RE: [xacml] [Issue] How many resourceIds in request context?

["Daniel Engovatov" <dengovatov@bea.com>]

Scoped request is only one kind of a request.  Requiring to provide a special “dummy” value in the context to accommodate for that is a pretty ugly limitation in my opinion, especially as we do not define in any form what “hierarchical” really means – leaving the structure of resource outside of specification.  

I think that for such requests what “resource” is should be inferred from the context (which may, or may not contain any specific attributes) and if any hierarchical relationship is declared in any form, they should be used.

I would think that a requirement for strict and unique identification of “resource” and unduly burdensome and shall not be needed.  I will try to propose how it can be avoided.

 

Daniel.

 

 

 

-----Original Message-----
From: Satoshi Hada [mailto:SATOSHIH@jp.ibm.com]
Sent: Monday, January 05, 2004 6:09 PM
To: XACML
Subject: RE: [xacml] [Issue] How many resourceIds in request context?

 

>> It should not be required

I think it should be required to clarify how to process a hierarchical resource and the "scope" attribute.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com

"Daniel Engovatov" <dengovatov@bea.com>

2004/01/06 11:02

To	Satoshi Hada/Japan/IBM@IBMJP, "XACML" <xacml@lists.oasis-open.org>
cc
Subject	RE: [xacml] [Issue] How many resourceIds in request context?

 

Ouch.  This is bad.  This is real bad.  I did not notice this sentence.  It should not be required.   Will think on what interpretation I can suggest instead.
Daniel.

Also, Section 7.8 says that if the "scope" value is "Immediate"
or omitted, the request SHALL be interpreted to apply to
just the single resource specified by the "resource-id"
attribute.
I think this description implies that
there must be one and only one "resource-id" attribute
in any request context.