I would say that if you are not supporting multiple decisions, then it's an error. It might be the case that it's not explicitly mentioned in the spec. We should add this to an errata item or an implementer guide.
On 2013-03-04 01:00, rich levinson wrote:
The "issue" here is that it does not appear to me that it specifies
anywhere that a single PDP authorization decision is based on
a set of <Attributes> element each with a different Category and
that there can be at most one <Attributes> element of a specific
Category involved in a single decision.
I have been working under the assumption that this is true for
quite a while now, but recently I have tried to find the supporting
documentation to unambiguously validate that claim, and I have
been unable to do so, leaving me with the conclusion that either
the claim is wrong and that more than one <Attributes> element
of the same Category can be involved in a single decision (which
I believe to be false), or that the documentation should be improved
somewhere to emphasis this fundamental point.
The description in the 3.0 spec says:
"<Attributes> [One to Many]
Specifies information about attributes of the request context by
listing a sequence of <Attribute> elements associated with an
One or more <Attributes> elements are allowed.
Different <Attributes> elements with different categories are used
to represent information about the subject, resource, action,
environment or other categories of the access request."
While the text above might lead one to believe that one might
want to consider only including one <Attributes> element
per Category, it says nothing definitive one way or the other.
I am well aware that the multi-decision profile uses multiple
<Attributes> elements of the same Category as the basis for
generating a cross-product to generate "Individual Decision
Requests", where in section 2.3.3 it states:
"For each combination of repeated <Attributes> elements,
one Individual Decision Request SHALL be created.
This Individual Request SHALL be identical to the original
request context with one exception:
only one <Attributes> element
of each repeated category
SHALL be present."
Again, this text is useful wrt providing the ContextHandler w the
info it needs to generate multiple decision requests, however,
it does not imply that this is a requirement from the PDP side.
For example, what would happen if someone submitted a
Request with two <Attributes> elements, each for a different
Target resource, but both with the same Category, namely:
Would this be a request for which the user was asking for access
to both resources at the same time? Or would this be an error
if the multi-profile was not supported?
I don't believe questions like this can be answered w the info in
the specs as they currently exist. (unless, of course, I have missed
something, which is entirely possible :) )