Resource sets and resource string semantics

["Dr. Anthony Palmer" <tony@vordel.com>]

Hi all,

    I think that this discussion is trying to address multiple issues with one solution, which may be problematic. Are there not two or mabye three questions being asked here?

 

Question one:

    PEP:Can Alice access http://www.hp.com/documents/foo.txt?

    PDP: Yes, ReadOnly

    Assumes Alice knows that /documents/foo.txt exists.

 

Question two:

    PEP:What can Alice access on http://www.hp.com/?

    PDP: Alice can access:

                /documents/foo.txt       ReadOnly

                /files/Comments.doc    Read/Write

                /data/cash.xls             ReadOnly

                /daily/tasks.doc           ReadOnly

                /daily/completed.doc    Read/Write

    Alice may not know beforehand what she is able to access, or what services are available(c.f. WSDL type lookup), also the results are dependent on Alices role.

 

Question Three:

        PEP:Can Alice access http://www.hp.com/*

        PDP Yes

    This is problematic because firstly it assumes the entire contents are either open or closed to Alice. There are no levels of access specified based on roles or other criteria. Secondly, if Alice does not know what's available on hp.com question two will need to be asked.

 

Are these queries within SAML scope or best left to XACML?

see Hal's mail dated 04 May 2001 16:56 re: Resource sets and resource string semantics

 

Many Regards  

Tony Palmer Ph.D
Research and Development
Vordel
Cohesion Technologies for eBusiness
tony@vordel.com
Ph: + 353 1 215 3317
Fax: + 353 1 215 3334
http://www.vordel.com
Cranford House
Cranford Court
Dublin 4  Ireland

Bored? http://www.vordel.com/careers/jobs.html