Subject: RE: [xacml-users] Database schema for storing XACML policies
Hi Hal,

Some of your suggestions match exactly what I am planning to do. However, I do not have a complete picture yet. I will share once I have a complete picture.

Thanks,
Dhirendra Sharma

Subject: RE: [xacml-users] Database schema for storing XACML policies
From: "Hal Lockhart" <hlockhar@bea.com>
To: "Rajesh Koilpillai" <rajesh@infravio.com>, "dhirendra sharma" <dhirendra_sh@yahoo.com>, "Argyn" <jawabean@gmail.com>
Date: Thu, 22 Jun 2006 06:59:18 -0700
--------------------------------------------------------------------------------

I think the following is a sensible approach.

1. Select a portion of the Target to use as your primary key. If you are not sure what to use, I suggest using Resource. Possibly you might choose to use just a single attribute (e.g. Resource Name or Classification).

2. Extract the chosen value and put it in a primary key field in a convenient format which permits using Select statements to retrieve potentially applicable policies.

3. Put the entire policy as a blob in another field in the same record.

4. Use an API or stored procedure to implement adding and modifying records, so the Primary Key value remains consistent with the rest of the record.

5. When an access request is received use the primary key to retrieve candidate policies. Evaluate the rest of the Target and the Conditions of each to determine if it is applicable.

6. It may be desirable to generate other keys for management purposes, for example: Policy ID.

This is the way we always intended Target to be used. Obviously policy evaluation will be more efficient if Policy creation is "retrieval strategy aware." For example, choosing what is put in the Target vs. Conditions. This can be done by tooling or simply user conventions.

Hal

> -----Original Message-----
> From: Rajesh Koilpillai [mailto:rajesh@infravio.com]
> Sent: Friday, June 16, 2006 1:32 AM
> To: 'dhirendra sharma'; 'Argyn'
> Cc: xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] Database schema for storing XACML policies
>
> Hi,
>
> You should definitely go for a more granular schema as you have suggested in your email in order to run fine grained SQL queries to figure out policies applicable for a Subject, Resource or Action. Storing it as a CLOB is going to limit your options, when you have more policies stored in your database.
>
> Thanks,
> - Rajesh Koilpillai
>
> -----Original Message-----
> From: dhirendra sharma [mailto:dhirendra_sh@yahoo.com]
> Sent: Thursday, June 15, 2006 11:29 PM
> To: Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Database schema for storing XACML policies
>
> Hi,
>
> There can be potentially thousands of policies.
> How did you find applicable policies for given request?
>
> Thanks,
> Dhirendra Sharma
>
> --- Argyn <jawabean@gmail.com> wrote:
>
> > I thought about storing XACML schema in Db and gave up the idea. It didn't make a sense in my project. So, I had two things:
> >
> > 1. stored entire policy in TEXT type of field, such as CLOB
> > 2. some policies were generated from DB tables. I had a table with start and end time columns, then the policy was generated using these two columns
> >
> > thanks,
> > argyn
> >
> > On 6/15/06, dhirendra sharma <dhirendra_sh@yahoo.com> wrote:
> > > Hi All,
> > >
> > > Can someone share their database schema for storing XACML policies?
> > >
> > > We are planning to store the XACML policies in Oracle 9i database.
> > > Write a DatabasePolicyModule and based on Subject, Resource, Action and optionally Environment from the incoming Request build a database SQL query and find out all the applicable policies.
> > >
> > > I have defined a simple table called - POLICY with columns as follows:
> > > ---------------------------------------
> > > TARGET_ID VARCHAR2(20),
> > > SUBJECT VARCHAR2(1000),
> > > RESOURCE_ID VARCHAR2(1000),
> > > ACTION VARCHAR2(1000),
> > > POLICY VARCHAR2(4000)
> > > ---------------------------------------
> > >
> > > Using values of subject, resource and action from the request input, I build a SQL query and find out matching policies.
> > >
> > > I have following 2 questions.
> > >
> > > 1). Is above table and column idea good design for policy storage perspective or I am missing something?
> > >
> > > 2). Where should add this call to the database for find applicable policies in the code?
> > >
> > > Thanks,
> > > Dhirendra Sharma
> > >
> > > ---------------------------------------------------------------------
> > > This publicly archived list supports open discussion on using the XACML OASIS Standard. To minimize spam in the archives, you must subscribe before posting.
> > >
> > > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > > Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> > > List archives: http://lists.oasis-open.org/archives/xacml-users/
> > > Committee homepage: http://www.oasis-open.org/committees/xacml/
> > > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> > > Join OASIS: http://www.oasis-open.org/join/
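
An added example, not part of the original thread and not any poster's code: a policy store following Hal's numbered steps, using Python's sqlite3 in place of Oracle. The table layout, function names and the simplified attribute-style Target are assumptions; the resource key is a non-unique indexed column because several policies can name the same resource, with Policy ID as the row's primary key (step 6).

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed, simplified policies: real XACML Targets use Match elements and namespaces.
POLICIES = [
    '<Policy PolicyId="p1"><Target resource="payroll" action="read"/></Policy>',
    '<Policy PolicyId="p2"><Target resource="payroll" action="write"/></Policy>',
    '<Policy PolicyId="p3"><Target resource="wiki" action="read"/></Policy>',
]

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE policy (policy_id TEXT PRIMARY KEY, "
               "resource_key TEXT NOT NULL, policy_xml BLOB NOT NULL)")
    db.execute("CREATE INDEX policy_by_resource ON policy (resource_key)")
    return db

def put_policy(db, xml_text):
    """Step 4: the only write path, so the key is always derived from the blob."""
    root = ET.fromstring(xml_text)
    key = root.find("Target").get("resource")
    db.execute("INSERT OR REPLACE INTO policy VALUES (?, ?, ?)",
               (root.get("PolicyId"), key, xml_text.encode()))

def applicable(db, request):
    """Step 5: select candidates by key, then evaluate the rest of the Target."""
    rows = db.execute(
        "SELECT policy_xml FROM policy WHERE resource_key = ? ORDER BY policy_id",
        (request["resource"],))  # bound parameter: request values stay data, not SQL
    hits = []
    for (blob,) in rows:
        root = ET.fromstring(blob.decode())
        if root.find("Target").get("action") == request["action"]:
            hits.append(root.get("PolicyId"))
    return hits

def demo():
    db = open_store()
    for p in POLICIES:
        put_policy(db, p)
    return db
```

Because the request's resource value is bound rather than concatenated into the query, a value containing quote characters simply matches no key.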