
ComplexSubject clarification for incomplete info #32

@FragLegs


In section 3.2.1 the SSE spec says

All members within a Complex Subject MUST represent attributes of the same Subject Principal. As a whole, the Complex Subject MUST refer to exactly one Subject Principal.

I read this to mean that when examining a new security event to determine whether it matches a subject that a receiver has added to the stream, the rule is that all of the attributes of the Complex Subject must match. That is, if the receiver added this subject:

{
    "device": {
        "format": "opaque",
        "id": "1234"
    },
    "application": {
        "format": "opaque",
        "id": "5678"
    }
}

Then in order for an event to be delivered on that stream, it must have both device 1234 and application 5678.

I have three questions:

  1. Is the interpretation above correct? Or would an event that matches any of the attributes be delivered on the stream?
  2. What happens if the event has more information than the ComplexSubject? That is, would an event with device 1234, application 5678, and user foo be delivered on this stream?
  3. What happens if the event has less information than the ComplexSubject? That is, would an event with device 1234 and no application information be delivered on this stream?

We need to come to a consensus about these cases, and then I would suggest we should add enough details to the spec to make the answers clear to readers.
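To make the three cases concrete, here is a small matcher, added here as an example and not taken from the SSE spec, the issue author, or the project's code. It encodes the reading proposed above (every member of the stream's Complex Subject must be matched by the event) and exposes the two open questions as flags, so each sample event can be evaluated under each candidate reading. The flag semantics, the "conflicting member is never a match" rule, and the sample event subjects are assumptions constructed for this example; the spec text quoted in the issue does not settle them.

```python
# Added example (not from the issue, the SSE spec, or the project's code):
# a matcher that makes the "all members must match" interpretation concrete.
# The rules behind the two flags are ASSUMPTIONS for illustration only.

# Complex Subject the receiver added to the stream (copied from the issue).
STREAM_SUBJECT = {
    "device": {"format": "opaque", "id": "1234"},
    "application": {"format": "opaque", "id": "5678"},
}

# Constructed sample event subjects, one per question raised in the issue.
EVENT_EXACT = {
    "device": {"format": "opaque", "id": "1234"},
    "application": {"format": "opaque", "id": "5678"},
}
EVENT_EXTRA = {  # question 2: more members than the stream subject
    "device": {"format": "opaque", "id": "1234"},
    "application": {"format": "opaque", "id": "5678"},
    "user": {"format": "opaque", "id": "foo"},
}
EVENT_LESS = {  # question 3: fewer members than the stream subject
    "device": {"format": "opaque", "id": "1234"},
}
EVENT_CONFLICT = {  # same application, but a different device
    "device": {"format": "opaque", "id": "9999"},
    "application": {"format": "opaque", "id": "5678"},
}


def member_matches(stream_member: dict, event_member: dict) -> bool:
    """Two simple subject members match only if every field (format and
    identifier) is identical. Assumption: identifiers are not normalised."""
    return stream_member == event_member


def complex_subject_matches(stream_subject: dict, event_subject: dict,
                            require_all: bool = True,
                            allow_extra: bool = True) -> bool:
    """Decide whether an event should be delivered on a stream whose
    subject is `stream_subject`.

    require_all -- questions 1 and 3: every member of the stream subject
                   must be present in the event ("all attributes must
                   match"). With False, one matching member is enough
                   ("any attribute").
    allow_extra -- question 2: members in the event that the stream subject
                   does not mention are ignored. With False they cause a
                   mismatch.
    Both flags, and the conflict rule below, are assumptions of this example.
    """
    matched = 0
    for name, stream_member in stream_subject.items():
        event_member = event_subject.get(name)
        if event_member is None:
            if require_all:
                return False
            continue
        if not member_matches(stream_member, event_member):
            # Same member name with a different identifier points at a
            # different Subject Principal, so it is never a match under
            # either reading (assumption drawn from the quoted MUST).
            return False
        matched += 1
    if matched == 0:
        return False
    if not allow_extra and set(event_subject) - set(stream_subject):
        return False
    return True


def decide_all(event_subject: dict) -> dict:
    """Answer for one event under each candidate reading of the spec text."""
    return {
        "all members, extras ignored":
            complex_subject_matches(STREAM_SUBJECT, event_subject),
        "all members, exact set":
            complex_subject_matches(STREAM_SUBJECT, event_subject, allow_extra=False),
        "any member":
            complex_subject_matches(STREAM_SUBJECT, event_subject, require_all=False),
    }


if __name__ == "__main__":
    for label, ev in [("exact", EVENT_EXACT), ("extra", EVENT_EXTRA),
                      ("less", EVENT_LESS), ("conflict", EVENT_CONFLICT)]:
        print(label, decide_all(ev))
```

Running it shows that the three readings only disagree on the "extra" and "less" events: the exact event is delivered under every reading, and an event whose device conflicts with the stream subject is delivered under none, which is the part the quoted sentence does pin down.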

Labels: id:23H1 (Implementer's draft for 2023 H1)