Subject: RE: [xacml] [Issue] How many resourceIds in request context?



>> Why can a rule without “resource-id” not be processed?

My comment is NOT about a rule, but about a request context.

I thought Section 7.8 (of XACML1.0 and 1.1) means that:
if a request context specifies the "scope" attribute, and
if the "scope" value is either "Children" or "Descendants",
we need to list all the child or descendant resources of
the target resource identified by the "resource-id" attribute,
and make an access decision for each of them.

I thought Section 7.8 means that
there must be one and only one "resource-id" attribute
in the request context in order to process the "scope"
attribute and list all the child or descendant resources.

Do you mean that you can list them without knowing
the "resource-id" attribute?
It may be possible, but I don't think it conforms to
the description of Section 7.8.

Also, Section 7.8 says that if the "scope" value is "Immediate"
or omitted, the request SHALL be interpreted to apply to
just the single resource specified by the "resource-id"
attribute.
I think this description implies that
there must be one and only one "resource-id" attribute
in any request context.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com
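Satoshi's reading of Section 7.8, as an added example that is not part of the thread: a Python sketch that takes an XACML 1.0 request context, insists on exactly one "resource-id", and expands the "scope" attribute against a resource hierarchy. The attribute URNs are the XACML 1.0 identifiers; the hierarchy, the sample request, and the choice to include the target resource itself in the Children/Descendants list are assumptions of the example.

```python
import xml.etree.ElementTree as ET

NS = {"c": "urn:oasis:names:tc:xacml:1.0:context"}
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SCOPE = "urn:oasis:names:tc:xacml:1.0:resource:scope"

# Constructed hierarchy (parent -> immediate children) standing in for what the PDP knows.
HIERARCHY = {
    "urn:example:buildingA": ["urn:example:buildingA:sectorB", "urn:example:buildingA:sectorC"],
    "urn:example:buildingA:sectorB": ["urn:example:buildingA:sectorB:room1"],
}

# Constructed XACML 1.0 request context: one resource-id plus scope="Descendants".
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>urn:example:buildingA</AttributeValue></Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Descendants</AttributeValue></Attribute>
  </Resource>
</Request>"""

def resource_attr_values(request_xml, attribute_id):
    """All <AttributeValue> texts carried by the given AttributeId under <Resource>."""
    root = ET.fromstring(request_xml)
    return [av.text for a in root.findall("c:Resource/c:Attribute", NS)
            if a.get("AttributeId") == attribute_id
            for av in a.findall("c:AttributeValue", NS)]

def descendants(rid):
    """Every resource below rid in HIERARCHY, depth first."""
    out = []
    for child in HIERARCHY.get(rid, []):
        out.extend([child] + descendants(child))
    return out

def resources_to_decide(request_xml):
    """Resources a PDP must reach a decision for, following the Section 7.8 reading."""
    ids = resource_attr_values(request_xml, RESOURCE_ID)
    if len(ids) != 1:  # scope can only be resolved relative to a single target
        raise ValueError(f"expected exactly one resource-id, found {len(ids)}")
    scopes = resource_attr_values(request_xml, SCOPE)
    scope = scopes[0] if scopes else "Immediate"  # omitted scope is treated as Immediate
    rid = ids[0]
    if scope == "Immediate":
        return [rid]
    if scope == "Children":
        return [rid] + HIERARCHY.get(rid, [])
    if scope == "Descendants":
        return [rid] + descendants(rid)
    raise ValueError(f"unknown scope value {scope!r}")
```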



"Daniel Engovatov" <dengovatov@bea.com>
2004/01/06 10:09

To: Satoshi Hada/Japan/IBM@IBMJP, "XACML" <xacml@lists.oasis-open.org>
cc:
Subject: RE: [xacml] [Issue] How many resourceIds in request context?

Why?  Why can a rule without “resource-id” not be processed?  If a particular point in the context defines a hierarchical relationship, it can be inferred from the context.  Rules do not need to contain that information.
 
What if the resource is defined as a collection of name-value pairs, none of them having any special meaning?
What if you use multiple resources at the same time?  What if there are no resources?
 
Example:
Rule “Allow Joe to ENTER” – for each case when action ENTER is defined, Joe is allowed – quite a normal rule.  A request is made: “Can Joe enter building A?”  If “Building A” defines a hierarchical structure (“sector B” being one child), the response may be: “Joe may enter building A” and “Joe may enter building B”.  This can be inferred from the context.  If one wants to write a rule that applies to a hierarchy of objects – that still can be done using the resource structure mapped into the XML document.  But there is no need to restrict a general rule by requiring any particular attributes to be present.
 
As far as indexing goes – the requirement for easy indexing is that the attribute and operation used for indexing are efficient.  Nothing else is needed.
 
Daniel.
 
 
-----Original Message-----
From: Satoshi Hada [mailto:SATOSHIH@jp.ibm.com]
Sent: Monday, January 05, 2004 4:25 PM
To: 'XACML'
Subject: Re: [xacml] [Issue] How many resourceIds in request context?

 


>> Part of the motivation for requiring "one and only one" was based
>> on the need to index on something that would always be present.

One comment (based on Section 7.8 Hierarchical resources):

The following may be another motivation.

When a request context specifies a "scope" attribute,
I think that one and only one "resource-id" attribute
must be specified. Otherwise, we cannot process
the "scope" attribute.

In this sense, "resource-id" is special and
different from any other attributes.


Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com

Anne Anderson <Anne.Anderson@Sun.COM>
2004/01/06 04:02
Please respond to Anne.Anderson

To: "'XACML'" <xacml@lists.oasis-open.org>
cc:
Subject: Re: [xacml] [Issue] How many resourceIds in request context?

On 5 January, Seth Proctor writes: Re: [xacml] [Issue] How many resourceIds in request context?
> On Mon, 2004-01-05 at 11:33, Anne Anderson wrote:
> > Some people, including Hal and, I think, Seth, believe that there
> > absolutely must be one and only one resource-id attribute.  The
> > reasoning is that any Request must at least specify the
> > resource-id in order to know what is being accessed.
>
> I don't know why you think I have such a strong opinion on this. I don't
> think I've ever weighed in on this matter. I do believe that the spec
> currently requires a valid Request to contain exactly one resource-id
> attribute, so that requirement is in my open source project.

I stand corrected.  Seth convinced me that the spec currently
does require at least one resource-id, but he never stated an
opinion on whether that was goodness or not.

> > I disagree with this view.  I believe a resource could be
> > described via attributes other than its resource-id.  For
> > example, a Request could ask for access to a resource that has a
> > security label of "Top Secret".  The policy may not care what the
> > resource-id is, but is willing to grant or deny access based on
> > whether the Subject has a corresponding security clearance
> > attribute.

Part of the motivation for requiring "one and only one" was based
on the need to index on something that would always be present.
If we accept, however, that there are valid cases where policy is
based on resource attributes other than resource-id, then an
implementation that supplies its own default dummy resource-id
(when none is present) will be more robust than one that depends
on each application to provide the correct dummy value.

Anne
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692




