MHonArc v2.5.2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [Elist Home]
Subject: Re: [xacml] [schema] One two many OR levels in Target Subject?
Looking at Anne's structure here, I believe her structure has this
semantics:
1. at least one Subject has
AttrA == A AND AttrB == B and AttrC == C
and AttrE == E
2. OR at least one Subject has AttrD = D
This stems from the <Subject> construct, of which I believe means AND the
sequence of <SubjectMatch> on one particular subject. Is that the correct
semantics of <Subject> within the <Subjects> construct?
If I "convert" each one of Anne's subject matches to Horn Clauses (i.e.
Prolog), we get the following, meaning that the predicate "has" can figure
out whether a particular subject has a particular attribute.
SubjectMatch1(S) :- has(S,"AttrA","A"),has(S,"AttrB","B"),has(S,"AttrC","C").
SubjectMatch2(S) :- has(S,"AttrE","E").
SubjectMatch3(S) :- has(S,"AttrD","D").
Then comes the semantics of the two <Subject> constructs that Ann creates,
of which I believe is the AND of the particular <SubjectMatch> constructs.
I label predicates Subject1 and Subject2.
Subject1(S) :- SubjectMatch1(S), SubjectMatch2(S).
Subject2(S) :- SubjectMatch3(S).
The algorithm for the <Subjects> match is to see if the Subject1 OR the
Subject2 predicate applies to the sequence of Subjects, the sequence in
prolog is denoted by [head|rest].
Subjects([S|Ss]) :- Subject1(S).
Subjects([S|Ss]) :- Subject2(S).
Subjects([_|Ss]) :- Subjects(Ss).
Is this the semantics to which we agreed?
-Polar
On Fri, 2 Aug 2002, Anne Anderson wrote:
> I think we MAY have defined one too many levels of OR in our
> Target Subject syntax.
>
> I believe the following example matches any Request in which
> 1. at least one Subject has
> AttrA == A AND AttrB == B and AttrC == C
> 2. OR at least one Subject has
> AttrE == E
> 3. OR at least one Subject has
> AttrD == D
>
> But 1. and 2. are not at the same level as 3.
>
> <Target>
> <Subjects>
> <Subject>
> <SubjectMatch MatchId="string-match">
> <SubjectAttributeDesignator AttributeId="AttrA"
> DataType="xs:string">
> <SubjectMatch MatchId="string-match">
> <SubjectAttributeDesignator
> AttributeId="AttrB"
> DataType="xs:string">
> <SubjectMatch MatchId="string-match">
> <SubjectAttributeDesignator
> AttributeId="AttrC"
> DataType="xs:string">
> <AttributeValue
> DataType="xs:string">
> valueC
> </AttributeValue>
> </SubjectAttributeDesignator>
> </SubjectMatch>
> <AttributeValue DataType="xs:string">
> valueB
> </AttributeValue>
> </SubjectAttributeDesignator>
> </SubjectMatch>
> <AttributeValue DataType="xs:string">
> valueA
> </AttributeValue>
> </SubjectAttributeDesignator>
> </SubjectMatch>
> <SubjectMatch MatchId="string-match">
> <SubjectAttributeDesignator AttributeId="AttrE"
> DataType="xs:string">
> <AttributeValue DataType="xs:string">
> valueE
> </AttributeValue>
> </SubjectAttributeDesignator>
> </SubjectMatch>
> </Subject>
> <Subject>
> <SubjectMatch MatchId="string-match">
> <SubjectAttributeDesignator AttributeId="AttrD"
> DataType="xs:string">
> <AttributeValue DataType="xs:string">
> valueD
> </AttributeValue>
> </SubjectAttributeDesignator>
> </SubjectMatch>
> </Subject>
> </Subjects>
> <Resources>
> <AnyResource/>
> </Resources>
> <Actions>
> <AnyAction/>
> </Actions>
> </Target>
>
> --
> Anne H. Anderson Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311 Tel: 781/442-0928
> Burlington, MA 01803-0902 USA Fax: 781/442-1692
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [Elist Home]
Powered by eList eXpress LLC