Subject: RE: [xacml-users] Implementing UNIX file system acl using xacml

Marco,

Must you use XACML 2.0? This is an important use case, and represents a general pattern that should be handled by XACML. The 3.0 improvements to the hierarchical profile, and perhaps the 'access-permitted' function of XACML 3.0, might help.

I have not used XACML 2.0 in quite a while, so I would prefer to analyze this with respect to 3.0, but if you are stuck with 2.0 I will see what can be done.

Regards,
--Paul

-----Original Message-----
From: Ludwig Seitz [mailto:ludwig@sics.se]
Sent: Monday, November 14, 2011 7:49 AM
To: Marco Biagi
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml

On mån, 2011-11-14 at 14:29 +0100, Marco Biagi wrote:
> Thank you for your new reply!
> I had already considered this solution too, but I had discarded it
> because in this way, like the previous one, the authorization logic is
> not in the policy but in the function I write, for example in Java (in
> the previous solution it was in the PEP).
> I think that a good solution should have authorization logic exactly
> where you expect it to be, in the policy.
> I think it is strange that a language such as XACML doesn't allow one to
> write this type of policy with its expression language.
> Is it possible that the XACML expression language (I'm talking about the
> 2.0 version) has some limitations working on higher-order bags?
> Thank you in advance again!
> Regards,

Without looking more closely I'm inclined to believe you are right: It is a limitation of the XACML language.

If you design a generic XACML extension to solve this problem, I would encourage you to submit it to the TC; it may become part of the next version of XACML.

/Ludwig

--
Ludwig Seitz, PhD
Swedish Institute of Computer Science
Ideon Science Park
Building Beta 2 3v
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70-349 92 51
http://www.sics.se