xacml message



Subject: Re: [xacml] Decision required: Issue#70: Must Policy[Set]Id match value used in a corresponding Policy[Set]IdReference?



In today's TC call I promised to capture a quick summary of the use-cases I
covered. Essentially, there are two main uses I have seen where reference
identifiers and policy identifiers don't match up:

  1. A policy is managed at a single point, but pushed to multiple PAPs
     for use. This may be because some PAPs are accessible only from
     specific domains, specific applications, etc. The PAPs provide the
     access to the same policy via different protocols (e.g., http, ldap,
     local filesystem, ebXML Registry, custom application, etc.). The
     policies that reference this policy all want to use different
     reference identifiers because they want to encode details of the
     resolution mechanism. For instance the three reference identifiers

       http://example.com/site/policies/global-policy.xml
       /net/server1/files/policies/gp1.xml
       svn://server1/site/policies/global.xml

     could point to the same policy. If the reference and policy identifiers
     must match, then this cannot be done. Instead, the referring policies
     must all use the same identifier, and their PDPs must each be configured
     to know how to do the mapping. This assumes, of course, that all
     references from a given PDP use the same protocol, and don't host
     policies that want to use different protocols in different scenarios.

  2. A policy is managed at a single point, but different entities or
     domains know this policy by different identifiers. This could be because
     of naming conventions (e.g., at Sun we call this the "corporate policy"
     but at Example.com they call it "legal policy") or for good object
     design reasons (i.e., I would like the same policy that represents
     mixed logic to be referenced by different names when a specific use
     is called out, like "site access" or "weekend access" referring to
     the same policy). This does not have the functional requirements of
     case 1, so it's just a naming and design issue that is impacted by
     requiring all reference and policy identifiers to match.


seth
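The two resolution rules the message weighs (a reference identifier that must equal the referenced PolicyId, versus a PDP that is configured with aliases so that several protocol-specific identifiers resolve to one policy) can be seen side by side in the following added example. It is not code from the thread or from any XACML implementation: the PolicySet, the Policy, the `urn:example:global-policy` identifier and the in-memory "store" standing in for the PAPs are all constructed; only the XACML 2.0 namespace and element names are real.

```python
"""Resolve XACML PolicyIdReference values against a policy store.

Added example, not from the mailing-list thread.  Models the two options
under discussion for Issue#70:
  strict   - the reference identifier must equal the referenced PolicyId
  aliases  - the PDP holds a mapping PolicyId -> accepted reference ids,
             so one policy can be referenced by protocol-specific names.
The XACML namespace and element names are real; everything else
(identifiers, policy bodies, the store) is constructed for illustration.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML_NS}


class ResolutionError(Exception):
    """A PolicyIdReference could not be resolved under the active rule."""


# Constructed: one policy, known internally by a single PolicyId.
GLOBAL_POLICY = f"""<Policy xmlns="{XACML_NS}"
    PolicyId="urn:example:global-policy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="deny-all" Effect="Deny"/>
</Policy>"""

# Constructed: a PolicySet that references that policy three times, each
# reference identifier encoding a different retrieval mechanism (the
# three identifiers from the post).
ALIASED_POLICY_SET = f"""<PolicySet xmlns="{XACML_NS}"
    PolicySetId="urn:example:site-policy-set"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Target/>
  <PolicyIdReference>http://example.com/site/policies/global-policy.xml</PolicyIdReference>
  <PolicyIdReference>/net/server1/files/policies/gp1.xml</PolicyIdReference>
  <PolicyIdReference>svn://server1/site/policies/global.xml</PolicyIdReference>
</PolicySet>"""

# Constructed: the same PolicySet written the "must match" way.
MATCHING_POLICY_SET = f"""<PolicySet xmlns="{XACML_NS}"
    PolicySetId="urn:example:site-policy-set"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Target/>
  <PolicyIdReference>urn:example:global-policy</PolicyIdReference>
</PolicySet>"""

# Constructed stand-in for the PAPs: what each reference id retrieves.
# In a deployment this is an HTTP fetch, a file read, an svn checkout...
STORE = {
    "http://example.com/site/policies/global-policy.xml": GLOBAL_POLICY,
    "/net/server1/files/policies/gp1.xml": GLOBAL_POLICY,
    "svn://server1/site/policies/global.xml": GLOBAL_POLICY,
    "urn:example:global-policy": GLOBAL_POLICY,
}

# Constructed PDP configuration: the aliases case 1 in the post needs.
PDP_ALIASES = {
    "urn:example:global-policy": {
        "http://example.com/site/policies/global-policy.xml",
        "/net/server1/files/policies/gp1.xml",
        "svn://server1/site/policies/global.xml",
    },
}


def retrieve(ref_id, store=STORE):
    """Fetch and parse the document behind a reference identifier."""
    try:
        return ET.fromstring(store[ref_id])
    except KeyError:
        raise ResolutionError(f"no PAP serves reference {ref_id!r}") from None


def resolve_references(policyset_xml, strict, aliases=None, store=STORE):
    """Return the PolicyId of every policy the PolicySet references.

    strict=True applies the "reference id must equal PolicyId" rule;
    strict=False additionally accepts any alias configured for that
    PolicyId.  Raises ResolutionError on the first reference that fails.
    """
    aliases = aliases or {}
    resolved = []
    for ref in ET.fromstring(policyset_xml).findall("x:PolicyIdReference", NS):
        ref_id = ref.text.strip()
        policy_id = retrieve(ref_id, store).get("PolicyId")
        accepted = ref_id == policy_id or (
            not strict and ref_id in aliases.get(policy_id, ()))
        if not accepted:
            raise ResolutionError(
                f"reference {ref_id!r} resolved to PolicyId {policy_id!r}")
        resolved.append(policy_id)
    return resolved


def references_match_policy_ids(policyset_xml, store=STORE):
    """True iff the PolicySet would be accepted under the strict rule."""
    try:
        resolve_references(policyset_xml, strict=True, store=store)
        return True
    except ResolutionError:
        return False
```

Run against `ALIASED_POLICY_SET`, the strict rule rejects the very first reference (the http URL is not the PolicyId), while the alias-configured PDP resolves all three references to `urn:example:global-policy`; `MATCHING_POLICY_SET` passes either way. The alias table is per-PDP configuration, which is exactly the mapping burden the message says the "must match" rule pushes onto every referring PDP.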

