Subject: Re: [xacml] subject attribute designator
On Thu, 8 Aug 2002, Simon Godik wrote:
> <SubjectAttributeDesignator AttributeId="attrB">
>   <SubjectMatch MatchId="string-equal">
>     <SubjectAttributeDesignator AttributeId="subject-category"/>
>     <AttributeValue>access-subject</AttributeValue>
>   </SubjectMatch>
>   <SubjectMatch MatchId="string-equal">
>     <SubjectAttributeDesignator AttributeId="attrA"/>
>     <AttributeValue>a1</AttributeValue>
>   </SubjectMatch>
> </SubjectAttributeDesignator>
>
> This designator will match both subjects.
>
> Does it make sense? Should we remove recursion in subject-attribute-designator, so that
> subject-match does not refer to subject-attribute-designator again?

Aren't the <SubjectMatches> supposed to be OR'ed, and the recursive
"where" semantics are "AND"?

The above says to me give me the value of the attrB attribute from the
subject that matches an (string-equal subject-category of access-subject)
OR (string-equal attrA of a1).

Whereas:

<SubjectAttributeDesignator AttributeId="attrB">
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="subject-category">
      <SubjectMatch MatchId="string-equal">
        <SubjectAttributeDesignator AttributeId="attrA"/>
        <AttributeValue>a1</AttributeValue>
      </SubjectMatch>
    </SubjectAttributeDesignator>
    <AttributeValue>access-subject</AttributeValue>
  </SubjectMatch>
</SubjectAttributeDesignator>

means give me the value of the attrB attribute from THE subject that
matches an (string-equal subject-category of access-subject) AND
(string-equal attrA of a1).
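
Added example (not part of the original message, and not code from the XACML TC): a small Python model of the reading given in the reply above, where sibling SubjectMatch elements are OR'ed and a nested designator acts as an AND'ed "where" clause. The class names, the four subjects and the attrB values are constructed for illustration; the draft schema's actual semantics are not settled on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Designator:                  # models <SubjectAttributeDesignator>
    attribute_id: str
    matches: list = field(default_factory=list)   # sibling <SubjectMatch> children

@dataclass
class Match:                       # models <SubjectMatch MatchId="string-equal">
    designator: Designator
    value: str

def match_holds(m, subject):
    # Nested "where": the inner designator's own matches must select this
    # subject AND the named attribute must equal the literal value.
    return (selected(m.designator, subject)
            and subject.get(m.designator.attribute_id) == m.value)

def selected(d, subject):
    # Sibling SubjectMatch elements are OR'ed; no children means no restriction.
    return not d.matches or any(match_holds(m, subject) for m in d.matches)

def resolve(d, subjects):
    # Values of the designated attribute from every selected subject.
    return [s[d.attribute_id] for s in subjects
            if d.attribute_id in s and selected(d, s)]

# Constructed request context: four subjects, one per category/attrA combination.
SUBJECTS = [
    {"subject-category": "access-subject", "attrA": "a1", "attrB": "b1"},
    {"subject-category": "access-subject", "attrA": "a2", "attrB": "b2"},
    {"subject-category": "codebase",       "attrA": "a1", "attrB": "b3"},
    {"subject-category": "codebase",       "attrA": "a2", "attrB": "b4"},
]

# First form in the thread: two sibling SubjectMatch elements.
FLAT = Designator("attrB", [
    Match(Designator("subject-category"), "access-subject"),
    Match(Designator("attrA"), "a1"),
])

# Second form: the attrA match nested inside the subject-category designator.
NESTED = Designator("attrB", [
    Match(Designator("subject-category", [Match(Designator("attrA"), "a1")]),
          "access-subject"),
])

if __name__ == "__main__":
    print("flat  :", resolve(FLAT, SUBJECTS))
    print("nested:", resolve(NESTED, SUBJECTS))
```

Under this reading the flat form returns attrB from three of the four subjects, including a non-access subject, while the nested form returns it only from the one subject that satisfies both conditions.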