[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] WI#9 Proposal: policies referring to hierarchical resources
>3. Can we possibly be the first group to run up against this >problem? Why aren't there suitable XML schemas and functions >already available in some other standard? I have Google'd and >asked, but have not found anything so far. Definitely not the first, though I am also unaware on any relevant XML schema's designed. One problem with the proposed approach is that it assumes that structure of the resource hierarchy is not only well defined, but also well known when the policy is written. I think a more flexible approach would be to address the hierarchical policies using some well defined profile for resource attribute inheritance. That will not impose any particular rigid structure on customer's resources. An example of such approach would be to require the "resource-id" attribute to be a bag that includes some resource specific value and values of all "parent" resources. Then using some matching and bag operation one can target a rule to a variety of resource hierarchy subsets. That does not impose performance penalty by itself, as the "hierarchy" can be effectively reconstructed during policy compilation at the PDP. But that allows the policy author not to deal with a particular resource structure before the policy is actually used. Daniel;
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]