[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Rule References
Polar Humenn wrote: > Once rules incorporated referenced from outside the policy, it becomes > unwieldy, as you cannot specify the evaluation semantics of a policy in > the face of dynamically updating outside rules. it's not 'outside of the policy' so much as 'outside of the system' that i think causes the problems. this is a very appealing administrative feature; assume that you have rule that is used in a large number of policies: grant access X if Y where Y is some common condition like business hours. referential rules will allow you to change a single rule for numerous policies in one place. from a physical standpoint this greatly reduces the chance for typographical error and ensures consistency across all policies 'subscribed' to the rule. semantic definition is still possible, but it is limited to a 'closed system' (where updates to rules--or components of rules--stimulate the system to reevaluate affected polices). not sure if this [closed system] is a practical limitation, and it is unenforceable (particularly if defined as an URI). i find the overall concept attractive from an administration and policy storage perspective, but only as an implementation specific optimization mechanism. personally, i do it now for policy storage by *internally* indexing virtually all policy components; none of it is apparent to the XACML interface (not that it could handle it). what i think we need to consider is what XACML is defined to achieve. if it is simply a mechanism for the *interchage* of policy information then the integrity of the policy demands that all externally referenced information be fully disclosed at the time of transfer (excluding *static* references like specifications, standards, etc.) this then means that an additional mechanism for the full disclosure of external references must be defined or that the the contents of these references be incorporated into the policy in expanded form. neither is particularly appealing, so i would tend to agree that rule references are NOT practical in the scope of the XACML standard as i understand it. (the logic of which cascades down to conditions and obligations as well). b
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]