Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc)uploaded

[Erik Rissanen <erik@axiomatics.com>]

Ok, thanks Rich.

I can edit it in, but I still would like to keep it non-normative. If we 
make it normative, we have two normative specifications for the same 
thing: 1) The current textual description, 2) the pseudo code. I prefer 
that the textual description is the normative one.

Best regards,
Erik

Rich.Levinson wrote:
> Hi Erik,
>
> Ok, I agree your update was to WD 7, I misread something and was 
> mistaken.
>
> I am fine if you want to do the changes to WD 8 and make a WD 9. The 
> only change is the addition of section 3.3.1 (also, please change the 
> line in p-code that says: collectAncestorNodes() to 
> collectAncestorNodes(int iRes) - I forgot the parameter). If you 
> prefer, I can do the update myself based on your WD 8.
>
> I pointed out in the notes following the p-code that the multi-parent 
> (DAG) case can be handled with an enhancement.
>
> I am considering doing an update w that enhancement, for full 
> generality, however, what is currently there, in principle, 
> theoretically could work with a DAG expanded to single parent 
> hierarchies, but I do not want to incorporate that capability in that 
> manner as it is overly verbose and could lead to unnecessary confusion.
>
> The alternative is a slightly more sophisticated recursive algorithm 
> to handle the DAG as a minimum width set of columns, where the min is 
> equal to number of parents in the node(s) of the DAG that has the 
> maximum number of parents compared to any other nodes in the DAG.
>
> The fact that it is modeled as an array, imo, does not make it less 
> general since any concrete hierarchy or DAG can be mapped to this 
> array model. I chose this approach, because I consider it easy to 
> understand: each row represents a resource, and the row contains 
> entries for the hierarchies in which the resource can be a member. If 
> the value in an element of the row is zero, the resource is not a 
> member of that hierarchy. Basically, the row can be considered to 
> contain the list of memberships in the organization's hierarchies that 
> this particular resource participates in, where a membership is 
> indicated by a non-zero value identifying the row number of the 
> resource's parent in that hierarchy. For DAGs, row zero, will contain 
> DAG-ids and all columns with the same DAG-id are are in the same DAG. 
> If DAG-id is zero, then the column is a single parent hierarchy.
>
>    Thanks,
>    Rich
>
>
> Erik Rissanen wrote:
>> Hi Rich,
>>
>> I can do the wd 9 by merging in the things from your document into my 
>> wd 8 which contains many changes based on the OASIS checklist. And my 
>> wd 8 is based on the WD 7 posted by Hal and does have the changes 
>> made by him.
>>
>> What I mean is that the pseudo code works only if one has ones 
>> hierarchy stored as an array in that particular format. Another 
>> problem with the pseudo code is that it assumes that each node only 
>> has one parent, which is a limitation compared to what the profile 
>> can apply to.
>>
>> And, in the end, I don't think pseudo code contributes much in this 
>> case. I think it is clear enough already that the attribute 
>> "ancestors" will contain ancestors, the attribute "parents" will 
>> contain parents, and so on.
>>
>> Best regards,
>> Erik
>>
>> Rich.Levinson wrote:
>>> Hi Erik,
>>>
>>> I can issue a WD 9. However, I checked the .zip file and that has a 
>>> WD 8 that was created based on WD 6, which means that the changes 
>>> Hal made in WD 7 are missing. So, I will hold off until you advise 
>>> about what is to happen to the WD 7 changes:
>>> http://lists.oasis-open.org/archives/xacml/200904/msg00000.html
>>>
>>> On the subject of the p-code, I believe the array representation is 
>>> fully general in that any set of hierarchies can be represented in 
>>> the arrays as shown. i.e. there are N resources total and M 
>>> hierarchies defined on the resources. Each column represents one 
>>> hierarchy.
>>>
>>> As indicated the case of DAG can be handled by allocating as many 
>>> columns as necessary so that the number of columns is equal to the 
>>> width corresponding to the max # of parents any node in the DAG has. 
>>> There is then room for the parents of any node so one then just 
>>> lists all parents of each node in the DAG in slots within the row 
>>> allocated to the DAG.
>>>
>>> This model is not intended to represent a suggested implementation, 
>>> however, it is designed to be fully general to accommodate any 
>>> collection of resources which is organized with any set of 
>>> hierarchies or DAGs applied to it.
>>>
>>> i.e. it is not intended to be an example, it is a general model with 
>>> which any example can be represented.
>>>
>>>    Thanks,
>>>    Rich
>>>
>>>
>>> Erik Rissanen wrote:
>>>> Hi Rich and all,
>>>>
>>>> To avoid any confusion, I would just point out there are now two 
>>>> different wd 8 out there. The other is in the zip file which I 
>>>> posted yesterday. That one contains editorial cleanups.
>>>>
>>>> I think the pseudocode should be non-normative and considered an 
>>>> example only because this pseudocode applies only to those cases 
>>>> where the resource hierarchies are stored in arrays like that.
>>>>
>>>> Best regards,
>>>> Erik
>>>>
>>>> rich.levinson@oracle.com wrote:
>>>>> Proposed revision to Hierarchical Resource Profile, which adds 
>>>>> section
>>>>> 3.3.1, which contains p-code, which is asserted to represent the 
>>>>> problem as
>>>>> described in section 3.3 from WD 7. It is expected that by 
>>>>> utilizing p-code
>>>>> we can reduce possible ambiguities in the interpretation of the text
>>>>> descriptions as has worked for other detailed XACML areas. Note: 
>>>>> details
>>>>> for DAG processing which would be enhancement within the proposed 
>>>>> algorithm
>>>>> have been sketched after the main algorithm, which could readily 
>>>>> be added
>>>>> if TC believes necessary.
>>>>>
>>>>>  -- Rich Levinson
>>>>>
>>>>> The document named Hierarchical Resource Profile WD 8
>>>>> (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) has been 
>>>>> submitted by
>>>>> Rich Levinson to the OASIS eXtensible Access Control Markup Language
>>>>> (XACML) TC document repository.
>>>>>
>>>>> Document Description:
>>>>> XACML Hierarchical Resource Profile
>>>>> View Document Details:
>>>>> http://www.oasis-open.org/committees/document.php?document_id=31950
>>>>>
>>>>> Download Document:  
>>>>> http://www.oasis-open.org/committees/download.php/31950/xacml-3%5B1%5D.0-hierarchical-v1-spec-wd-08-en-01.doc 
>>>>>
>>>>>
>>>>>
>>>>> PLEASE NOTE:  If the above links do not work for you, your email 
>>>>> application
>>>>> may be breaking the link into two pieces.  You may be able to copy 
>>>>> and paste
>>>>> the entire link address into the address field of your web browser.
>>>>>
>>>>> -OASIS Open Administration
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php