Hi Jan,
See responses inline.
Best regards,
Erik
Jan Herrmann wrote:
> Hi Erik, all,
>
> in your mail
> (http://lists.oasis-open.org/archives/xacml/200909/msg00095.html) you are
> identifying three different use cases. Just to make sure that I understood
> your suggestions let me summarise how I understood your use cases and add
> some comments:
>
> Use case 1:
> You have one physical resource (a book) and an XML encoded metadata doc that
> describes the physical resource.
> You are further saying that XACML can handle this case well. Is this correct
> or do the same problems exist in this use case too?
> Let me extend your example to demonstrate that similar problems can occur:
>
>
>
>
> Now assume that you try to define a rule that denies access to a book if one
> of its authors is from the requestor’s family (i.e. the miller family) and
> born after 1978.
> Doesn’t this imply similar limitations as I described in
> http://lists.oasis-open.org/archives/xacml/200909/msg00081.html?
>
I am not sure. At the very least, the attribute selector with an offset
wouldn't help anything here, since it is a request for a single
resource, so the PDP would not iterate the resource-id over anything.
I suspect that it is fairly easy to write an XPath expression which
selects a