Subject: Re: [xacml] resource model in xacml policy. (item 42)
Hi, Simon,

I am not clear on what you wanted to say.

>Resource model is not described in xacml, but must be defined
>elsewhere in descriptive language.
> ...
>To make policy consistent with resource model, resource model
>must be declared in the xacml policy (rule combiner alg ?) and
>defined in resource specific profile of xacml.

So your suggestion is to support resource model definition in XACML 2.0?

>Syntactic expressions over resource hierarchy making rules
>applicable to subtree (as opposed to one node) is not a
>substitute to the property of rule propagation, but syntactic shortcut.

Do you mean that a function like xpath-node-match corresponds to a syntactic shortcut?

>One aspect of resource model is permission implication.

In my opinion, permission implication is a minor aspect in the resource model semantics. The major aspect is resource hierarchy, right?

Michiharu

"Simon Godik" <simon.godik@overxeer.com>
2004/01/22 17:34
To: <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] resource model in xacml policy. (item 42)

Resource model in xacml proposal.

If policy writer assumes resource model and subsequently uses model specific resource expressions that require resource instance for evaluation, resource instance must be made available in the request context.

Resource model is not described in xacml, but must be defined elsewhere in descriptive language.

One aspect of resource model is permission implication. For example, "read" permission may require "search" permission, and "write" permission may imply "read" permission. All these details must be spelled out in the resource model description. Pdp must be aware of resource model and use it in solving authorization query.

When resource is hierarchical, permission propagation up and down resource hierarchy must be described. Syntactic expressions over resource hierarchy making rules applicable to subtree (as opposed to one node) is not a substitute to the property of rule propagation, but syntactic shortcut.

Resource model semantics must specify permission propagation. To make policy consistent with resource model, resource model must be declared in the xacml policy (rule combiner alg ?) and defined in resource specific profile of xacml.

Simon
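
The distinction drawn in this thread between a syntactic subtree match and a PDP that knows the resource model, as an added Python sketch that is not part of either message or of the XACML specification. The grants, the paths, the function names and the choice of downward-only propagation are constructed assumptions; the "write implies read" and "read requires search" relations are the examples named in the original post.

```python
# Added illustration; the model, grants and names below are constructed assumptions.
IMPLIES = {"write": {"read"}}     # "write" permission implies "read"
REQUIRES = {"read": {"search"}}   # "read" is usable only together with "search"

# Constructed grants: (subject, resource node) -> permissions granted at that node
GRANTS = {
    ("alice", "/docs"): {"write", "search"},
    ("bob", "/docs"): {"read"},
    ("carol", "/docs/hr"): {"read", "search"},
}

def ancestors(path):
    """Yield the node itself, then each ancestor up to the root."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])

def implied_closure(perms):
    """Add every permission reachable through IMPLIES."""
    closure, stack = set(perms), list(perms)
    while stack:
        for implied in IMPLIES.get(stack.pop(), ()):
            if implied not in closure:
                closure.add(implied)
                stack.append(implied)
    return closure

def permitted_by_subtree_match(subject, action, resource):
    """Syntactic shortcut: a grant matches the node and its subtree, nothing more."""
    return any(action in GRANTS.get((subject, node), ())
               for node in ancestors(resource))

def permitted_by_model(subject, action, resource):
    """Model-aware PDP: downward propagation, then implication and requirement."""
    held = set()
    for node in ancestors(resource):
        held |= GRANTS.get((subject, node), set())
    held = implied_closure(held)
    return action in held and REQUIRES.get(action, set()) <= held

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, permitted_by_subtree_match(who, "read", "/docs/hr/a.txt"),
              permitted_by_model(who, "read", "/docs/hr/a.txt"))
```

The two evaluators disagree in both directions: the subtree match misses a read that follows from a write grant, and it permits a read whose required search permission is not held.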