RE: [xacml] WI#9 Proposal: policies referring to hierarchical resources

[Anne.Anderson@sun.com]

>>The Request Context is notional.  It does NOT mean the PEP has to
>>translate the entire filesystem into an XML Hierarchy instance
>>and actually put it into the Request Context. 
>
>I am not talking about XML, but about making the resource structure p
>art
>of the policy, instead of being part of dynamic context.

In the model I am trying to support, the policy writer does not necessarily
know the resource structure, and it is not necessarily static.  The policy
writer knows that "any file in Anne's home directory subtree is readable by
Anne", but does not know all the files that might be in that subtree at the
time someone (maybe Anne) makes a request to read one of those files.

>>I am specifically addressing the problem of how to handle
>>tree-structured hierarchical resources.  How do you define a
>>"hierarchical resource"?
>
>Ordered graph? 
>
>>Many resources are organized in tree-structured hierarchies.
>
>The issue is whether you need to know the structure while writing pol
>icy
>and who owns that structure.
>
>I think that if we can define specification that addresses your use c
>ase
>while being more flexible, that would be a good thing, wouldn't it? :
>)

That would be fine, but I have not seen anything yet that meets those
criteria.  I am not persuaded by your arguments so far and you have
not provided enough information to see what your alternative specification
would look like.  Time is short - can you provide an outline of your
alternative soon?

Anne

>
>Daniel;
>
>