OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Fwd: AttributeDesignator examples

    Posted 08-01-2002 00:52
    Attached are some examples of using [Subject]AttributeDesignator and Target with the new schema syntax. Simon and I came up with these after the F2F today, so we were both pretty wiped out and they may not cover the really interesting cases. Please send comments if more cases needed.

    P.S. syntax is not precise, but is conceptually same as schema 16d. 16d does not yet include the multiple <SubjectMatch> elements that are ANDed together. Multiple <Subject> elements are ORed together.

    Anne Anderson
    Anne.Anderson@Sun.COM
    Internet Security Research Group, Sun Labs
    Sun Microsystems, Inc., Burlington, MA

    ---  Begin Message  ---
    From : Anne Anderson <aha@ieee.org>
    To : Anne.Anderson@sun.com
    Date : Wed, 31 Jul 2002 20:43:50 -0400

    1. AttributeID=B for AccessSubject that has AttributeID=A with value C.

    Request has:

        <Subject Category="AccessSubject">
          <Attribute AttributeID="B">
            <AttributeValue>D</AttributeValue>
          </Attribute>
          <Attribute AttributeID="A">
            <AttributeValue>C</AttributeValue>
          </Attribute>
        </Subject>

    A SubjectAttributeDesignator that does 1. is:

        <SubjectAttributeDesignator AttributeId="B" Category="AccessSubject">
          <SubjectMatch MatchId="string-equals">
            <SubjectAttributeDesignator AttributeID="A"/>
            <AttributeValue DataType="xs:string">C</AttributeValue>
          </SubjectMatch>
        </SubjectAttributeDesignator>

    A Target that does 1. is:

        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="A"/>
                <AttributeValue DataType="xs:string">C</AttributeValue>
              </SubjectMatch>
            </Subject>
          </Subjects>
        </Target>

    2. AttributeID=B for AccessSubject that has AttributeID=A with value C against a Context that has two <Subject> elements with Category="AccessSubject" and both have AttributeID="B" and AttributeID="A" with value C. (they have different SubjectId attributes).

    Context has:

        <Subject Category="AccessSubject">
          <Attribute AttributeId="SubjectIdentifier">
            <AttributeValue>Anne.Anderson@Sun.COM</AttributeValue>
          </Attribute>
          <Attribute AttributeID="B">
            <AttributeValue>D</AttributeValue>
          </Attribute>
          <Attribute AttributeID="A">
            <AttributeValue>C</AttributeValue>
          </Attribute>
        </Subject>
        <Subject Category="AccessSubject">
          <Attribute AttributeId="SubjectIdentifier">
            <AttributeValue>Anne</AttributeValue>
          </Attribute>
          <Attribute AttributeID="B">
            <AttributeValue>D</AttributeValue>
          </Attribute>
          <Attribute AttributeID="A">
            <AttributeValue>C</AttributeValue>
          </Attribute>
        </Subject>

        <SubjectAttributeDesignator AttributeId="B" Category="AccessSubject">
          <SubjectMatch MatchId="string-equals">
            <SubjectAttributeDesignator AttributeID="A"/>
            <AttributeValue DataType="xs:string">C</AttributeValue>
          </SubjectMatch>
        </SubjectAttributeDesignator>

    returns sequence of two Attribute with AttributeId="B"

        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="A"/>
                <AttributeValue DataType="xs:string">C</AttributeValue>
              </SubjectMatch>
            </Subject>
          </Subjects>
        </Target>

    matches both Subjects

    3. Want to have Target that matches either Context <Subjects> that has AttributeID=B with value C OR Context <Subjects> that have AttributeId="D" with value "E".

        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="B"/>
                <AttributeValue DataType="xs:string">C</AttributeValue>
              </SubjectMatch>
            </Subject>
            <Subject>
              <SubjectMatch MatchId="string-equals">
                <SubjectAttributeDesignator AttributeID="D"/>
                <AttributeValue DataType="xs:string">E</AttributeValue>
              </SubjectMatch>
            </Subject>
          </Subjects>
        </Target>

    Cases:

    1. Target combination of two subjects, each with a specific attribute
    2. Target combination of both of two attributes for a specific subject
    3. Target combination of either of two attributes for a specific subject

    ---  End Message  ---
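
The matching rules described in the message above (multiple <SubjectMatch> elements ANDed within one <Subject>, multiple <Subject> elements ORed, and a designator returning the selected attribute from every matching subject), as an added example that is not part of the original message or of any OASIS code. It is a simplified model that handles only string-equals; the function names are hypothetical, the context is constructed from example 2, and the attribute name is normalised to AttributeId.

```python
import xml.etree.ElementTree as ET

# Constructed context modelled on example 2 in the message; attribute name
# normalised to AttributeId (an assumption) so every lookup uses one spelling.
CONTEXT = """
<Context>
  <Subject Category="AccessSubject">
    <Attribute AttributeId="SubjectIdentifier"><AttributeValue>Anne.Anderson@Sun.COM</AttributeValue></Attribute>
    <Attribute AttributeId="B"><AttributeValue>D</AttributeValue></Attribute>
    <Attribute AttributeId="A"><AttributeValue>C</AttributeValue></Attribute>
  </Subject>
  <Subject Category="AccessSubject">
    <Attribute AttributeId="SubjectIdentifier"><AttributeValue>Anne</AttributeValue></Attribute>
    <Attribute AttributeId="B"><AttributeValue>D</AttributeValue></Attribute>
    <Attribute AttributeId="A"><AttributeValue>C</AttributeValue></Attribute>
  </Subject>
</Context>
"""

def load_subjects(xml_text):
    """Return one (category, {AttributeId: [values]}) pair per <Subject>."""
    subjects = []
    for subj in ET.fromstring(xml_text).iter("Subject"):
        attrs = {}
        for attr in subj.iter("Attribute"):
            values = [v.text for v in attr.iter("AttributeValue")]
            attrs.setdefault(attr.get("AttributeId"), []).extend(values)
        subjects.append((subj.get("Category"), attrs))
    return subjects

def subject_matches(attrs, matches):
    """Every string-equals (AttributeId, value) pair must hold on ONE subject (AND)."""
    return all(value in attrs.get(attr_id, []) for attr_id, value in matches)

def target_matches(subjects, target):
    """target is a list of <Subject> match lists; any one may be satisfied (OR)."""
    return any(subject_matches(attrs, m) for m in target for _, attrs in subjects)

def designate(subjects, attr_id, category, matches):
    """Bag of attr_id values from subjects of `category` that satisfy `matches`."""
    bag = []
    for cat, attrs in subjects:
        if cat == category and subject_matches(attrs, matches):
            bag.extend(attrs.get(attr_id, []))
    return bag

if __name__ == "__main__":
    subjects = load_subjects(CONTEXT)
    print(designate(subjects, "B", "AccessSubject", [("A", "C")]))
    print(target_matches(subjects, [[("B", "C")], [("D", "E")]]))
```

Against this context the Target from example 3 does not match, because neither subject carries B=C or D=E; a policy author relying on the OR should check each branch against a real request before assuming coverage.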