OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] Clarification of text in 3.0

OK, many thanks

 

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Thursday, April 07, 2011 11:45 AM
To: Anthony Nadalin
Cc: xacml
Subject: Re: [xacml] Clarification of text in 3.0

 

Hi Anthony,

You're reading it at the wrong level.

A target can contain any number of Any Of elements. But the behavior of the target as to whether it matches is that all its direct children i.e. all the Any Of be a 'Match'.

What you described is the behavior inside the Any Of.

Example:

Target
   AnyOf1
   AnyOf2
   AnyOf3
      AllOf1
      AllOf2
         a
         b

This target will match if and only if AnyOf1 AND AnyOf2 AND AnyOf3 match.
AnyOf3 will match if and only if EITHER AllOf1 or AllOf2 match.
AllOf2 will match if and only if a AND b match.

Cheers,
David.

On Thu, Apr 7, 2011 at 7:15 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:

Section 7.7 says

An empty target matches any request. Otherwise the target value SHALL be "Match" if all the AnyOf
specified in the target match values in the request context.  Otherwise, if any one of the AnyOf specified
in the target is "No Match", then the target SHALL be "No Match".

But the example in section 4.2.4.4 says

The <AnyOf> element contains two <AllOf> elements, each of which contains one <Match>
element.  The target matches if the action identified in the request context matches either of the action
match criteria.

The example corresponds to the common-sense meaning of "AnyOf" while the text in 7.7 does not.  Should 7.7 read this way instead?

An empty target matches any request. Otherwise the target value SHALL be "Match" if any of the AnyOf
specified in the target match values in the request context.  Otherwise, if all of the AnyOf specified
in the target is "No Match", then the target SHALL be "No Match".


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php




--
David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]