

Subject: Re: [xacml] Issues 63, 71 and 77


Use cases come up where the requester has a group of subjects and a 
group of resources, and needs to find out which of those subjects can 
access which of those resources, or where there is a group of resources 
and a group of actions, and the requester needs to know which of those 
actions the subject can perform on which of those resources.  The 
requester can submit a separate Request for each combination, but it 
would save bandwidth to send a single Request that is expanded on the 
PDP side.

This can come up in practice with the sorts of applications that present 
different menus to different user roles depending on the tasks they want 
to perform.  Assume the policies are updated between midnight and 1am 
every night, and no access is allowed during that time.  The application 
can be optimized to determine the allowed combinations at 1am every 
morning rather than on each individual user access.

Implementations could place limits on the maximum number of combinations 
if necessary.  This limit could be included in the PDP metadata.

Regards,
Anne

Erik Rissanen wrote:
> Anne Anderson - Sun Microsystems wrote:
> 
>>>If there are two or more categories which are repeated, then it is an
>>>error.
>>
>>Alternatively, we could say that the cross product of the combinations
>>will be created, and each evaluated as a separate request.  Using
>>simpler syntax just to illustrate:
> 
> 
> Yes, I thought about this as well, but I couldn't think of any
> meaningful use cases to it. My concern with the cross products is that
> the amount of work and the size of the output increase exponentially,
> meaning that it opens up a vulnerability for DoS attacks.
> 
> Regards,
> Erik
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
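
Added example, not part of the original message or of any XACML implementation: a sketch of the PDP-side cross-product expansion discussed above, with the combination limit checked before any expansion work is done. The request layout, the limit value and the toy decision function are assumptions made for illustration.

```python
from itertools import product
from math import prod

MAX_COMBINATIONS = 100  # assumed limit; the thread suggests publishing it in PDP metadata

class TooManyCombinations(Exception):
    """Raised before any expansion or evaluation work is done."""

def combination_count(request):
    """Number of individual requests the cross product would yield."""
    return prod(len(entries) for entries in request.values())

def expand(request, limit=MAX_COMBINATIONS):
    """Expand {category: [entries]} into one single-valued request per combination."""
    if any(not entries for entries in request.values()):
        raise ValueError("every category needs at least one entry")
    count = combination_count(request)
    if count > limit:  # checked eagerly, so an oversized request costs almost nothing
        raise TooManyCombinations(f"{count} combinations exceeds limit {limit}")
    categories = sorted(request)
    # product() is lazy: combinations are generated one at a time, not stored.
    return (dict(zip(categories, combo))
            for combo in product(*(request[c] for c in categories)))

def decide_all(request, pdp, limit=MAX_COMBINATIONS):
    """Evaluate every expanded request with a caller-supplied decision function."""
    return [(single, pdp(single)) for single in expand(request, limit)]

# Constructed sample input: two subjects, three resources, one action.
SAMPLE_REQUEST = {
    "subject": [{"role": "admin"}, {"role": "clerk"}],
    "resource": [{"id": "payroll"}, {"id": "menu"}, {"id": "audit"}],
    "action": [{"id": "read"}],
}

def toy_pdp(single):
    """Hypothetical policy: admins may read anything, everyone may read the menu."""
    if single["subject"]["role"] == "admin" or single["resource"]["id"] == "menu":
        return "Permit"
    return "Deny"

if __name__ == "__main__":
    for single, decision in decide_all(SAMPLE_REQUEST, toy_pdp):
        print(single["subject"]["role"], single["resource"]["id"], decision)
```

Because the count is the product of the per-category sizes, the check rejects a request such as 50 subjects by 50 resources (2500 combinations) without building a single expanded request.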

