OASIS Mailing List Archives

xacml message



Subject: [xacml] target-mapping



Colleagues - The topic of target-mapping has been raised.  I had optimistically considered it out of scope.  But, that strategy seldom works, so I won't be surprised if it doesn't work here.

The issue is that the PDP receives a request for a decision concerning a specific (named) resource.  For efficiency purposes, the applicable policy may not be bound to a specific resource, but to a set of resources that includes the specific one referred to by the request.  I have called this set of resources the "classification".

I think the PDP has to be configured with the algorithm for converting a resource name into a classification.  Sometimes it may be an explicit attribute of the resource, supplied by the PEP, other times it may be obtained by truncating the resource's local path name, other times it may be obtained by replacing a string with a wildcard character.  There is no one algorithm that serves all situations.

I believe Hal has suggested that the policy identify (in the scope section) the algorithm for mapping between a resource and a classification.  The syntax, presumably, would be a URI.  XACML could then define one or two algorithms and assign identifiers to these.  But, this would also serve as one of our extensibility points at which others could define their own algorithms.

Any thoughts?  All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183
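
An added sketch of the scheme proposed in the message above (not part of the original message and not anything XACML defines): the policy names its resource-to-classification algorithm by URI, and the PDP resolves it through a registry that rejects unknown identifiers. The `urn:example:` identifiers, the function names and the policy dictionary fields are hypothetical.

```python
import posixpath

# Hypothetical algorithm identifiers; the message proposes URIs but names none.
ALG_EXPLICIT = "urn:example:target-mapping:explicit-attribute"
ALG_TRUNCATE = "urn:example:target-mapping:truncate-path"
ALG_WILDCARD = "urn:example:target-mapping:wildcard"


def explicit_attribute(resource, attrs, param):
    # Classification is an attribute supplied by the PEP; absent means no match.
    return attrs.get("classification")


def truncate_path(resource, attrs, param):
    # Normalize first so "a/../b" cannot land in another classification.
    path = posixpath.normpath("/" + resource)
    parts = [p for p in path.split("/") if p]
    depth = int(param)
    if len(parts) <= depth:
        return None  # the resource must lie beneath the classification
    return "/" + "/".join(parts[:depth])


def wildcard(resource, attrs, param):
    # Replace one literal string in the resource name with "*".
    if not param or param not in resource:
        return None
    return resource.replace(param, "*", 1)


REGISTRY = {ALG_EXPLICIT: explicit_attribute,
            ALG_TRUNCATE: truncate_path,
            ALG_WILDCARD: wildcard}


def classify(alg_uri, resource, attrs=None, param=None):
    """Map a named resource to its classification using the policy's algorithm."""
    try:
        algorithm = REGISTRY[alg_uri]
    except KeyError:
        # Unknown extension algorithm: refuse rather than guess a mapping.
        raise LookupError("unsupported target-mapping algorithm: " + alg_uri)
    return algorithm(resource, attrs or {}, param)


def policy_applies(policy, resource, attrs=None):
    # A policy is in scope only if the mapped classification equals its own.
    got = classify(policy["algorithm"], resource, attrs, policy.get("param"))
    return got is not None and got == policy["classification"]
```
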


