Re: [xacml] Issue: Hierarchical profile appears ambiguous and inconsistent

[Daniel Engovatov <daniel@streamdynamics.com>]

On Feb 19, 2009, at 6:57 AM, Erik Rissanen wrote:

> All,
>
> I've been in a rush today, so I haven't followed every detail in  
> the discussion, but basically, here is how it appears to me:
>
> * The profile, as it stands today, does specify the limited URI  
> scheme which Rich describes. It says in section 2.2 that:
>
> --8<--
> The <pathname> portion of the URI SHALL be of the form
>
> <root name> [ “/” <node name> ]*
>
> The sequence of <root name> and <node name> values SHALL correspond  
> to the individual hierarchical component names of ancestors of the  
> represented node along the path from a <root> node to the  
> represented node.
> --8<--
>
> So it in fact says that the identifiers must consists of paths with  
> the names of the ancestors.
>
> * If I understand Daniel correctly, he says that each node should  
> be allowed to have a name which is entirely independent of the  
> other nodes in the hierarchy. Relations between the nodes are  
> maintained in a manner not specified by XACML and are expressed in  
> XACML Requests and policies in the form of the attributes resource- 
> parent, resource-ancestor, etc. I think that the more general  
> approach advocated by Daniel would be the correct way to go, so I  
> agree with him (and Seth I believe. :-))
>

Yes, in fact the URI identifiers are not needed at all.   Any opaque  
unique string will work just as well.  UUID works fine.

> * I also think as suggested on the XACML comments/users list that  
> the data type of the node identifier should not be limited to URIs  
> only.
>

It does not hurt to have a recommended form of UUID.   They just do  
not need to imply any hierarhy, as this is too restrictive.

> But I would prefer to leave major changes to the hierarchical  
> profile out of the first batch of CD documents.

Daniel;