[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] Possible future XACML TC work
Hi, Now I'm wondering if my comments in my previous mail make no sense if I'm not talking about different requests. >>I assume you're talking about different requests This time, I'm talking about different requests. My original motivation was to evaluate a policy for hierarchical resources efficiently. For example, consider a policy with three rules (with the same condition) for the root resource and two child resources, and assume that we want to evaluate the policy for the root resource and get the evaluation results not only for ROOT, but also for CHILD1 and CHILD2. (according to Section 7.8) <Condition id="c1"> <!-- the definition of "c1" --> A condition description is here. </Condition> <Rule RuleId="r1" Effect="Permit"> <Target> resource-id=ROOT and action-id=READ </Target> <Condition ref="c1"> <!-- just a reference --> </Rule> <Rule RuleId="r2" Effect="Permit"> <Target> resource-id=CHILD1 and action-id=READ </Target> <Condition ref="c1"> <!-- just a reference --> </Rule> <Rule RuleId="r3" Effect="Permit"> <Target> resource-id=CHILD2 and action-id=READ </Target> <Condition ref="c1"> <!-- just a reference --> </Rule> Then we need to evaluate this policy using three different requests, which I think are the same except for the value of the resource-id attribute. The evaluation scenario with the condition cache is like this: When the first request for ROOT is evaluated, "r1" is matched and "c1" is evaluated. Then the second and third requests for CHILD1 and CHILD2 are evaluted, "r2" and "r3" are matched, and so we can reuse the evaluation result of "c1". (Here I'm assuming that the resource-id is not referenced in the condition "c1". For example, a condition on "current-date") Does this make sense? Satoshi Hada IBM Tokyo Research Laboratory mailto:satoshih@jp.ibm.com Satoshi Hada/Japan/IBM@IB To: Seth Proctor <seth.proctor@sun.com> MJP cc: XACML TC <xacml@lists.oasis-open.org> Subject: Re: [xacml] Possible future XACML TC work 2003/02/14 01:33 >>I assume you're talking about different requests I'm not talking about different requests. >> the Target requirements from the two rules can always be combined Do you mean that we can always combine two rules with different targets but with the same effect and same condition into a single rule? How to combine the following two rules? <Condition id="c1"> <!-- the definition of "c1" --> A condition description is here. </Condition> <Rule RuleId="r1" Effect="Permit"> <Target> subject-id="Manager" AND action-id="write" </Target> <Condition ref="c1"> <!-- just a reference --> </Rule> <Rule RuleId="r2" Effect="Permit"> <Target> subject-id="Employee" AND action-id="read" </Target> <Condition ref="c1"> <!-- just a reference --> </Rule> ----------------------------------------------------- If the XACML schema allows a rule to have multiple conditions (combined by "AND" or "OR"). We can write a policy like this. <Condition id="c1"/> <Condition id="c2"/> <Condition id="c3"/> <Rule id="r1"> <Condition ref="c1"> <Condition ref="c2"> </Rule> <Rule id="r2"> <Condition ref="c2"> <Condition ref="c3"> </Rule> In this case, the evaluation result of "c2" can be reused. My point is that the condition specification in rules can be composable by defining conditions outside rules and referencing the defined conditions from rules. I think such a composable feature would be useful for the cache of condition evaluation results. Satoshi Hada IBM Tokyo Research Laboratory mailto:satoshih@jp.ibm.com Seth Proctor <seth.proctor@sun To: Satoshi Hada/Japan/IBM@IBMJP .com> cc: Michiharu Kudoh/Japan/IBM@IBMJP, XACML TC <xacml@lists.oasis-open.org> Subject: Re: [xacml] Possible future XACML TC work 2003/02/14 00:46 > <Condition id="c1"> <!-- the definition of "c1" --> > A condition description is here. > </Condition> > <Rule id="r1"> > <Condition ref="c1"> <!-- just a reference --> > </Rule> > <Rule id="r2"> > <Condition ref="c1"> <!-- just a reference --> > </Rule> Per my last email, I assume you're talking about different requests, since this policy doesn't seem all that useful to me. If two rules have the same condition, then why have two rules? There's no real value that I can see in writing a policy like this unless you want different Target requirments, but the Target requirements from the two rules can always be combined (unless you want different Effects, but again I don't see why you form a Policy like that). Maybe I just need a more concrete example... seth ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC