OASIS Mailing List Archives

regrep message

Subject: Re: [regrep] Inconsistency in RIM 2.3.5 -> Access Control


<Quote>
Maybe there should be some clarification here, because if the XACML 
binding is required, how would a registry be able to support any other 
access control format at the same time?  Should there be a notion of an 
AccessControlPolicyList?
</Quote>

Suppose the relationship between a RegistryObject and its Access Control
Policy were defined using an association instead of the current
approach. Then, a Registry Object could have multiple ACPs associated
with it (this is an allusion to a forthcoming posting by Farrukh).

Furthermore, if we added a "preference"-type attribute to associations,
one could "rank" these multiple associations in the order in which they
should be "traversed" during processing. This would equate to the
AccessControlPolicy list you refer to above. The order of preference
within the list would be given by the "preference".

Joe

Matthew MacKenzie wrote:
> 
> Section 13.
> First, the section opens up on this statement:
> 
> "This chapter defines the Access Control Information Model used by the
> registry to control access to RegistryObjects and RepositoryItems
> managed by it.
> This specification first defines an abstract Access Control Model that
> enables access control policies to be defined and associated with
> RegistryObjects.
> Next, it defines a normative and required binding of that abstract model
> to [XACML].
> Finally, it defines how a registry may support additional bindings to
> custom access control technologies."
> 
> Then, further down in the subsection "Abstract Access Control Policy",
> this statement is made:
> 
> "The abstract Access Control Model allows the Access Control Policy to
> be defined in any arbitrary format as long as it is represented in the
> registry as a repositoryItem and its corresponding ExtrinsicObject."
> 
> I have no problem with either approach (although firming up on XACML
> will help interop).  I just think that these two passages are
> contradictory given that the "abstract" section indicates that it would
> indeed be possible to define your acls in a format other than XACML, and
> in fact, it is allowed, while at the same time the XACML binding to the
> abstract model is required.
> 
> Maybe there should be some clarification here, because if the XACML
> binding is required, how would a registry be able to support any other
> access control format at the same time?  Should there be a notion of an
> AccessControlPolicyList?
> 
> -Matt