MHonArc v2.5.2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [Elist Home]
Subject: Re: [xacml] change request: subject-attribute-designator and subjectcategory
I thought the purpose of the SubjectAttributeDesignatorWhere was to get
all matches from the same subject, of which subject-category was one of
the attributes you match on.
I think we worked this out quite well, and cuts down on the machinery
needed to just select mere attributes from a subject.
Cheers,
-Polar
On Thu, 26 Sep 2002, Simon Godik wrote:
> xacml request context supports multiple <xacml-context:Subject> elements.
> Each <xacml-context:Subject> element is tagged with the subject-category, such as:
> access-subject, codesource, etc. Subject category name is unique, ie there is no
> two <xacml-context:Subject> elements in the request context with the same value of subject-category
> attribute.
>
> <xacml:Subject> element in the policy allows us to specify multiple subject matches at the same time:
> sm1 'and' sm2 'and' sm3 etc. Syntactically, context subject attribute is selected with
> <xacml:SubjectAttributeDesignator> element that names attribute-id and issuer.
>
> Very often all subject attributes must be selected from the same subject block.
>
> Proposal: Extend <xacml:SubjectAttributeDesignator> with optional SubjectCategory attribute:
> <xs:complexType name="SubjectAttributeDesignatorType">
> <xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
> <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
> <xs:attribute name="SubjectCategory" type="xs:string" use="optional"/> <-- new attribute
> </xs:complexType>
>
> Simon
>
>
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [Elist Home]
Powered by eList eXpress LLC