Attributes for domain objects

[Adam Constabaris <adamc@unc.edu>]

I would like to be able to write policies for domain objects of several
types.  There will be a policy for documents, another policy for groups,
and another for membership in groups (yep, this is all following on the
previous message about the 'multi-group RBAC' domain).  It seems to me
that the right way to write policies/policy sets for these objects is to
restrict the Targets by resource type ("this is the document policy",
"this is the group policy", etc.)

The general question is whether there's some wisdom (hopefully tested 
wisdom =) on how to accomplish this.  I've had two basic thoughts, one 
of which is to try to mush the object type into the resource-id 
attribute, and the other of which is to add a resource-type attribute. 
I have what I think is a reasonably common database-backed application, 
where the the domain objects have identifiers which are (a) numeric and 
(b) broadly meaningless outside the application domain.

The mushing approach involves, e.g. generating resource IDs by 
prepending some short string singling out the type ("document-NNN", 
"group-NNN", "membership-NNN") and use the result as the resource ID. 
The policies can then use a regexp matching function to match requests 
to read or modify resources of the relevant type.

A variation on this would be to adopt an XML namespace-based URI
(or RFC 4151-style "Tag URI")  as the resource ID for each object (this
also appeals because we'll probably want to use RDF to describe the 
domain objects).

The other approach that suggests itself is to add a new Resource 
attribute specifying the type of thing the policy applies to.  Since our 
application lives in Java-land, the ready-to-hand approach here would be 
to use the fully qualified class names.  The PEP and the 
request-generating code all "live inside" our application, but we may 
want to open things up to outside requests some day.

How are other folks handling this sort of situation?