xacml-users message



Subject: RE: [xacml-users] hierarchical resources


Hi,

The approach which I mentioned in my first note worked
for me. Now, I am extending it to meet more complex
hierarchy based security needs which includes going up
the hierarchy. Also, the goal is to generalize the
program so much so that attributes can be defined by
users themselves along with the place where the data
resides.

Thanks,
Dhirendra Sharma


--- Hal Lockhart <hlockhar@bea.com> wrote:

> The thing to understand about hierarchical resources is that there are
> many different semantics possible and in use by various access control
> models. The XACML TC gave up on trying to support them all and kind of
> defined some minimal capabilities. As a result some semantics are easy
> to support and some are hard. IMO some of these are very poorly
> conceived and bound to lead to results which will take admins by
> surprise.
> 
> BEA has implemented hierarchical resources in order to support some
> existing policy models which we inherited. I will see if our developer
> has time to contact you off list.
> 
> Hal
> 
> > -----Original Message-----
> > From: dhirendra sharma [mailto:dhirendra_sh@yahoo.com]
> > Sent: Wednesday, June 21, 2006 12:06 PM
> > To: xacml-users@lists.oasis-open.org
> > Subject: [xacml-users] hierarchical resources
> > 
> > Has anyone used hierarchical resources for authorization?
> > We have a hierarchical list of companies and users can
> > be granted access (read, update etc.) to the parent
> > company and he gets access to all the children
> > companies along with the parent company that he was
> > granted access.
> > 
> > 
> > I am planning to do the following:
> > 
> > Step 1: Write a custom resource finder by extending
> > ResourceFinderModule which returns a list of companies
> > based on the parent company.
> > 
> > Step 2: In Request context:
> > 
> > <Resource>
> >     <Attribute
> >         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> >         DataType="http://www.w3.org/2001/XMLSchema#string">
> >       <AttributeValue>Company-id</AttributeValue>
> >     </Attribute>
> > 
> >     <Attribute
> >         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope"
> >         DataType="http://www.w3.org/2001/XMLSchema#string">
> >       <AttributeValue>Descendants</AttributeValue>
> >     </Attribute>
> > 
> >   </Resource>
> > 
> > 
> > Step 3: In Policy file:
> > 	Still thinking about it. Any input welcome, from
> > how-to to best practice.
> > 
> > 
> > Does this approach look correct or is there some
> > alternative better way?
> > 
> > Thanks,
> > Dhirendra Sharma
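The downward-inheritance semantics asked about in the original question (a grant on a parent company covers its children, with the `Descendants` scope expanded by a resource finder), modelled in Python as an added example; it is not code from the thread and does not use the Sun XACML Java API. Company names, grants and function names are constructed, and the example assumes `Descendants` covers the named resource plus everything below it.

```python
# Added illustration: hierarchy, grants and function names are constructed/hypothetical.
CHILDREN = {                                  # parent -> direct children
    "acme": ["acme-eu", "acme-us"],
    "acme-eu": ["acme-de", "acme-fr"],
    "acme-us": [], "acme-de": [], "acme-fr": [], "globex": [],
}
GRANTS = {                                    # (subject, company) -> granted actions
    ("alice", "acme-eu"): {"read", "update"},
    ("bob", "acme-de"): {"read"},
}
PARENT = {child: parent for parent, kids in CHILDREN.items() for child in kids}


def find_descendants(root):
    """Resource-finder role: the resource itself plus everything below it.
    Fails closed on unknown or repeated nodes instead of looping or widening access."""
    if root not in CHILDREN:
        raise KeyError(f"unknown company: {root}")
    seen, order, stack = set(), [], [root]
    while stack:
        node = stack.pop()
        if node in seen:
            raise ValueError(f"cycle or shared child in hierarchy at {node}")
        seen.add(node)
        order.append(node)
        stack.extend(CHILDREN.get(node, []))
    return order


def decide(subject, action, company):
    """Policy role: Permit if the action is granted on the company or any ancestor."""
    node = company
    for _ in range(len(CHILDREN)):            # bounded walk, ends even on cyclic data
        if node is None:
            break
        if action in GRANTS.get((subject, node), set()):
            return "Permit"
        node = PARENT.get(node)
    return "Deny"


def evaluate(subject, action, resource_id, scope="Immediate"):
    """PDP role: one decision per resource; 'Descendants' expands via the finder."""
    if scope == "Immediate":
        targets = [resource_id]
    elif scope == "Descendants":
        targets = find_descendants(resource_id)
    else:
        raise ValueError(f"unsupported scope: {scope}")
    return {company: decide(subject, action, company) for company in targets}
```

In this model bob's grant on a child company produces Deny for its parent and siblings, so a rule that goes up the hierarchy has to be written separately rather than falling out of the downward one.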