OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] proposals for subject attribute designator clarification

    Posted 08-09-2002 23:45


    Subject: [xacml] proposals for subject attribute designator clarification


    Here are 2 proposals to clarify <SubjectAttributeDesignator> element semantics.
     
    Attribute Designators.
     
    Polar.
    SubjectMatch matches 1 attribute to 1 value.
    A sequence of <SubjectMatch>es is always 'or'ed.
    SubjectMatches contained in further nested SubjectAttributeDesignators
    are 'and'ed with the parent SubjectMatch.
    Get rid of the <Subject> element in the <Target>.
     
    <Target>
    <Subjects> <!-- note that the <Subject> element is gone -->
       <SubjectMatch/> <!-- 'or' between subject matches (always) -->
       <SubjectMatch/>
    </Subjects>
    </Target>
     
    Select sa.attrA such that
    (sa.attrB="valB" & sa.attrC="valC") | (sa.attrD="valD")
     
    <SubjectAttributeDesignator AttributeId="attrA">
       <SubjectMatch> <!-- 'or' between subject matches -->
          <SubjectAttributeDesignator AttributeId="attrB">
             <SubjectMatch> <!-- 'and' with parent subject-match -->
                <SubjectAttributeDesignator AttributeId="attrC"/>
                <AttributeValue>valC</AttributeValue>
             </SubjectMatch>
          </SubjectAttributeDesignator>
          <AttributeValue>valB</AttributeValue>
       </SubjectMatch>
       <SubjectMatch> <!-- 'or' between subject matches -->
          <SubjectAttributeDesignator AttributeId="attrD"/>
          <AttributeValue>valD</AttributeValue>
       </SubjectMatch>
    </SubjectAttributeDesignator>
     
    Note: this is very close to the current schema (Simon 0)
    with the clarification that subject-matches are always 'or'ed. It is also
    very close to xpath selection semantics where each step narrows down
    the previous step. This proposal calls for minimal changes to the current
    schema.
     
    Simon 1.
    A number of people expressed an opinion that the semantics of
    SubjectAttributeDesignator is not sufficiently clear.
    If the above proposal does not clarify it, here is another proposal.
     
    SubjectMatch matches 1 attribute to 1 value.
    A sequence of <SubjectMatch>es is always 'and'ed.
    A sequence of <Subject> elements in the target is always 'or'ed.
    Get rid of the <Subjects> element in the <Target>.
    <SubjectAttributeDesignator> does not have a sequence of <SubjectMatch>es.
    Invent a new <SubjectAttributeDesignatorWhere> element that extends
    <SubjectAttributeDesignator> with a sequence of <SubjectMatch>es.
     
    <Target>
       <Subject> <!-- 'or' between <Subject> elements -->
          <SubjectMatch/> <!-- 'and' between subject matches (always) -->
          <SubjectMatch/>
       </Subject>
       <Subject> <!-- 'or' between <Subject> elements -->
       </Subject>
    </Target>
     
    Select sa.attrA such that
    sa.attrB="valB" & sa.attrC="valC"
    (note that it is not possible to replicate the exact example from Polar's
    proposal)
     
    <SubjectAttributeDesignatorWhere AttributeId="attrA">
       <Where>
          <SubjectMatch> <!-- 'and' between subject matches -->
             <SubjectAttributeDesignator AttributeId="attrB"/>
             <AttributeValue>valB</AttributeValue>
          </SubjectMatch>
          <SubjectMatch> <!-- 'and' between subject matches -->
             <SubjectAttributeDesignator AttributeId="attrC"/>
             <AttributeValue>valC</AttributeValue>
          </SubjectMatch>
       </Where>
    </SubjectAttributeDesignatorWhere>

    Polar + Where:
    The <Where> element can be integrated into Polar's proposal as well.
     
    <SubjectAttributeDesignator AttributeId="attrA">
       <Where>
          <SubjectMatch/> <!-- 'or' between subject matches -->
       </Where>
    </SubjectAttributeDesignator>
     
    Select sa.attrA such that
    (sa.attrB="valB" & sa.attrC="valC") | (sa.attrD="valD")
     
    <SubjectAttributeDesignator AttributeId="attrA">
       <Where>
          <SubjectMatch> <!-- 'or' between subject matches -->
             <SubjectAttributeDesignator AttributeId="attrB">
                <Where>
                   <SubjectMatch> <!-- 'and' with parent subject-match -->
                      <SubjectAttributeDesignator AttributeId="attrC"/>
                      <AttributeValue>valC</AttributeValue>
                   </SubjectMatch>
                </Where>
             </SubjectAttributeDesignator>
             <AttributeValue>valB</AttributeValue>
          </SubjectMatch>
          <SubjectMatch> <!-- 'or' between subject matches -->
             <SubjectAttributeDesignator AttributeId="attrD"/>
             <AttributeValue>valD</AttributeValue>
          </SubjectMatch>
       </Where>
    </SubjectAttributeDesignator>
     
    Simon
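
Added example (not part of the original message and not XACML reference code): a small Python evaluator for the "Select sa.attrA such that ..." fragments above, run under both readings of sibling <SubjectMatch> elements ('or'ed as in the Polar proposal, 'and'ed as in Simon 1). The function names, the dict-of-lists subject model and the sample subjects are assumptions made for illustration; the XML is the Polar fragment from the message with its inline annotations removed.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: Polar's example, inline annotations removed.
POLAR = """<SubjectAttributeDesignator AttributeId="attrA">
 <SubjectMatch>
  <SubjectAttributeDesignator AttributeId="attrB">
   <SubjectMatch>
    <SubjectAttributeDesignator AttributeId="attrC"/>
    <AttributeValue>valC</AttributeValue>
   </SubjectMatch>
  </SubjectAttributeDesignator>
  <AttributeValue>valB</AttributeValue>
 </SubjectMatch>
 <SubjectMatch>
  <SubjectAttributeDesignator AttributeId="attrD"/>
  <AttributeValue>valD</AttributeValue>
 </SubjectMatch>
</SubjectAttributeDesignator>"""

def condition(designator, subject, siblings_or):
    """Combine the <SubjectMatch> children of a designator (direct or under <Where>)."""
    where = designator.find("Where")
    holder = designator if where is None else where
    results = [match(m, subject, siblings_or) for m in holder.findall("SubjectMatch")]
    if not results:  # plain designator: nothing restricts the selection
        return True
    return any(results) if siblings_or else all(results)

def match(subject_match, subject, siblings_or):
    """One <SubjectMatch>: 1 attribute against 1 value, 'and'ed with nested matches."""
    designator = subject_match.find("SubjectAttributeDesignator")
    wanted = subject_match.findtext("AttributeValue")
    if wanted not in subject.get(designator.get("AttributeId"), []):
        return False
    return condition(designator, subject, siblings_or)

def select(xml_text, subject, siblings_or):
    """Return the selected attribute's values, or [] when the condition fails."""
    root = ET.fromstring(xml_text)
    ok = condition(root, subject, siblings_or)
    return subject.get(root.get("AttributeId"), []) if ok else []

# Constructed subjects: attribute id -> bag of values.
ONLY_D = {"attrA": ["a1"], "attrD": ["valD"]}
B_AND_C = {"attrA": ["a1"], "attrB": ["valB"], "attrC": ["valC"]}

if __name__ == "__main__":
    for name, s in (("ONLY_D", ONLY_D), ("B_AND_C", B_AND_C)):
        print(name, "or:", select(POLAR, s, True), "and:", select(POLAR, s, False))
```

Read with 'and' between siblings, the same fragment requires attrB, attrC and attrD together, so both sample subjects stop matching; a policy author and a PDP implementer who disagree on this rule get different access decisions from identical policy text.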
     

