OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] subject attribute designator

    Posted 08-08-2002 11:49



    Subject: [xacml] subject attribute designator


    Michiharu, currently subject-attribute-designator includes an optional sequence of <SubjectMatch> as a sub-element.
    (There is a typo in a schema in that it allows just one subject match, should be 0...unbounded).
    This maps to 'where' semantics: select attribute value for the subject-attribute attrA from request context such that
    the value of another attribute attrB for the same subject is valueB.
     
    <SubjectAttributeDesignator AttributeId="attrA"> <!-- select this attribute -->
        <SubjectMatch> <!-- where -->
            <SubjectAttributeDesignator AttributeId="attrB"/>
            <AttributeValue>valueB</AttributeValue>
        </SubjectMatch>
    </SubjectAttributeDesignator>
     
    <SubjectAttributeDesignator> includes <SubjectMatch> and <SubjectMatch> includes <SubjectAttributeDesignator>.
    It seems to me that this recursion is an issue here. Ann is using this recursion in her example (2).
     
    Here is Ann's example (2) without recursion:
    Select one attribute value from a subject based on a subject having another attribute with a specified value.
    Request has 2 subjects that match this query.
     
    Request context:
    <Subject>
        <Attribute AttributeId="SubjectCategory">
            <AttributeValue>access-subject</AttributeValue>
        </Attribute>
        <Attribute AttributeId="subject-identifier">
            <AttributeValue>alice</AttributeValue>
        </Attribute>
        <Attribute AttributeId="attrA">
            <AttributeValue>a1</AttributeValue> <!-- same as another subject -->
        </Attribute>
        <Attribute AttributeId="attrB">
            <AttributeValue>b1</AttributeValue>
        </Attribute>
    </Subject>
    <Subject>
        <Attribute AttributeId="SubjectCategory">
            <AttributeValue>access-subject</AttributeValue>
        </Attribute>
        <Attribute AttributeId="subject-identifier">
            <AttributeValue>alice@acme.com</AttributeValue>
        </Attribute>
        <Attribute AttributeId="attrA">
            <AttributeValue>a1</AttributeValue> <!-- same as another subject -->
        </Attribute>
        <Attribute AttributeId="attrB">
            <AttributeValue>b2</AttributeValue>
        </Attribute>
    </Subject>
     
    Attribute selection: select attribute attrB of the access-subject with attribute attrA equal to a1.
     
    <SubjectAttributeDesignator AttributeId="attrB">
        <SubjectMatch MatchId="string-equal">
            <SubjectAttributeDesignator AttributeId="SubjectCategory"/>
            <AttributeValue>access-subject</AttributeValue>
        </SubjectMatch>
        <SubjectMatch MatchId="string-equal">
            <SubjectAttributeDesignator AttributeId="attrA"/>
            <AttributeValue>a1</AttributeValue>
        </SubjectMatch>
    </SubjectAttributeDesignator>
     
    This designator will match both subjects.
     
    Does it make sense? Should we remove recursion in subject-attribute-designator, so that
    subject-match does not refer to subject-attribute-designator again?
     
    Simon
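
As an added example (not part of Simon's mail or of the XACML schema), a small Python evaluator for the 'where' semantics described above: it applies every SubjectMatch clause of a designator to each <Subject> in a constructed request context and returns the bag of designated attribute values. It assumes the simplified attribute ids used in the mail, spells the category attribute SubjectCategory in both the request and the designator, treats string-equal as plain string equality, and adds a third, non-matching subject so the clauses have something to filter out.

```python
import xml.etree.ElementTree as ET

# Constructed request context: the two subjects from the mail plus a third
# whose attrA differs, so the 'where' clauses have something to exclude.
SUBJECTS = [
    {"SubjectCategory": "access-subject", "subject-identifier": "alice", "attrA": "a1", "attrB": "b1"},
    {"SubjectCategory": "access-subject", "subject-identifier": "alice@acme.com", "attrA": "a1", "attrB": "b2"},
    {"SubjectCategory": "access-subject", "subject-identifier": "bob", "attrA": "a2", "attrB": "b3"},
]
REQUEST = "<Request>" + "".join(
    "<Subject>" + "".join(f'<Attribute AttributeId="{k}"><AttributeValue>{v}</AttributeValue></Attribute>'
                          for k, v in s.items()) + "</Subject>" for s in SUBJECTS) + "</Request>"

# The designator from Ann's example (2); SubjectCategory spelled as in the request context.
DESIGNATOR = """<SubjectAttributeDesignator AttributeId="attrB">
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="SubjectCategory"/>
    <AttributeValue>access-subject</AttributeValue>
  </SubjectMatch>
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="attrA"/>
    <AttributeValue>a1</AttributeValue>
  </SubjectMatch>
</SubjectAttributeDesignator>"""

MATCH_FUNCTIONS = {"string-equal": lambda have, want: have == want}  # one entry per supported MatchId

def attribute_values(subject, attr_id):
    """Bag of <AttributeValue> texts for attr_id within one <Subject> (may be empty)."""
    return [v.text or "" for a in subject.findall("Attribute")
            if a.get("AttributeId") == attr_id for v in a.findall("AttributeValue")]

def subject_matches(subject, match):
    """A SubjectMatch holds if any value of its inner designator satisfies MatchId."""
    match_fn = MATCH_FUNCTIONS[match.get("MatchId")]
    inner_id = match.find("SubjectAttributeDesignator").get("AttributeId")
    wanted = match.find("AttributeValue").text
    return any(match_fn(v, wanted) for v in attribute_values(subject, inner_id))

def select(designator_xml, request_xml):
    """'where' semantics: return the designated attribute's values taken from every
    <Subject> for which all SubjectMatch clauses hold (no clauses: every subject)."""
    designator, request = ET.fromstring(designator_xml), ET.fromstring(request_xml)
    clauses = designator.findall("SubjectMatch")
    return [v for subject in request.findall("Subject")
            if all(subject_matches(subject, m) for m in clauses)
            for v in attribute_values(subject, designator.get("AttributeId"))]

print(select(DESIGNATOR, REQUEST))  # ['b1', 'b2']: both of the mail's subjects match, bob does not
```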
     

