Subject: Re: [xacml] subject attribute designator
On Thu, 8 Aug 2002, Simon Godik wrote:
> Polar,
> Currently <SubjectMatch> element allows matching 1 attribute
> designator to 1 attribute value. A sequence of subject-matches is
> interpreted as 'and' between individual matches. In the target we have
> another element <Subject> that wraps a sequence of subject-matches. A
> sequence of <Subject> elements in the target is interpreted as 'or'.
The <Subject> thing in the Target is the source of the confusion.
It's saying that all criteria must match the same subject, where the
SubjectAttributeDesignator does just that. Therefore there are two ways. I
think the <Subjects> should just be a sequence of <SubjectMatch> citing
that they are OR'ed.
However, the sequence of SubjectMatches that a SubjectAttributeDesignator
contains would be OR'ed, and SubjectMatches contained in further
nested SubjectAttributeDesignators are ANDed. This approach gives you a
consistent disjunctive normal form (i.e. (a & b) | (c & d) | ... etc.).
So, no matter where a sequence of <SubjectMatch> occurs, they are OR'ed.
The recursive SubjectAttributeDesignator will be AND.
That way the SubjectAttributeDesignator and its application is consistent
within the target and within the condition.
-Polar
> So recursive example you give is semantically the same as my example.
>
> I'm beginning to think that this piece is a little bit overengineered.
>
> What if we define a <MatchType> that matches 1 attribute designator to 1
> attribute value. (I think we had this before f2f)
> Elements of <MatchType> are always enclosed in <Subject>, <Resource>, or
> <Action> elements. So matches within <Subject> are subject attribute
> matches, matches within resource are resource attribute matches, etc.
>
> In the target we drop <Subjects> element and leave a sequence of <Subject>
> elements that in turn contain a sequence of matches. (Same for <Resources>
> and <Actions>)
>
> Sequence of <Subject> elements in the target is interpreted as 'or'.
> Sequence of subject matches within individual <Subject> element is
> interpreted as 'and'. (Same for <Resource> seq and <Action> seq).
>
> SubjectAttributeDesignator will contain optional sequence of subject matches
> interpreted as 'and' between individual matches.
>
> Example:
> <Target> <-- note <Subjects> element gone.
> <Subject>
> <SubjectMatch MatchId="string-equal"> <-- match 1 attr to 1 value
> <AttributeDesignator AttributeId="attrA"/>
> <AttributeValue>a1</AttributeValue>
> </SubjectMatch>
> <SubjectMatch MatchId="string-equal"> <-- match 1 attr to 1 value
> <AttributeDesignator AttributeId="AttrB"/>
> <AttributeValue>b1</AttributeValue>
> </SubjectMatch>
> <SubjectMatch MatchId="string-equal"> <-- match 1 attr to 1 value
> <AttributeDesignator AttributeId="AttrC"/>
> <AttributeValue>c1</AttributeValue>
> </SubjectMatch>
> </Subject>
> <Subject> <-- another subject, 'or' between <Subject> elements.
> </Subject>
> ....
> </Target>
>
> <SubjectAttributeDesignator AttributeId="AttrA">
> <SubjectMatch MatchId="string-equal"> <-- 'and' between individual
> subject-matches.
> <AttributeDesignator AttributeId="AttrB"/>
> <AttributeValue>b1</AttributeValue>
> </SubjectMatch>
> <SubjectMatch MatchId="string-equal">
> <AttributeDesignator AttributeId="AttrC"/>
> <AttributeValue>c1</AttributeValue>
> </SubjectMatch>
> </SubjectAttributeDesignator>
>
> Simon
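As an added illustration (not part of the thread, and not code from either author), the following Python evaluates a target written in the structure Simon proposes above: `<Subject>` elements are ORed, the `<SubjectMatch>` elements inside one `<Subject>` are ANDed, and, following Polar's point that all criteria must match the same subject, each `<Subject>` element is tested against each request subject separately. The element names, the `string-equal` MatchId and the request representation (a list of attribute bags, one per request subject) are assumptions made for the example; this is the proposal in the quoted mail, not the XACML 1.0 schema as finally standardised. A second, deliberately wrong evaluator pools the attributes of all request subjects into one bag, which lets an ANDed `<Subject>` be satisfied by attributes drawn from different principals; the comparison shows why the "same subject" constraint matters when a request carries more than one subject.

```python
import xml.etree.ElementTree as ET

# Constructed target in the structure proposed in the quoted mail:
# <Target> holds <Subject> elements (ORed), each holding <SubjectMatch>
# elements (ANDed), each matching one designator against one value.
PROPOSED_TARGET = """
<Target>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="attrA"/>
      <AttributeValue>a1</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrB"/>
      <AttributeValue>b1</AttributeValue>
    </SubjectMatch>
  </Subject>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrC"/>
      <AttributeValue>c1</AttributeValue>
    </SubjectMatch>
  </Subject>
</Target>
"""

# Assumed MatchId semantics: the match holds if any value in the designated
# attribute bag equals the literal <AttributeValue>.
MATCH_FUNCTIONS = {
    "string-equal": lambda designated, literal: literal in designated,
}


def subject_match_holds(match, subject_attrs):
    """One <SubjectMatch>: 1 attribute designator against 1 attribute value.

    subject_attrs is one request subject's attribute bag: {AttributeId: [values]}.
    A designator naming an attribute the subject lacks yields an empty bag,
    so the match simply fails rather than raising.
    """
    match_id = match.get("MatchId")
    attr_id = match.find("AttributeDesignator").get("AttributeId")
    literal = match.find("AttributeValue").text
    designated = subject_attrs.get(attr_id, [])
    return MATCH_FUNCTIONS[match_id](designated, literal)


def subject_element_holds(subject_el, subject_attrs):
    """Matches inside one <Subject> are ANDed and are all evaluated against the
    same request subject. Note: an empty <Subject> element is vacuously true."""
    return all(subject_match_holds(m, subject_attrs)
               for m in subject_el.findall("SubjectMatch"))


def target_matches(target_xml, request_subjects):
    """<Subject> elements are ORed. Each one is tested against each request
    subject on its own, so a request with several subjects matches only if
    some single subject satisfies every match of some <Subject> element."""
    target = ET.fromstring(target_xml)
    return any(subject_element_holds(subj_el, attrs)
               for subj_el in target.findall("Subject")
               for attrs in request_subjects)


def target_matches_pooled(target_xml, request_subjects):
    """Deliberately incorrect variant for comparison: merges the attribute
    bags of all request subjects into one, so the ANDed matches of a
    <Subject> can be satisfied by attributes of different principals."""
    pooled = {}
    for attrs in request_subjects:
        for attr_id, values in attrs.items():
            pooled.setdefault(attr_id, []).extend(values)
    return target_matches(target_xml, [pooled])


if __name__ == "__main__":
    # Constructed requests: one subject carrying both attributes, versus two
    # subjects each carrying one of them.
    one_subject = [{"attrA": ["a1"], "AttrB": ["b1"]}]
    split_subjects = [{"attrA": ["a1"]}, {"AttrB": ["b1"]}]
    print("single subject, same-subject rule :", target_matches(PROPOSED_TARGET, one_subject))
    print("split subjects, same-subject rule :", target_matches(PROPOSED_TARGET, split_subjects))
    print("split subjects, pooled (wrong)    :", target_matches_pooled(PROPOSED_TARGET, split_subjects))
```

Running the block prints True, False, True: the first `<Subject>` element is satisfied by a single subject holding both attrA=a1 and AttrB=b1, is correctly rejected when those attributes belong to two different request subjects, and is wrongly accepted by the pooled evaluator. The second `<Subject>` element (AttrC=c1) is reachable on its own through the OR, which is the disjunctive normal form Polar describes.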