OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft


On 15 July, Bill Parducci writes: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
 > Anne Anderson wrote:
 > > What if the policy also contains a Deny rule denying everyone
 > > except the patient access to the <Diagnosis> node alone?  In that
 > > case, if the request comes in asking for the entire document, the
 > > Deny rule that applies to requests for that individual node would
 > > not apply, and access to the entire document (including the
 > > <Diagnosis> node) would be granted to the physician or an
 > > administrator.
 > 
 > that comes back to my previous point: i think it is unlikely that there 
 > will be field level granularity of access policy without equivalent 
 > enforcement. it seems illogical to me that you would have a policy 
 > writer exclude field level information when enforcement is document 
 > level. the net effect is the same when applied, it is simply a 
 > multiplication of rule maintenance.
 > 
 > example:
 > 
 > consider a document, X, with three components: A, B & C
 > 
 > IF the access control mechanism is at the *document* level, then:
 > 
 > deny bill to see X:B
 > 
 > is equivalent to
 > 
 > deny bill X
 > 
 > am i missing something?
 > 
 > the only place that i can see that this will be of value is if there are 
 > resources that are protected *both* by policies that allow field level 
 > access as well as whole document access (*enforcement* is different). is 
 > this the case we are trying to solve?

Yes.

 > if so, i personally see that as unlikely. my vote is for D: a hierarchy 
 > is a special collection of resources that we operate on individually; i 
 > suggest that we do not operate on the container itself.

That is what the Profile currently specifies.  It is always
possible for a given environment to agree between Policy
Authorities and PEPs that certain resources will be treated
differently.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]