “False”.

For each retrieved attribute bag, the function indicated by the
FunctionId of the <MultipleCondition> is applied to the embedded
attribute and each attribute of the bag in turn.

If there is at least one bag with no attribute which evaluates the
function to “True”, the <MultipleCondition> evaluates to “False”. If all
bags contain at least one attribute which evaluates the function to
“True”, the <MultipleCondition> evaluates to “True”.


Regards,
Erik