[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] interior node <Result> elements for a hierarchy
On 11 May, Daniel Engovatov writes: RE: [xacml] interior node <Result> elements for a hierarchy > >I disagree. It is still possible for the PEP or Context Handler to > >provide a "resource-parent" Attribute for each immediate parent, > >and this can be used to generate predicates for "immediate > >children" of some given node. The fact that the representation > >of nodes is flattened does not mean that the PEP or Context > >Handler can't tell a parent from an ancestor. > > Sure - I do not argue with that at all. I was just trying to come up > with the minimal structure. There can be many more layers of complexity > on top of that. > > It seems to me that "ancestors" can be computed for essentially any > hierarchical structure, by "resource-parent" may not have such a > universal meaning. I know that I can not always organize resource in a > tree. The parents do not need to be in the same tree. If you can compute "ancestors", you can compute "parents". Example: aaa bbb /\ /\ / \ / \ ccc ddd eee /\ / \ fff ggg Both "aaa" and "bbb" are parents of "ddd", even though they are not in the same tree. There must be one "resource-parent" Attribute for each of them when "ddd" is the "resource-id". "aaa", "bbb", and "ddd" are "ancestors" of both "fff" and "ggg". There must be one "resource-ancestor" Attribute for each of them when "fff" or "ggg" is the "resource-id". We are now defining "hierarchical" as any "Directed Acyclic Graph", rather than being confined to "rooted DAG" (I think those are the correct terms). Your idea of using "resource-ancestor" lets us do that, which I think is nice. It solves your problem of having general DAGs (forests) in your environment, but still has well-defined, manageable semantics for rooted DAGs (trees). Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]