
xacml-users message



Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml


I think the best solution to the problem is to improve the XACML expression language. It isn't possible to add a function to this standard every time we are not able to express something, as in this case study. It would be useful if a tag were added to XACML to define functions directly in XACML. In this way I could apply a function defined in XACML directly in a "high order bag function" like all-of:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
<Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:fooFunction"/>
.....
For example:

<functionDefine functionId="urn:oasis:names:tc:xacml:2.0:function:fooFunction">
<inputType dataType="...." />
<Apply ....

</Apply>
</functionDefine>

In this way it would be possible to refer to the function by functionId, and the auth logic would be expressed entirely in XACML.

Thank you and best regards.

Marco

On 11/14/2011 03:03 PM, Tyson, Paul H wrote:
This is an important use case, and represents a general pattern that should be handled by XACML.  The 3.0 improvements to the hierarchical profile, and perhaps the 'access-permitted' function of XACML 3.0, might help.

I have not used XACML 2.0 in quite a while, so I would prefer to analyze this with respect to 3.0, but if you are stuck with 2.0 I will see what can be done.

--
Dott. Marco Biagi

Netfarm s.r.l.
Phone: +39 050 0981576
Fax:   +39 050 777659
Web:   http://www.netfarm.it/
Email: marco.biagi@netfarm.it


