OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] [schema] One two many OR levels in Target Subject?

  • 1.  Re: [xacml] [schema] One two many OR levels in Target Subject?

    Posted 08-03-2002 09:03
    
    >1. at least one Subject has
    >   AttrA == A AND AttrB == B and AttrC == C
    >2. OR at least one Subject has
    >   AttrE == E
    >3. OR at least one Subject has
    >   AttrD == D
    
    I thought that the above expression is represented by the following
    structure, but the original message has a different structure.
    
    <Target>
        <Subjects>
            <Subject>
                SubjectMatch if AttrA == A
                SubjectMatch if AttrB == C
                SubjectMatch if AttrC == C
            </Subject>
            <Subject>
                SubjectMatch if AttrE == E
            </Subject>
            <Subject>
                SubjectMatch if AttrD == D
            </Subject>
        </Subjects>
    </Target>
    
    I am still not clear on a couple of examples described in
    http://lists.oasis-open.org/archives/xacml/200208/msg00001.html
    
    In the first case, what does the following mean?
    
    <SubjectAttributeDesignator AttributeId="B" Category="AccessSubject">
        <SubjectMatch MatchId="string-equals">
            <SubjectAttributeDesignator AttributeID="A">
            <AttributeValue DataType="xs:string">C</AttributeValue>
        </SubjectMatch>
    </SubjectAttributeDesignator>
    
    Since <SubjectMatch> returns a boolean, it means
    <SubjectAttributeDesignator> receives a boolean value as an argument. What
    does that mean? (There are several similar expressions in that example.)
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
                                                                                                                                      
    From:     Anne Anderson <Anne.Anderson@Sun.com>
    To:       XACML TC <xacml@lists.oasis-open.org>
    cc:
    Subject:  [xacml] [schema] One two many OR levels in Target Subject?
    Date:     2002/08/03 03:41
    Please respond to Anne.Anderson
    
    
    
    I think we MAY have defined one too many levels of OR in our
    Target Subject syntax.
    
    I believe the following example matches any Request in which
    1. at least one Subject has
       AttrA == A AND AttrB == B and AttrC == C
    2. OR at least one Subject has
       AttrE == E
    3. OR at least one Subject has
       AttrD == D
    
    But 1. and 2. are not at the same level as 3.
    
    <Target>
        <Subjects>
            <Subject>
                <SubjectMatch MatchId="string-match">
                    <SubjectAttributeDesignator AttributeId="AttrA"
                                                DataType="xs:string">
                        <SubjectMatch MatchId="string-match">
                            <SubjectAttributeDesignator
                                                AttributeId="AttrB"
                                                DataType="xs:string">
                                <SubjectMatch MatchId="string-match">
                                    <SubjectAttributeDesignator
                                                AttributeId="AttrC"
                                                DataType="xs:string">
                                        <AttributeValue
                                                DataType="xs:string">
                                            valueC
                                        </AttributeValue>
                                    </SubjectAttributeDesignator>
                                </SubjectMatch>
                                <AttributeValue DataType="xs:string">
                                    valueB
                                </AttributeValue>
                            </SubjectAttributeDesignator>
                        </SubjectMatch>
                        <AttributeValue DataType="xs:string">
                            valueA
                        </AttributeValue>
                    </SubjectAttributeDesignator>
                </SubjectMatch>
                <SubjectMatch MatchId="string-match">
                    <SubjectAttributeDesignator AttributeId="AttrE"
                                                DataType="xs:string">
                        <AttributeValue DataType="xs:string">
                            valueE
                        </AttributeValue>
                    </SubjectAttributeDesignator>
                </SubjectMatch>
            </Subject>
            <Subject>
                <SubjectMatch MatchId="string-match">
                    <SubjectAttributeDesignator AttributeId="AttrD"
                                                DataType="xs:string">
                        <AttributeValue DataType="xs:string">
                            valueD
                        </AttributeValue>
                    </SubjectAttributeDesignator>
                </SubjectMatch>
            </Subject>
        </Subjects>
        <Resources>
            <AnyResource/>
        </Resources>
        <Actions>
            <AnyAction/>
        </Actions>
    </Target>
    
    --
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
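
An added example, not part of either message or of the XACML schema: a small evaluator for the flat three-`<Subject>` structure given in the reply, where `<Subjects>` is an OR over `<Subject>` elements and each `<Subject>` is an AND over its `<SubjectMatch>` children. The `attr`/`value` attributes and the request format (a list of dicts mapping attribute names to sets of values) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified target. The attr/value attributes are shorthand
# assumed for this example; they are not XACML schema.
TARGET_XML = """
<Target>
  <Subjects>
    <Subject>
      <SubjectMatch attr="AttrA" value="A"/>
      <SubjectMatch attr="AttrB" value="B"/>
      <SubjectMatch attr="AttrC" value="C"/>
    </Subject>
    <Subject>
      <SubjectMatch attr="AttrE" value="E"/>
    </Subject>
    <Subject>
      <SubjectMatch attr="AttrD" value="D"/>
    </Subject>
  </Subjects>
</Target>
"""

def parse_target(xml_text):
    """Return the target as a list of clauses; each clause is a list of (attr, value)."""
    root = ET.fromstring(xml_text)
    clauses = []
    for subject in root.findall("./Subjects/Subject"):
        clause = [(m.get("attr"), m.get("value"))
                  for m in subject.findall("SubjectMatch")]
        if not clause:
            # all() over an empty clause is True, so reject it explicitly.
            raise ValueError("empty <Subject> would match every request subject")
        clauses.append(clause)
    return clauses

def subject_satisfies(clause, subject):
    """AND level: one request subject must carry every attribute/value pair."""
    return all(value in subject.get(attr, ()) for attr, value in clause)

def target_matches(clauses, request_subjects):
    """OR level: some clause is satisfied by at least one single request subject."""
    return any(subject_satisfies(c, s) for c in clauses for s in request_subjects)
```

Because each clause is checked against one request subject at a time, a request whose AttrA sits on one subject and AttrB/AttrC on another does not satisfy the first clause.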
    
    