OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] subject attribute designator


    Posted 08-08-2002 14:23


    Subject: Re: [xacml] subject attribute designator


    On Thu, 8 Aug 2002, Simon Godik wrote:
    
    > <SubjectAttributeDesignator AttributeId="attrB">
    >     <SubjectMatch MatchId="string-equal">
    >         <SubjectAttributeDesignator AttributeId="subject-category"/>
    >         <AttributeValue>access-subject</AttributeValue>
    >     </SubjectMatch>
    >     <SubjectMatch MatchId="string-equal">
    >         <SubjectAttributeDesignator AttributeId="attrA"/>
    >         <AttributeValue>a1</AttributeValue>
    >     </SubjectMatch>
    > </SubjectAttributeDesignator>
    >
    > This designator will match both subjects.
    >
    > Does it make sense? Should we remove recursion in subject-attribute-designator, so that
    > subject-match does not refer to subject-attribute-designator again?
    
    Aren't the <SubjectMatches> supposed to be OR'ed, and the recursive
    "where" semantics are "AND"?
    
    The above says to me: give me the value of the attrB attribute from the
    subject that matches a (string-equal subject-category of access-subject)
    OR (string-equal attrA of a1).
    
    Whereas:
    
    <SubjectAttributeDesignator AttributeId="attrB">
        <SubjectMatch MatchId="string-equal">
            <SubjectAttributeDesignator AttributeId="subject-category">
                <SubjectMatch MatchId="string-equal">
                    <SubjectAttributeDesignator AttributeId="attrA"/>
                    <AttributeValue>a1</AttributeValue>
                </SubjectMatch>
            </SubjectAttributeDesignator>
            <AttributeValue>access-subject</AttributeValue>
        </SubjectMatch>
    </SubjectAttributeDesignator>
    
    means give me the value of the attrB attribute from THE subject that
    matches a (string-equal subject-category of access-subject) AND
    (string-equal attrA of a1).
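
Added example, not part of the original message or of the XACML specification: a small Python evaluator for the two designators above under the reading proposed in this reply (sibling SubjectMatch elements OR'ed, nesting AND'ed). The three subjects, the values a0, b1, b2, b3 and codebase, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FLAT = """<SubjectAttributeDesignator AttributeId="attrB">
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="subject-category"/>
    <AttributeValue>access-subject</AttributeValue>
  </SubjectMatch>
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="attrA"/>
    <AttributeValue>a1</AttributeValue>
  </SubjectMatch>
</SubjectAttributeDesignator>"""

NESTED = """<SubjectAttributeDesignator AttributeId="attrB">
  <SubjectMatch MatchId="string-equal">
    <SubjectAttributeDesignator AttributeId="subject-category">
      <SubjectMatch MatchId="string-equal">
        <SubjectAttributeDesignator AttributeId="attrA"/>
        <AttributeValue>a1</AttributeValue>
      </SubjectMatch>
    </SubjectAttributeDesignator>
    <AttributeValue>access-subject</AttributeValue>
  </SubjectMatch>
</SubjectAttributeDesignator>"""

# Constructed request context: attribute id -> list of values, one dict per subject.
SUBJECTS = [
    {"subject-category": ["access-subject"], "attrA": ["a0"], "attrB": ["b1"]},
    {"subject-category": ["codebase"], "attrA": ["a1"], "attrB": ["b2"]},
    {"subject-category": ["access-subject"], "attrA": ["a1"], "attrB": ["b3"]},
]

def values(designator, subject):
    matches = designator.findall("SubjectMatch")
    # Sibling SubjectMatch elements are OR'ed; a bare designator has no filter.
    if matches and not any(holds(m, subject) for m in matches):
        return []
    return subject.get(designator.get("AttributeId"), [])

def holds(match, subject):
    if match.get("MatchId") != "string-equal":  # only function used in the thread
        raise ValueError("unsupported MatchId")
    inner = match.find("SubjectAttributeDesignator")
    # Nesting gives AND: inner yields [] unless its own filter holds on this subject.
    return match.findtext("AttributeValue").strip() in values(inner, subject)

def select(policy_xml, subjects=SUBJECTS):
    root = ET.fromstring(policy_xml)  # inline constants only, not untrusted XML
    return [v for s in subjects for v in values(root, s)]
```

Under this reading, `select(FLAT)` returns attrB from all three subjects, while `select(NESTED)` returns it only from the subject that satisfies both conditions.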
    
    
    
    

