Subject: Re: [sunxacml-discuss] Resource-id
Argyn,

This is a question about how to use the XACML language itself, rather than Sun's XACML implementation. As such, I am cc'ing "xacml-comment@lists.oasis-open.org" on this response. I suggest future questions of this type go directly to "xacml-comment@lists.oasis-open.org" so the XACML TC can be aware of how people are trying to use the XACML language, and problems you may be having.

This is an add-on to Seth's response.

On 17 September, Kuketayev, Argyn writes:
[sunxacml-discuss] Resource-id

> There's a mandatory resource-id attribute in the XACML request. Spec
> says that it defines identity of the resource. I have a little trouble
> with this.
>
> If we talk in terms of object-oriented analysis, then is this
> resource-id comparable to notion of Object Id? Or is it more like a
> class?
>
> Here's an example. I have an object asset1, which is an instance of
> class Asset. In the database, it's stored in a table tab_assets with
> primary key columns "database" and "schema". Subsequently, class Asset
> has fields "database" and "schema".
>
> So, the identity of the object asset1 is defined by values of the above
> two fields, and its class name. If I serialize this object into string,
> I'd have these three values. It would be something like:
> "asset:database1,server1".
>
> Now, I'm making an XACML request. What's going to be the request-id?

This seems like it might fit into the XACML Hierarchical Resources model. If the "resource-id" were expressed as something like "/server1.../Asset/database/asset1", then policies could be written giving or preventing access to anything on

- "/server1..." (everything on "server1"),
- "/server1.../Asset" (i.e. both database and schema on server1),
- "/server1.../Asset/database/" (i.e. all instances of Asset in the database on server1).

I may not have the best model for your hierarchy, but this is the idea. The resource is not inherently hierarchical, but your management of it may be.

You could implement this with the current XACML implementation if you use data type "...:string" for your "resource-id" and use function "regexp-string-match" to match on the set of resource-id values you want your policy to apply to.

Anne

> 1. If I do direct comparison to object model or database schema of my
> application, then it seems like it has to be "asset:database1,server1",
> i.e. primary key plus table name in terms of relational DB. In this
> case, attribute comparison is a pain. What if I want to allow access to
> certain databases only? Also, if I want to allow access only to assets,
> but not other resources, then again I have to parse resource-id or
> introduce resource-type attribute and so on.
>
> 2. On the other hand, I can define resource-id as simply "asset", then
> primary key columns will go into other attributes of the resource. This
> approach is easier for policy writing, but it gives a totally different
> meaning to resource identity.
>
> Currently, I'm using the latter, and happy with it. However, I'm not
> sure that it's the right way.
>
> Thanks,
> Argyn

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
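As an added illustration of the approach Anne describes (this is example policy text written for this archive page, not code from Anne, Argyn or the Sun XACML project), the XACML 1.0 policy below keys on a string resource-id laid out as a path and uses regexp-string-match to cover every Asset instance in one database. The path layout "/server1/Asset/<database>/<asset-id>" is an assumption, chosen to make Argyn's "asset:database1,server1" identity into a hierarchy; the PolicyId and RuleId values are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed resource-id layout: /server1/Asset/<database>/<asset-id>
     A request carrying the resource-id value
       /server1/Asset/database1/asset1
     with action-id "read" matches this policy and is permitted.
     A resource-id under a different database, or a different action,
     falls outside the Target and the policy returns NotApplicable. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="example:assets-in-database1-on-server1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <Resource>
        <!-- regexp-string-match(regex, resource-id): the AttributeValue
             is the regular expression, the designator supplies the
             resource-id string from the request context. -->
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^/server1/Asset/database1/[^/]+$</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <!-- Only the "read" action is permitted on the matched assets; no Deny
       rule is written, so every other action yields NotApplicable. -->
  <Rule RuleId="example:permit-read-on-assets" Effect="Permit">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
</Policy>
```

Widening the regular expression to "^/server1/Asset/" or "^/server1/" gives the coarser grants from Anne's list (all Assets on server1, or everything on server1) without changing the request format; anchoring the pattern with ^ and $ matters, since an unanchored "/server1/Asset/database1/" would also match a longer path that merely contains that substring.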