Amir Ali, I am wondering if perhaps there is some confusion of terminology going on. By its nature, the A&D Profile, and specifically the Reduction process involves a minimum of two policies: an Access Policy and an Admin Policy which authorizes it. For them to be evaluated they must be contained in a Policy Set. This is the absolute minimum. A real world configuration might have hundreds of Policies and dozens of Policy Sets. This makes me wonder what you are actually referring to. If you mean a delegation structure for the rules within a policy, well the TC more or less decided the scheme is already pretty complicated and there is no need to make it twice as complicated. Also there is a TC principle dating back to 1.0 that Policies are the unit of administration. We don’t sign anything smaller than a Policy, for example. However, I am very pleased at your interest in the A&D Profile. I am curious about the nature of your interest. There has been discussion recently on the TC list (public archive: https://lists.oasis-open.org/archives/xacml/) to the effect that few commercial organizations see a need for these capabilities. As a result interest is fairly low. The XACML TC would be very pleased to learn of any usecase for these capabilities, even in an academic or research context. My personal belief is that either this profile will eventually satisfy some real world requirements or it will provide a basis for experimenting with its use enough to be able to devise something better. For example, I could imagine experimenting with a complex access control system in the context of supporting a comprehensive social-collaboration environment used by students and faculty. Best Regards, Hal From: Amir Ali [mailto:12msccsaali@seecs.edu.pk]
Sent: Wednesday, February 11, 2015 11:18 PM
To: Steven Legg
Cc: xacml-comment@lists.oasis-open.org
Subject: Re: [xacml-comment] Query Regarding XACML Delegation Profile v1.0 (16 April, 2009) I think it should be cleared in this profile (as we are treated it a standard), that reduction MUST be or MAY be performed against policy set or policy. I am very thankful to you for your prompt reply. On Thu, Feb 12, 2015 at 5:08 AM, Steven Legg <steven.legg@viewds.com> wrote:
Hi Amir Ali,
On 12/02/2015 4:39 AM, Amir Ali wrote:
At line # 138-139, profile says that "Reduction is always performed in the context of a request R, which is being evaluated *against a policy set*." Let me know that "*Reduction*must be performed *against a policy set*" *or we can performed reduction against a policy*". ?.
The policy set referred to in this statement is the policy set containing
the untrusted policy P, which is the policy to be reduced. The administrative
request A, generated from R and P, is evaluated against the other policies
in the policy set referred to above, i.e., the siblings of P.
Note the statement at the beginning of the Glossary:
"For simplicity, this document uses the term policy to include the XACML
definitions for both policy and policy set."
Thus the policy P may instead be a policy set, and the sibling policies that
authorize it may instead be policy sets.
Regards,
Steven
-- |