OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] [schema] One two many OR levels in Target Subject?

  • 1.  Re: [xacml] [schema] One two many OR levels in Target Subject?

    Posted 08-05-2002 11:17
    
    Looking at Anne's structure here, I believe her structure has this
    semantics:
    
    1. at least one Subject has
       AttrA == A AND AttrB == B and AttrC == C
       and AttrE == E
    2. OR at least one Subject has AttrD = D
    
    This stems from the <Subject> construct, which I believe means AND the
    sequence of <SubjectMatch> on one particular subject. Is that the correct
    semantics of <Subject> within the <Subjects> construct?
    
    If I "convert" each one of Anne's subject matches to Horn Clauses (i.e.
    Prolog), we get the following, meaning that the predicate "has" can figure
    out whether a particular subject has a particular attribute.
    
    % Predicate names are in lower case: Prolog reads a capitalised name as a variable.
    subjectMatch1(S) :- has(S,"AttrA","A"), has(S,"AttrB","B"), has(S,"AttrC","C").
    subjectMatch2(S) :- has(S,"AttrE","E").
    subjectMatch3(S) :- has(S,"AttrD","D").
    
    Then comes the semantics of the two <Subject> constructs that Anne creates,
    which I believe is the AND of the particular <SubjectMatch> constructs.
    I label predicates Subject1 and Subject2.
    
    subject1(S) :- subjectMatch1(S), subjectMatch2(S).
    subject2(S) :- subjectMatch3(S).
    
    The algorithm for the <Subjects> match is to see if the Subject1 OR the
    Subject2 predicate applies to the sequence of Subjects; the sequence in
    Prolog is denoted by [head|rest].
    
    subjects([S|_]) :- subject1(S).
    subjects([S|_]) :- subject2(S).
    subjects([_|Ss]) :- subjects(Ss).
    
    Is this the semantics to which we agreed?
    
    -Polar
    
    
    
    On Fri, 2 Aug 2002, Anne Anderson wrote:
    
    > I think we MAY have defined one too many levels of OR in our
    > Target Subject syntax.
    >
    > I believe the following example matches any Request in which
    > 1. at least one Subject has
    >    AttrA == A AND AttrB == B and AttrC == C
    > 2. OR at least one Subject has
    >    AttrE == E
    > 3. OR at least one Subject has
    >    AttrD == D
    >
    > But 1. and 2. are not at the same level as 3.
    >
    > <Target>
    >     <Subjects>
    >         <Subject>
    >             <SubjectMatch MatchId="string-match">
    >                 <SubjectAttributeDesignator AttributeId="AttrA"
    >                                             DataType="xs:string">
    >                     <SubjectMatch MatchId="string-match">
    >                         <SubjectAttributeDesignator
    >                                             AttributeId="AttrB"
    >                                             DataType="xs:string">
    >                             <SubjectMatch MatchId="string-match">
    >                                 <SubjectAttributeDesignator
    >                                             AttributeId="AttrC"
    >                                             DataType="xs:string">
    >                                     <AttributeValue
    >                                             DataType="xs:string">
    >                                         valueC
    >                                     </AttributeValue>
    >                                 </SubjectAttributeDesignator>
    >                             </SubjectMatch>
    >                             <AttributeValue DataType="xs:string">
    >                                 valueB
    >                             </AttributeValue>
    >                         </SubjectAttributeDesignator>
    >                     </SubjectMatch>
    >                     <AttributeValue DataType="xs:string">
    >                         valueA
    >                     </AttributeValue>
    >                 </SubjectAttributeDesignator>
    >             </SubjectMatch>
    >             <SubjectMatch MatchId="string-match">
    >                 <SubjectAttributeDesignator AttributeId="AttrE"
    >                                             DataType="xs:string">
    >                     <AttributeValue DataType="xs:string">
    >                         valueE
    >                     </AttributeValue>
    >                 </SubjectAttributeDesignator>
    >             </SubjectMatch>
    >         </Subject>
    >         <Subject>
    >             <SubjectMatch MatchId="string-match">
    >                 <SubjectAttributeDesignator AttributeId="AttrD"
    >                                             DataType="xs:string">
    >                     <AttributeValue DataType="xs:string">
    >                         valueD
    >                     </AttributeValue>
    >                 </SubjectAttributeDesignator>
    >             </SubjectMatch>
    >         </Subject>
    >     </Subjects>
    >     <Resources>
    >         <AnyResource/>
    >     </Resources>
    >     <Actions>
    >         <AnyAction/>
    >     </Actions>
    > </Target>
    >
    > --
    > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    > Sun Microsystems Laboratories
    > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
    > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    >
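The two readings of the example Target discussed in this thread, evaluated side by side on constructed requests. This is an added example, not part of either message: the list-of-pairs data model, the function names and the sample requests are assumptions made for illustration, and the attribute values follow the letters used in the Horn clauses.

```python
# Added illustration; data model and names are assumptions, not an XACML API.
# A request carries a list of subjects, each a dict of attribute -> value.
# A target's <Subjects> is a list of <Subject> entries; each entry is a list
# of (attribute_id, value) pairs standing for its <SubjectMatch> children.

def subject_entry_matches(entry, subject):
    """AND: every SubjectMatch of one <Subject> must hold on the same subject."""
    return all(subject.get(attr) == value for attr, value in entry)

def subjects_match(target_subjects, request_subjects):
    """OR over <Subject> entries, 'at least one' over the request's subjects."""
    return any(subject_entry_matches(entry, s)
               for entry in target_subjects
               for s in request_subjects)

# Reading given in the reply: (A AND B AND C AND E) OR D
NESTED_READING = [
    [("AttrA", "A"), ("AttrB", "B"), ("AttrC", "C"), ("AttrE", "E")],
    [("AttrD", "D")],
]
# Reading given in the quoted message: (A AND B AND C) OR E OR D
FLAT_READING = [
    [("AttrA", "A"), ("AttrB", "B"), ("AttrC", "C")],
    [("AttrE", "E")],
    [("AttrD", "D")],
]

# Constructed requests that separate the two readings.
ABC_ONLY = [{"AttrA": "A", "AttrB": "B", "AttrC": "C"}]
SPLIT = [{"AttrA": "A", "AttrB": "B", "AttrC": "C"}, {"AttrE": "E"}]
ALL_ON_ONE = [{"AttrA": "A", "AttrB": "B", "AttrC": "C", "AttrE": "E"}]
D_ONLY = [{"AttrD": "D"}]

def compare(request_subjects):
    """Return (nested reading matches, flat reading matches) for a request."""
    return (subjects_match(NESTED_READING, request_subjects),
            subjects_match(FLAT_READING, request_subjects))

if __name__ == "__main__":
    for name, req in [("ABC_ONLY", ABC_ONLY), ("SPLIT", SPLIT),
                      ("ALL_ON_ONE", ALL_ON_ONE), ("D_ONLY", D_ONLY)]:
        print(name, compare(req))
```

The `SPLIT` request is the case the per-subject AND turns on: the attributes are all present in the request but spread over two subjects, so the nested reading does not match while the flat reading does.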
    
    

