Subject: Re: [xacml] subject attribute designator
Polar,
Currently the <SubjectMatch> element allows matching 1 attribute designator to 1 attribute value. A sequence of subject-matches is interpreted as 'and' between individual matches. In the target we have another element, <Subject>, that wraps a sequence of subject-matches. A sequence of <Subject> elements in the target is interpreted as 'or'. So the recursive example you give is semantically the same as my example.

I'm beginning to think that this piece is a little bit overengineered.

What if we define a <MatchType> that matches 1 attribute designator to 1 attribute value? (I think we had this before the f2f.) Elements of <MatchType> are always enclosed in <Subject>, <Resource>, or <Action> elements. So matches within <Subject> are subject attribute matches, matches within <Resource> are resource attribute matches, etc.

In the target we drop the <Subjects> element and leave a sequence of <Subject> elements that in turn contain a sequence of matches. (Same for <Resources> and <Actions>.) A sequence of <Subject> elements in the target is interpreted as 'or'. A sequence of subject matches within an individual <Subject> element is interpreted as 'and'. (Same for the <Resource> sequence and the <Action> sequence.)

SubjectAttributeDesignator will contain an optional sequence of subject matches interpreted as 'and' between individual matches.
Example:

<Target>  <!-- note: <Subjects> element gone -->
  <Subject>
    <SubjectMatch MatchId="string-equal">  <!-- match 1 attr to 1 value -->
      <AttributeDesignator AttributeId="attrA"/>
      <AttributeValue>a1</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">  <!-- match 1 attr to 1 value -->
      <AttributeDesignator AttributeId="AttrB"/>
      <AttributeValue>b1</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">  <!-- match 1 attr to 1 value -->
      <AttributeDesignator AttributeId="AttrC"/>
      <AttributeValue>c1</AttributeValue>
    </SubjectMatch>
  </Subject>
  <Subject>  <!-- another subject; 'or' between <Subject> elements -->
  </Subject>
  ....
</Target>

<SubjectAttributeDesignator AttributeId="AttrA">
  <SubjectMatch MatchId="string-equal">  <!-- 'and' between individual subject-matches -->
    <AttributeDesignator AttributeId="AttrB"/>
    <AttributeValue>b1</AttributeValue>
  </SubjectMatch>
  <SubjectMatch MatchId="string-equal">
    <AttributeDesignator AttributeId="AttrC"/>
    <AttributeValue>c1</AttributeValue>
  </SubjectMatch>
</SubjectAttributeDesignator>
Simon
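A small evaluator for the semantics proposed in the message above, added here as an example (it is not code from the original post or from the XACML TC): <Subject> elements are 'or'-ed, the <SubjectMatch> elements inside one <Subject> are 'and'-ed, and a <SubjectAttributeDesignator> yields its attribute only when all of its nested matches hold. The match-function table, multi-valued subject attributes and the treatment of an empty <Subject> are assumptions of this example, not part of the proposal.

```python
import xml.etree.ElementTree as ET
# Only the match function the message uses; assumption: others would be added here.
MATCH_FUNCTIONS = {"string-equal": lambda a, b: a == b}

# Target in the proposed form (no <Subjects> wrapper), constructed for this example.
TARGET_XML = """<Target>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="attrA"/>
      <AttributeValue>a1</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrB"/>
      <AttributeValue>b1</AttributeValue>
    </SubjectMatch>
  </Subject>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrC"/>
      <AttributeValue>c1</AttributeValue>
    </SubjectMatch>
  </Subject>
</Target>"""
# Designator with nested matches, as in the message (constructed for this example).
DESIGNATOR_XML = """<SubjectAttributeDesignator AttributeId="attrA">
  <SubjectMatch MatchId="string-equal">
    <AttributeDesignator AttributeId="AttrB"/>
    <AttributeValue>b1</AttributeValue>
  </SubjectMatch>
</SubjectAttributeDesignator>"""

def subject_match(match, attrs):
    """One <SubjectMatch>: 1 designated attribute against 1 literal value (assumption:
    a subject attribute may carry several values, any one of which may match)."""
    fn = MATCH_FUNCTIONS[match.get("MatchId")]
    attr_id = match.find("AttributeDesignator").get("AttributeId")
    literal = match.find("AttributeValue").text
    return any(fn(v, literal) for v in attrs.get(attr_id, ()))

def target_matches(target_xml, attrs):
    """Sequence of <Subject> = 'or'; SubjectMatch sequence inside one <Subject> = 'and'.
    Assumption: an empty <Subject> is a vacuous 'and' and therefore matches anything."""
    root = ET.fromstring(target_xml)
    return any(all(subject_match(m, attrs) for m in s.findall("SubjectMatch"))
               for s in root.findall("Subject"))

def designator_values(designator_xml, attrs):
    """Values of the designated attribute, only if every nested match holds ('and')."""
    d = ET.fromstring(designator_xml)
    if all(subject_match(m, attrs) for m in d.findall("SubjectMatch")):
        return set(attrs.get(d.get("AttributeId"), ()))
    return set()
```

Subject attributes are passed as a dict mapping AttributeId to a set of string values; the second <Subject> shows that a request lacking attrA/AttrB can still match the target through the 'or'.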