OASIS Mailing List Archives

xacml-users message



Subject: Re: [xacml-users] Single request to query multiple resources with multiple actions on each resource


On Tue, 2009-09-22 at 09:48 -0500, Andy Bailey wrote:
> Ludwig,
> 
> Thanks for the quick reply.
> 
> Can you provide a sample request and response using <MultiRequests>?
> It's not clear to me from the 3.0 spec how it works.

Sorry, MultiRequests is something else (although you could probably also
achieve your goal with that). I was suggesting the method from section
2.3 in the XACML v3.0 Multiple Resource Profile.

Basically what you do is you send your request with multiple resource
and action (and whatever) elements.
Example (very simplified):
Request
   Subject = Alice
   Resource = file1 (includeInResult=true)
   Resource = file2 (includeInResult=true)
   Action = read with (includeInResult=true)
   Action = write with (includeInResult=true)

And the PDP will test every combination of {file1, file2} and
{read,write}

giving you an answer like this (again very simplified):

Response
 Result = Permit
  Attributes
    Resource = file1
    Action = read
 Result = Deny
  Attributes 
    Resource = file1
    Action = write
 Result = Permit
  Attributes
    Resource = file2
    Action = read
 Result = Permit
  Attributes 
    Resource = file2
    Action = write

I have attached the "real" XACML files if you want to see the whole
thing.

> I assume the policy doesn't change at all.
> 
Except for the syntax. XACML 3.0 has introduced a few changes in the
XACML syntax. Have a look at the examples in the XACML 3.0 core document
to get an idea what they are.

Regards,

Ludwig Seitz

PS: Just to set things straight: Sunxacml _does_ the Multiple Resource
profile for XACML 2.0 (although I don't know if it is 100% correct).


-- 
Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Electrum 223
Phone: +46 (0)760 44 22 91    |   S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com   |

Request.xml

Response.xml
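
The expansion described in the message above, as an added example that is not part of the original post or its attachments: Python that splits a XACML 3.0 request with repeated resource and action `<Attributes>` elements into one individual decision request per combination. The request is constructed here, the namespace and identifier URIs are those of the final XACML 3.0 core specification (an assumption, since the 2009 drafts may differ), and `toy_pdp` is a hypothetical stand-in policy chosen to reproduce the simplified response.

```python
import itertools
import xml.etree.ElementTree as ET

# Identifiers from the final XACML 3.0 core spec (assumption: the 2009 drafts may differ).
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def attributes(category, attr_id, value):
    """Build one <Attributes> element holding a single string attribute."""
    return (f'<Attributes Category="{category}">'
            f'<Attribute AttributeId="{attr_id}" IncludeInResult="true">'
            f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">'
            f'{value}</AttributeValue></Attribute></Attributes>')

# Constructed sample: the simplified request from the message, written out as XML.
REQUEST = (f'<Request xmlns="{XACML}" ReturnPolicyIdList="false" CombinedDecision="false">'
           + attributes(SUBJECT, SUBJECT_ID, "Alice")
           + attributes(RESOURCE, RESOURCE_ID, "file1")
           + attributes(RESOURCE, RESOURCE_ID, "file2")
           + attributes(ACTION, ACTION_ID, "read")
           + attributes(ACTION, ACTION_ID, "write")
           + '</Request>')

def expand(request_xml):
    """Return one individual request (category -> attributes) per combination."""
    ns = {"x": XACML}
    groups = {}
    for element in ET.fromstring(request_xml).findall("x:Attributes", ns):
        values = {a.get("AttributeId"): a.findtext("x:AttributeValue", namespaces=ns)
                  for a in element.findall("x:Attribute", ns)}
        groups.setdefault(element.get("Category"), []).append(values)
    return [dict(zip(groups, combo)) for combo in itertools.product(*groups.values())]

def toy_pdp(individual):
    """Hypothetical policy: everything is permitted except writing file1."""
    target = (individual[RESOURCE][RESOURCE_ID], individual[ACTION][ACTION_ID])
    return "Deny" if target == ("file1", "write") else "Permit"

def evaluate(request_xml):
    """Decide every combination and echo the attributes that identify each result."""
    return [(r[RESOURCE][RESOURCE_ID], r[ACTION][ACTION_ID], toy_pdp(r))
            for r in expand(request_xml)]

if __name__ == "__main__":
    for resource, action, decision in evaluate(REQUEST):
        print(f"Result = {decision}: Resource = {resource}, Action = {action}")
```

The number of individual decisions is the product of the sizes of the repeated categories, here 1 x 2 x 2 = 4, and each result is identified by the resource and action values echoed back with it.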
