OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] subject attribute designator

    Posted 08-08-2002 15:09


    Polar,
    Currently the <SubjectMatch> element allows matching 1 attribute designator
    to 1 attribute value.
    A sequence of subject-matches is interpreted as 'and' between individual
    matches.
    In the target we have another element <Subject> that wraps a sequence of
    subject-matches.
    A sequence of <Subject> elements in the target is interpreted as 'or'.
    
    So the recursive example you give is semantically the same as my example.
    
    I'm beginning to think that this piece is a little bit overengineered.
    
    What if we define a <MatchType> that matches 1 attribute designator to 1
    attribute value?
    (I think we had this before the f2f.)
    Elements of <MatchType> are always enclosed in <Subject>, <Resource>, or
    <Action> elements. So matches within <Subject> are subject attribute
    matches, matches within <Resource> are resource attribute matches, etc.
    
    In the target we drop the <Subjects> element and leave a sequence of
    <Subject> elements that in turn contain a sequence of matches. (Same for
    <Resources> and <Actions>.)
    
    A sequence of <Subject> elements in the target is interpreted as 'or'.
    A sequence of subject matches within an individual <Subject> element is
    interpreted as 'and'. (Same for the <Resource> sequence and the <Action>
    sequence.)
    
    SubjectAttributeDesignator will contain an optional sequence of subject
    matches, interpreted as 'and' between individual matches.
    
    Example:
    <Target> <!-- note: <Subjects> element gone -->
        <Subject>
            <SubjectMatch MatchId="string-equal"> <!-- match 1 attr to 1 value -->
                <AttributeDesignator AttributeId="AttrA"/>
                <AttributeValue>a1</AttributeValue>
            </SubjectMatch>
            <SubjectMatch MatchId="string-equal"> <!-- match 1 attr to 1 value -->
                <AttributeDesignator AttributeId="AttrB"/>
                <AttributeValue>b1</AttributeValue>
            </SubjectMatch>
            <SubjectMatch MatchId="string-equal"> <!-- match 1 attr to 1 value -->
                <AttributeDesignator AttributeId="AttrC"/>
                <AttributeValue>c1</AttributeValue>
            </SubjectMatch>
        </Subject>
        <Subject> <!-- another subject; 'or' between <Subject> elements -->
        </Subject>
        ....
    </Target>
    
    <SubjectAttributeDesignator AttributeId="AttrA">
        <SubjectMatch MatchId="string-equal"> <!-- 'and' between individual subject-matches -->
            <AttributeDesignator AttributeId="AttrB"/>
            <AttributeValue>b1</AttributeValue>
        </SubjectMatch>
        <SubjectMatch MatchId="string-equal">
            <AttributeDesignator AttributeId="AttrC"/>
            <AttributeValue>c1</AttributeValue>
        </SubjectMatch>
    </SubjectAttributeDesignator>
    
    Simon
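
The 'or' between <Subject> elements and 'and' between the <SubjectMatch> elements inside one <Subject> is easy to get wrong in an evaluator, so here is an added example (not part of Simon's message or of any XACML implementation) that evaluates a <Target> in the proposed shape against a subject's attribute bag. The MatchId name "string-equal", the attribute ids AttrA, AttrB and role, and the sample values are constructed for this example; the proposed <SubjectAttributeDesignator> with nested matches is not covered. Two choices are worth noting: an attribute that is absent from the request never satisfies a match, and an empty <Subject> (like the placeholder second <Subject> in the example above) is vacuously true, so it matches every subject.

```python
import xml.etree.ElementTree as ET

# Constructed sample target in the shape proposed in the message above: no
# <Subjects> wrapper, a sequence of <Subject>, each a sequence of <SubjectMatch>.
# Attribute ids and values are made up for this example.
TARGET_XML = """
<Target>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrA"/>
      <AttributeValue>a1</AttributeValue>
    </SubjectMatch>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="AttrB"/>
      <AttributeValue>b1</AttributeValue>
    </SubjectMatch>
  </Subject>
  <Subject>
    <SubjectMatch MatchId="string-equal">
      <AttributeDesignator AttributeId="role"/>
      <AttributeValue>admin</AttributeValue>
    </SubjectMatch>
  </Subject>
</Target>
"""

# MatchId -> predicate(actual_value, policy_value). Only the "string-equal"
# name used on this page is defined; an unknown MatchId is rejected rather
# than silently treated as a match or a non-match.
MATCH_FUNCTIONS = {
    "string-equal": lambda actual, expected: actual == expected,
}


def evaluate_subject_match(match_el, subject_attrs):
    """One <SubjectMatch>: one attribute designator against one literal value.

    subject_attrs maps AttributeId -> list of values (attributes are bags, so a
    subject may carry several values for one id). The match succeeds if any
    value in the bag satisfies the MatchId predicate. An absent attribute fails
    the match: a missing attribute can never satisfy a policy constraint.
    """
    match_id = match_el.get("MatchId")
    match_fn = MATCH_FUNCTIONS.get(match_id)
    if match_fn is None:
        raise ValueError("unsupported MatchId %r" % match_id)
    designator = match_el.find("AttributeDesignator")
    literal = match_el.find("AttributeValue")
    if designator is None or literal is None:
        raise ValueError("SubjectMatch needs one AttributeDesignator and one AttributeValue")
    attr_id = designator.get("AttributeId")
    expected = (literal.text or "").strip()
    return any(match_fn(actual, expected) for actual in subject_attrs.get(attr_id, []))


def evaluate_subject(subject_el, subject_attrs):
    """<Subject>: 'and' over its <SubjectMatch> children.

    A <Subject> with no matches is vacuously true (all([]) is True), i.e. it
    matches every subject; an empty placeholder <Subject> in a real policy
    would make the whole target match anyone.
    """
    return all(evaluate_subject_match(m, subject_attrs)
               for m in subject_el.findall("SubjectMatch"))


def target_matches(target_xml, subject_attrs):
    """<Target>: 'or' over its <Subject> children.

    A target with no <Subject> at all is treated here as matching nobody
    (any([]) is False). The message does not define that case, so this is an
    assumption of this example, chosen to fail closed.
    """
    target = ET.fromstring(target_xml.strip())
    return any(evaluate_subject(s, subject_attrs) for s in target.findall("Subject"))


if __name__ == "__main__":
    # AttrA=a1 and AttrB=b1 together satisfy the first <Subject> ('and').
    print(target_matches(TARGET_XML, {"AttrA": ["a1"], "AttrB": ["b1"]}))
    # AttrA=a1 alone satisfies neither <Subject>.
    print(target_matches(TARGET_XML, {"AttrA": ["a1"]}))
    # role=admin alone satisfies the second <Subject> ('or' between subjects).
    print(target_matches(TARGET_XML, {"role": ["admin", "user"]}))
```

The attribute bag is passed as a dict of lists on purpose: a request can carry several values for one AttributeId, and a match against the designator succeeds if any value in the bag satisfies it, which is the case a single-valued evaluator silently gets wrong.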