xacml-users message


Subject: Fwd: [xacml-users] hierarchical resources


---------- Forwarded message ----------
From: Argyn <jawabean@gmail.com>
Date: Jun 21, 2006 2:07 PM
Subject: Re: [xacml-users] hierarchical resources
To: seth proctor <Seth.Proctor@sun.com>


if the companies are organized truly hierarchically, like a tree, then
i'd suggest using something like X.500 names to identify companies,
then match them using regexp or similar techniques.

if you have two companies: Parent and Child, then their names would be
something like:
"o=Parent"
and
"o=Parent,ou=Child"

now you can use rules matching names like "o=Parent", so both entries
would match. this is just an idea, i didn't try this myself.

when i was considering hierarchical resources in XACML, i wasn't
satisfied with the way they are implemented. so, i didn't use
hierarchical resources at all.

thanks
argyn

On 6/21/06, seth proctor <Seth.Proctor@sun.com> wrote:
>
> Argyn wrote:
> > your problem would be to find PDP which actually supports hierarchical
> > resources
>
> SunXACML supports the 1.x notion of Hierarchical Resources.
>
> Dhirendra - While I haven't done a lot of work with hierarchies, what
> you've described seems like a pretty reasonable approach. You could also
> think about defining the company memberships as nested groups and
> writing your policies to say "if the user is in this group" with an AFM
> or custom function that expands correctly. For that matter, you could
> just use some regexp or XPath notation, but I think that gets less
> flexible pretty quickly.
>
>
> seth
>
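
The name-matching idea from the forwarded message, as an added example that is not part of the original messages or of any XACML implementation. It compares an unanchored regexp match with a component-by-component comparison, which only matches on RDN boundaries. Assumptions: names are written root-first as in the message ("o=Parent,ou=Child"), contain no escaped commas or multi-valued RDNs, and the function names are hypothetical.

```python
import re


def parse_name(name):
    """Split a root-first name such as "o=Parent,ou=Child" into normalised RDNs.

    Assumption: no escaped commas and no multi-valued RDNs.
    """
    rdns = []
    for part in name.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def naive_match(rule_name, resource_name):
    """Unanchored regexp match: true if rule_name occurs anywhere in the name."""
    return re.search(re.escape(rule_name), resource_name) is not None


def in_subtree(rule_name, resource_name):
    """True if resource_name is rule_name itself or one of its descendants.

    The comparison is done RDN by RDN from the root, so a rule can never
    match part of a component or a component deeper in another tree.
    """
    rule = parse_name(rule_name)
    resource = parse_name(resource_name)
    return resource[:len(rule)] == rule


# The first two names are from the message; the last two are constructed
# to show where the two approaches disagree.
SAMPLES = [
    "o=Parent",
    "o=Parent,ou=Child",
    "o=ParentCo",                # different company, shared name prefix
    "o=Other,ou=Unit,o=Parent",  # "o=Parent" appears below another root
]


def compare(rule_name="o=Parent"):
    """Return {name: (naive result, component-wise result)} for SAMPLES."""
    return {n: (naive_match(rule_name, n), in_subtree(rule_name, n)) for n in SAMPLES}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:28} naive={naive!s:5} in_subtree={strict}")
```

For the rule "o=Parent", both approaches accept the two names from the message, but only the unanchored regexp also accepts the two constructed names that belong to other companies.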

