Subject: Re: [xacml] [policy-model]: group membership flatterning
> 3. pdp can maintain group hierarchy locally.

by this, you mean in a practical sense, right? in other words, this device is acting as the PDP as well as the PxP? (sorry, it is early and the name of the reference/information entity isn't coming to mind :o)

or, are we assuming that the pdp is also a repository of referential data and not just decision making logic?

phrased another way: how granular are we going to get with our model? it seems that there is significant variance on the playground and i don't think we have driven that stake into the ground yet. or have we?

b

>
> Pdp can maintain a policy on how to compute group closure for various
> subjects and resources.
> This policy could specify combinations of 1, 2, and 3.
>
> One policy could be that evidence from the request should be ignored,
> and direct group membership should be taken from attribute
> authorities,
> and group hierarchy should be kept in the pdp.
> In this case input from 1 is ignored and 2 is used in 3 for closure
> computation.
>
> Or we can take group membership from the evidence in the request only.
>
> Allowing pdp to specify a policy for group membership computation
> provides for the most
> flexibility.
>
> Simon Godik
> Crosslogix
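
The closure policy discussed in the quoted message, as an added sketch that is not from the thread or from any XACML implementation. It assumes, as the quoted text implies, that 1 is group evidence carried in the request and 2 is direct membership from an attribute authority; `ClosurePolicy`, `group_closure` and all sample data are hypothetical names and constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClosurePolicy:
    use_request_evidence: bool     # source 1 (assumed): groups asserted in the request
    use_attribute_authority: bool  # source 2 (assumed): direct membership from an authority
    use_local_hierarchy: bool      # source 3: group hierarchy held locally by the PDP

def group_closure(subject, policy, request_groups, authority_groups, hierarchy):
    """Return the set of groups `subject` is treated as a member of under `policy`."""
    direct = set()
    if policy.use_request_evidence:
        direct |= set(request_groups)
    if policy.use_attribute_authority:
        direct |= set(authority_groups.get(subject, ()))
    if not policy.use_local_hierarchy:
        return direct  # no flattening: direct membership only
    closure, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group in closure:
            continue  # already expanded; also terminates on a cyclic hierarchy
        closure.add(group)
        stack.extend(hierarchy.get(group, ()))  # parent groups of `group`
    return closure

# Constructed sample data.
REQUEST_GROUPS = {"admins"}                       # claimed by the requester
AUTHORITY_GROUPS = {"alice": {"payroll-clerks"}}  # vouched for by an attribute authority
HIERARCHY = {"payroll-clerks": {"finance"}, "finance": {"staff"}}  # child -> parents

# Policy from the message: ignore 1, take direct membership from 2, close over 3.
AUTHORITY_PLUS_HIERARCHY = ClosurePolicy(False, True, True)
# Alternative from the message: membership from the request evidence only.
REQUEST_ONLY = ClosurePolicy(True, False, False)

def demo():
    """Evaluate both policies for the same subject and request."""
    args = ("alice",), (REQUEST_GROUPS, AUTHORITY_GROUPS, HIERARCHY)
    return {
        "authority_plus_hierarchy": group_closure("alice", AUTHORITY_PLUS_HIERARCHY, *args[1]),
        "request_only": group_closure("alice", REQUEST_ONLY, *args[1]),
    }

if __name__ == "__main__":
    for name, groups in demo().items():
        print(name, sorted(groups))
```

Under the first policy the self-asserted `admins` group never enters the closure, while under the second it is the only group the PDP sees.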