

Subject: RE: [xacml] interior node <Result> elements for a hierarchy


On 11 May, Daniel Engovatov writes: RE: [xacml] interior node <Result> elements for a hierarchy
 > >I disagree.  It is still possible for the PEP or Context Handler to
 > >provide a "resource-parent" Attribute for each immediate parent,
 > >and this can be used to generate predicates for "immediate
 > >children" of some given node.  The fact that the representation
 > >of nodes is flattened does not mean that the PEP or Context
 > >Handler can't tell a parent from an ancestor.
 > 
 > Sure - I do not argue with that at all.   I was just trying to come up
 > with the minimal structure.  There can be many more layers of complexity
 > on top of that.
 > 
 > It seems to me that "ancestors" can be computed for essentially any
 > hierarchical structure, but "resource-parent" may not have such a
 > universal meaning.   I know that I cannot always organize resources in a
 > tree.

The parents do not need to be in the same tree.  If you can
compute "ancestors", you can compute "parents".  Example:

    aaa  bbb
    /\   /\
   /  \ /  \
 ccc  ddd  eee
      /\
     /  \
    fff ggg
       

Both "aaa" and "bbb" are parents of "ddd", even though they are
not in the same tree.  There must be one "resource-parent"
Attribute for each of them when "ddd" is the "resource-id".

"aaa", "bbb", and "ddd" are "ancestors" of both "fff" and "ggg".
There must be one "resource-ancestor" Attribute for each of them
when "fff" or "ggg" is the "resource-id".

We are now defining "hierarchical" as any "Directed Acyclic
Graph", rather than being confined to "rooted DAG" (I think those
are the correct terms).  Your idea of using "resource-ancestor"
lets us do that, which I think is nice.  It solves your problem
of having general DAGs (forests) in your environment, but still
has well-defined, manageable semantics for rooted DAGs (trees).

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
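
The derivation described in the message above, as an added example that is not part of the original post: a Context Handler-style helper that computes the "resource-parent" and "resource-ancestor" values for a given "resource-id" over a general DAG. The function names, the `EDGES` sample (constructed from the diagram) and the use of the short attribute names as dictionary keys are assumptions made for illustration.

```python
# Constructed sample: parent -> child edges of the diagram in the message.
EDGES = [("aaa", "ccc"), ("aaa", "ddd"), ("bbb", "ddd"),
         ("bbb", "eee"), ("ddd", "fff"), ("ddd", "ggg")]


def build_parent_map(edges):
    """Map every node to the set of its immediate parents (roots map to an empty set)."""
    parents = {}
    for parent, child in edges:
        parents.setdefault(parent, set())
        parents.setdefault(child, set()).add(parent)
    return parents


def ancestors(node, parents):
    """Return every node reachable by following parent links upward.

    Works for forests and multi-parent DAGs; raises ValueError if the
    parent links contain a cycle, since the hierarchy must be acyclic.
    """
    done, on_path = set(), set()

    def visit(n):
        if n in on_path:
            raise ValueError(f"cycle through {n!r}: hierarchy is not a DAG")
        if n in done:          # already expanded via another parent
            return
        on_path.add(n)
        for p in parents.get(n, ()):
            visit(p)
        on_path.discard(n)
        done.add(n)

    visit(node)
    return done - {node}


def request_attributes(resource_id, parents):
    """One value per immediate parent and one value per ancestor."""
    if resource_id not in parents:
        raise KeyError(f"unknown resource {resource_id!r}")
    return {
        "resource-id": resource_id,
        "resource-parent": sorted(parents[resource_id]),
        "resource-ancestor": sorted(ancestors(resource_id, parents)),
    }


if __name__ == "__main__":
    pm = build_parent_map(EDGES)
    for rid in ("ddd", "fff", "aaa"):
        print(request_attributes(rid, pm))
```
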