[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Moving ahead with 3.0
Rich Levinson wrote: > > It seems to me, although I haven't gotten to all the details yet, that > a lot > of what you say is valuable about admin and WS-XACML could be > had building as profiles and adjuncts to 2.0. Is there a reason why these > core changes are tied to those items? The admin policies (aka delegation) were initially designed on top of the old 2.0 schema with subject/resource/etc. We decided to generalize the schema to attribute categories because of three reasons: 1. In our discussions someone, I don't remember who, said that there had been requests from users who did not like to be tied to the fixed existing categories. They felt their applications mapped better to other categories. 2. Delegation requires a new category for attributes, the Delegate. We also had an IndirectDelegate at the time, but this was removed because of computational complexity issues in the delegation model. It was felt that since we need to introduce a couple of new categories now, we might as well go ahead and move the categories from the XML schema into URIs so we could ad more categories in the future if needed by yet unknown features. 3. The initial implementation of delegation on top of the 2.0 schema lead to some technical difficulties regarding the distinction between administrative policies and access policies. Since both used the same attribute categories we needed to differentiate between the two types of policies by other means, such as the presence of a Delegate category in the target. This lead to problems since it was not possible to write targets matching any delegate, unless additional special constructs were introduced in the target. All these issues were solved by putting administrative requests in their own attribute categories, as permitted by the generalized schema. In other words, delegation is easier to implement on top of the general schema. As it happened, 1 and 2 preceded 3 in the discussion and technical work. (We didn't realize that delegation became easier until after we moved to general categories.) I think now is a better time to make this change rather than later. The more 2.0 deployments there are, the harder it will be to do the change in the future. The general categories allow for considerable flexibility for the future without the need of schema breaking changes. Best regards, Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]