Subject: Re: [xacml] resource model in xacml policy. (item 42)






Hi, Simon

I am not clear on what you wanted to say.

>Resource model is not described in xacml, but must be defined
>elsewhere in descriptive language.
> ...
>To make policy consistent with resource model, resource model
>must be declared in the xacml policy (rule combiner alg ?) and
>defined in resource specific profile of xacml.

So your suggestion is to support resource model definition in
XACML 2.0?

>Syntactic expressions over resource hierarchy making rules
>applicable to subtree (as opposed to one node) is not a
>substitute for the property of rule propagation, but a syntactic shortcut.

Do you mean that a function like xpath-node-match corresponds to a
syntactic shortcut?

>One aspect of resource model is permission implication.

In my opinion, permission implication is a minor aspect in the resource
model semantics. The major aspect is resource hierarchy, right?

Michiharu



                                                                           
             "Simon Godik"                                                 
             <simon.godik@over                                             
             xeer.com>                                                  To 
                                       <xacml@lists.oasis-open.org>        
             2004/01/22 17:34                                           cc 
                                                                           
                                                                   Subject 
                                       [xacml] resource model in xacml     
                                       policy.  (item 42)                  
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Resource model in xacml proposal.

If policy writer assumes resource model and subsequently uses model
specific resource expressions that require resource instance for
evaluation, resource instance must be made available in the request
context. Resource model is not described in xacml, but must be defined
elsewhere in descriptive language.

One aspect of resource model is permission implication. For example, "read"
permission may require "search" permission, and "write" permission may
imply "read" permission. All these details must be spelled out in the
resource model description. The PDP must be aware of the resource model and use it
in solving the authorization query.

When a resource is hierarchical, permission propagation up and down the resource
hierarchy must be described. Syntactic expressions over the resource hierarchy
making rules applicable to a subtree (as opposed to one node) are not a
substitute for the property of rule propagation, but a syntactic shortcut.
Resource model semantics must specify permission propagation.

To make policy consistent with resource model, resource model must be
declared in the xacml policy (rule combiner alg ?) and defined in resource
specific profile of xacml.

Simon
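The two resource-model aspects Simon raises, permission implication ("write" implies "read", "read" requires "search") and permission propagation down a resource hierarchy, can be made concrete with a small toy PDP. The following is an added illustration written for this archive page; it is not XACML 2.0 semantics, not code from the XACML TC, and not any XACML implementation. The resource model (`IMPLIES`, `HIERARCHY`), the rule tuple format, the deny-overrides combiner and every function name are assumptions chosen for the example.

```python
"""Toy PDP illustrating permission implication and hierarchical propagation.

Added example, not XACML semantics: the resource model, rule format and
combining algorithm below are assumptions made for illustration only.
"""
from collections import deque

# Constructed resource model: a permission maps to the permissions it implies.
# "write" implies "read"; "read" requires (and so here implies) "search".
IMPLIES = {
    "write": {"read"},
    "read": {"search"},
}

# Constructed resource hierarchy: parent node -> child nodes.
HIERARCHY = {
    "/docs": ["/docs/public", "/docs/hr"],
    "/docs/hr": ["/docs/hr/salaries"],
}

# Constructed rules: (subject, resource node, action, effect, propagates to subtree?)
RULES = [
    ("alice", "/docs", "write", "Permit", True),
    ("bob", "/docs/public", "read", "Permit", True),
    ("bob", "/docs/hr/salaries", "read", "Deny", False),
]


def implied_permissions(action):
    """Transitive closure of permission implication, including action itself."""
    seen = {action}
    queue = deque([action])
    while queue:
        current = queue.popleft()
        for implied in IMPLIES.get(current, ()):
            if implied not in seen:
                seen.add(implied)
                queue.append(implied)
    return seen


def descendants(node):
    """Every node strictly below node in the resource hierarchy."""
    out = set()
    queue = deque(HIERARCHY.get(node, []))
    while queue:
        current = queue.popleft()
        if current not in out:
            out.add(current)
            queue.extend(HIERARCHY.get(current, []))
    return out


def rule_applies(rule, subject, resource, action):
    """Decide whether a rule covers the request under the resource model.

    Implication is directional: a Permit on r_action also covers everything
    r_action implies, while a Deny on r_action also blocks every action that
    would imply r_action (denying "read" must also deny "write").
    """
    r_subject, r_node, r_action, effect, propagates = rule
    if r_subject != subject:
        return False
    if effect == "Permit":
        if action not in implied_permissions(r_action):
            return False
    else:
        if r_action not in implied_permissions(action):
            return False
    if r_node == resource:
        return True
    # Propagation down the hierarchy is a property of the rule, not a
    # syntactic subtree expression written by the policy author.
    return propagates and resource in descendants(r_node)


def decide(subject, resource, action):
    """Deny-overrides combination of applicable rules (an assumed choice)."""
    effects = [r[3] for r in RULES if rule_applies(r, subject, resource, action)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    for request in [("alice", "/docs/hr/salaries", "search"),
                    ("bob", "/docs/hr/salaries", "write"),
                    ("bob", "/docs/hr", "read")]:
        print(request, "->", decide(*request))
```

Note how the Deny on "read" at `/docs/hr/salaries` also blocks "write" there, and how alice's "write" at `/docs` propagates down to grant "search" on `/docs/hr/salaries` only because the rule is marked as propagating; with `propagates` set to `False` the same rule would cover the single node. Both behaviours come from the resource model, which is why the thread argues the model must be declared alongside the policy rather than left implicit.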


