[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] target-mapping
Tim writes: > The issue is that the PDP receives a request for > a decision concerning a specific (named)resource. > For efficiency purposes, the applicable policy > may not be bound to a specific resource, but to > a set of resources that includes the specific one > referred to by the request. I have called this > set of resources the "classification"... So part of the evaluation could be seen as an Xpath evaluation across an (abstract) infoset representing the collection of policies that the PDP knows about. This results in the set of policies that apply, for a given classification. But the question at hand concerns determining whether a resource has a particular attribute. From XACML's perspective there should be a consistent, abstract relationship between the resource and the attribute. How this attribute is in fact generated and returned must be hidden from the PDP; we should be able to replace one content management system (e.g. one that keeps content and attributes separate) with another (e.g. that merges content and attributes into heterogenous, perhaps XML-based structures) *without* affecting the policy expressions. > ...I think the PDP has to be configured with the > algorithm for converting a resource name into a > classification...There is no one algorithm that serves > all situations... I think this is potentially dangerous --- a roll-your-own name resolution system! The algorithm needs to be hidden behind the service interface of the attribute provider (the repository), not implemented at the requestor. Maybe I'm reading too much into some of what Tim has suggested (and by reference Hal)... John
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC