RE: [xacml-users] Reg. <ResourceContent>

["Daniel Engovatov" <dengovatov@bea.com>]

In many systems I have dealt with subject attributes are accessible from
a directory protocol (as LDAP).  It would seem that they would be much
more suited to mapping to the name-value model of the notional context,
rather then presented as an XML document. 

But renaming the ResourceContent to Content does seem appealing for
clarification of its purpose.  But as the request is a single document,
it does NOT seem appealing to have more then one root for path
expression.

We will need to revisit our mapping to Xpath/XQuery data model anyway
once those standards reach recommendation stage (we are currently
starting (second) last call comments phase on them)

Daniel;

-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at] 
Sent: Friday, April 01, 2005 1:05 AM
To: Prakash Yamuna; Seth Proctor
Cc: Daniel Engovatov; xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Reg. <ResourceContent>

parkash,

your given example makes sence, since in a distributed workflows, the 
subject (caller) is not already known  n it is not always possible to 
extract the callers data from the database, so it will be really handy
if 
caller(subject) attributes can be enclosed in the <subjectContent>
element 
instead of their specification through some other means.

agreed ??
Muhammad.
----- Original Message ----- 
From: "Prakash Yamuna" <techpy@gmail.com>
To: "Seth Proctor" <Seth.Proctor@sun.com>
Cc: "Daniel Engovatov" <dengovatov@bea.com>; 
<xacml-users@lists.oasis-open.org>
Sent: Thursday, March 31, 2005 5:26 AM
Subject: Re: [xacml-users] Reg. <ResourceContent>


> Thanks for the response Seth - defining custom datatypes is what I
> have gone ahead with...
>
> But I was hoping somebody could throw some light as to why the XACML
> committe felt a need for <ResourceContent> but not
> <SubjectContent>...and hence my email.
>
> I am not sure I totally understand the distinction b/w using
> <ResourceContent> as a place to store XML data versus actual content
> of the resource.
>
> To me for example: a Subjec X - xml representation maybe:
> <MySubject uid="X" firstName="prakash" org="somegodforsakenorg" 
> supervisor="Y"/>
>
> So if Subject Y is deleting Subject X then:
>
> I could have said:
> <Request...>
> <SubjectContent>
> <MySubject uid="Y" firstName="mymanagerwhowillbeanonymous"
> org="somegodforsakenorg" supervisor="A"/>
> </SubjectContent>
> <ResourceContent>
> <MySubject uid="someuniqueid" firstName="prakash"
> org="somegodforsakenorg" supervisor="Y"/>
> </ResourceContent>
> <Action>
> ...
> </Request>
> Then in my policy all I had to say was if my supervisor of X is the
> subject trying to delete then go ahead and delete.
>
> I can do all this through custom datatypes and attributes - I
> understand - as I said I was more curious to understand the rationale
> than anything else...
>
> Thanks,
> prakash
>
> On Wed, 30 Mar 2005 22:08:45 -0500, Seth Proctor
<Seth.Proctor@sun.com> 
> wrote:
>
>> Yeah, I understand where you're going. Basically, don't think of
>> ResourceContent as a place to store XML data. Think of it as the
place
>> where you include the actual content of the resource you're trying to
>> access. The fact that the connonical representation is XML, and that
>> you can query it using XPath, is just a concidence :)
>>
>>
>> seth
>>
>>
>