Michiharu, currently subject-attribute-designator
includes optional sequence of <SubjectMatch> as sub-element.
(There is a typo in a schema in that it allows just
one subject match, should be 0...unbounded).
This maps to 'where' semantics: select attribute
value for the subject-attribute attrA from request context such
that
the value of another attribute attrB for the same
subject is valueB.
<SubjectAttributeDesignator AttriId="attrA">
<-- select this attribute
<SubjectMatch> <--
where
<SubjectAttributeDesignator AttrId="B"/>
<AttributeValue>valueB</AttributeValue>
</SubjectMatch> </SubjectAttributeDesignator>
<SubjectAttributeDesignator> includes
<SubjectMatch> and <SubjectMatch> includes
<SubjectAttributeDesignator>.
It seems to me that this recursion is an issue
here. Ann is using this recursion in her example (2).
Here is Ann's example (2) without
recursion:
Select one attribute value from a subject based on
a subject having another attribute with a specified value.
Request has 2 subjects that match this
query.
Request context:
<Subject>
<Attribute
AttributeId="SubjectCategory">
<AttributeValue>access-subject</AttributeValue>
</Attribute>
<Attribute
AttributeId="subject-identifier">
<AttributeValue>alice</AttributeValue>
</Attribute>
<Attribute
AttributeId="attrA">
<AttributeValue>a1</AttributeValue> <-- same as another
subject
</Attribute>
<Attribute
AttributeId="attrB">
<AttributeValue>b1</AttributeValue>
</Attribute>
</Subject>
<Subject>
<Attribute
AttributeId="SubjectCategory">
<AttributeValue>access-subject</AttributeValue>
</Attribute>
<Attribute
AttributeId="subject-identifier">
</Attribute>
<Attribute
AttributeId="attrA">
<AttributeValue>a1</AttributeValue> <-- same as another
subject
</Attribute>
<Attribute
AttributeId="attrB">
<AttributeValue>b2</AttributeValue>
</Attribute>
</Subject>
Attribute selection: select attribute attrB of
the access-subject with attribute attrA equal to a1.
<SubjectAttributeDesignator
AttributeId="attrB">
<SubjectMatch
MatchId="string-equal">
<SubjectAttributeDesignator AttributeId="subject-category"/>
<AttributeValue>access-subject</AttributeValue>
</SubjectMatch>
<SubjectMatch
MatchId="string-equal">
<SubjectAttributeDesignator AttributeId="attrA"/>
<AttributeValue>a1</AttributeValue>
</SubjectMatch>
</SubjectAttributeDesignator>
This designator will match both
subjects.
Does it make sense? Should we remove recursion in
subject-attribute-designator, so that
subject-match does not refer to
subject-attribute-designator again?
Simon
|