Subject: Fwd: [xacml-users] hierarchical resources
---------- Forwarded message ----------
From: Argyn <jawabean@gmail.com>
Date: Jun 21, 2006 2:07 PM
Subject: Re: [xacml-users] hierarchical resources
To: seth proctor <Seth.Proctor@sun.com>

if the companies are organized truly hierarchically, like a tree, then i'd suggest using something like X.500 names to identify companies, then match them using regexp or similar techniques.

if you have two companies: Parent and Child, then their names would be something like: "o=Parent" and "o=Parent,ou=Child"

now you can use rules matching names like "o=Parent", so both entries would match.

this is just an idea, i didn't try this myself. when i was considering hierarchical resources in XACML, i wasn't satisfied with the way they are implemented. so, i didn't use hierarchical resources at all.

thanks
argyn

On 6/21/06, seth proctor <Seth.Proctor@sun.com> wrote:
>
> Argyn wrote:
> > your problem would be to find PDP which actually supports hierarchical
> > resources
>
> SunXACML supports the 1.x notion of Hierarchical Resources.
>
> Dhirendra - While I haven't done a lot of work with hierarchies, what
> you've described seems like a pretty reasonable approach. You could also
> think about defining the company memberships as nested groups and
> writing your policies to say "if the user is in this group" with an AFM
> or custom function that expands correctly. For that matter, you could
> just use some regexp or XPath notation, but I think that gets less
> flexible pretty quickly.
>
>
> seth
>
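
The name-matching idea from the message above, as an added example that is not part of the original thread or of any XACML implementation: it compares an unanchored regexp, an anchored regexp, and a component-by-component comparison for the rule "o=Parent". The function names and every sample name other than "o=Parent" and "o=Parent,ou=Child" are constructed for illustration, and the parser assumes names without escaped commas or multi-valued components.

```python
import re

def parse_name(name):
    """Split 'o=Parent,ou=Child' into [('o', 'Parent'), ('ou', 'Child')].
    Assumption: no escaped commas and no multi-valued components."""
    parts = []
    for component in name.split(","):
        attr, sep, value = component.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed name component: {component!r}")
        parts.append((attr.strip().lower(), value.strip()))
    return parts

def naive_match(rule, resource):
    """Unanchored regexp search on the raw string."""
    return re.search(rule, resource) is not None

def anchored_pattern(rule):
    """Regexp accepting the rule's own name, or that name extended by whole components."""
    return "^" + re.escape(rule) + r"(,.+)?$"

def hierarchy_match(rule, resource):
    """True when resource is the rule's company or one of its descendants,
    compared one component at a time instead of as a substring."""
    wanted, actual = parse_name(rule), parse_name(resource)
    return len(actual) >= len(wanted) and actual[:len(wanted)] == wanted

# Constructed sample names, laid out root-first as in the message.
SAMPLES = [
    "o=Parent",
    "o=Parent,ou=Child",
    "o=Parent,ou=Child,ou=Grandchild",
    "o=ParentCo",          # different company whose name merely starts the same way
    "o=Holding,o=Parent",  # same string, but not at the root of the tree
]

def compare(rule, names=SAMPLES):
    """Return {name: (naive, anchored, component-wise)} for one rule."""
    anchored = re.compile(anchored_pattern(rule))
    return {
        n: (naive_match(rule, n), bool(anchored.match(n)), hierarchy_match(rule, n))
        for n in names
    }

if __name__ == "__main__":
    for name, (naive, anchored, components) in compare("o=Parent").items():
        print(f"{name:33} naive={naive!s:5} anchored={anchored!s:5} components={components}")
```

The unanchored rule also grants a match to "o=ParentCo" and "o=Holding,o=Parent", which is the kind of over-broad result to check for before a regexp rule goes into a policy.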