OASIS eXtensible Access Control Markup Language (XACML) TC


RE: [xacml] Type-is-in should be a match function

    Posted 07-14-2004 14:31

    Subject: RE: [xacml] Type-is-in should be a match function


    
    On Wed, 2004-07-14 at 10:25, Tim Moses wrote:
    > Target can contain a match function, e.g. ResourceMatch, which compares an
    > attributeValue with a ResourceAttributeDesignator, which is a bag of base
    > types.
    
    Yes, but recall how Targets are evaluated. The Designator/Selector is
    evaluated to retrieve some number of values, and then for each value we
    compare it to the given AttributeValue using the MatchId. For instance:
    
      <SubjectMatch MatchId="...:string-equal">
        <AttributeValue DataType="...#string">foo</AttributeValue>
        <SubjectAttributeDesignator DataType="...#string" ... />
      </SubjectMatch>
    
    is legal because values are resolved for the designator, and then one at
    a time they are compared to the value "foo" using the function
    string-equal. If any one of the resolved values matches, then the
    SubjectMatch matches.
    
    So, yes, we're working with Bags in Targets. However, from the point of
    view of the Match function, we're only working on base-types. Thus, we
    can't use the bag functions in Target matching. Does that make sense? Am
    I answering the wrong question?
    
    
    seth
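
The Target evaluation described in the message above, as an added example that is not part of the original post and not taken from any XACML implementation. The request context, the `urn:example:subject:group` AttributeId and the helper names are assumptions made for illustration; the message elides the full identifiers as "...".

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# MatchId -> (kind of second argument, implementation).
FUNCTIONS = {
    FN + "string-equal": ("base", lambda a, b: a == b),
    FN + "string-is-in": ("bag", lambda a, bag: a in bag),
}

# Constructed request context: one subject attribute resolving to a bag.
REQUEST = {"urn:example:subject:group": ["bar", "foo", "baz"]}


def make_match(match_id, literal):
    """Build a SubjectMatch shaped like the one quoted in the message."""
    return f"""<SubjectMatch MatchId="{match_id}">
      <AttributeValue DataType="{STRING}">{literal}</AttributeValue>
      <SubjectAttributeDesignator DataType="{STRING}"
          AttributeId="urn:example:subject:group"/>
    </SubjectMatch>"""


def subject_match(xml_text, request):
    """Evaluate one SubjectMatch against a request context."""
    elem = ET.fromstring(xml_text)
    kind, func = FUNCTIONS[elem.get("MatchId")]
    if kind != "base":
        # The match function only ever receives single base-type values,
        # so a function that expects a bag cannot serve as a MatchId.
        raise TypeError("bag function not usable as MatchId")
    literal = elem.find("AttributeValue").text
    designator = elem.find("SubjectAttributeDesignator")
    # Step 1: resolve the designator to a bag of values (empty if absent).
    bag = request.get(designator.get("AttributeId"), [])
    # Step 2: compare the literal with each value, one at a time;
    # any single hit makes the whole SubjectMatch match.
    return any(func(literal, value) for value in bag)


if __name__ == "__main__":
    print(subject_match(make_match(FN + "string-equal", "foo"), REQUEST))
    print(subject_match(make_match(FN + "string-equal", "qux"), REQUEST))
```
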
    
    

