OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc)uploaded

Hi Erik,

I have just submitted version "8b", which I recommend that you edit in 
instead of the version "8a" posted yesterday. This version includes the 
DAGs using a recursive ancestor collector, which operates on both 
hierarchies and DAGs.

I agree that we can include it as "non-normative" because I realize that 
people will need time to review it, and it will probably take some time 
before there is general agreement (if we, in fact, ever do reach that 
point) that the algorithm as specified, or some variant thereof, 
accurately represents the general problem being addressed by the 
profile. Regardless, I think the algorithm is instructive, and adds 
useful cognitive information to the spec, and, personally, I find it 
conceptually essential in order to fully understand what the specifics 
of the profile actually mean.

    Thanks,
    Rich


Erik Rissanen wrote:
> Ok, thanks Rich.
>
> I can edit it in, but I still would like to keep it non-normative. If 
> we make it normative, we have two normative specifications for the 
> same thing: 1) The current textual description, 2) the pseudo code. I 
> prefer that the textual description is the normative one.
>
> Best regards,
> Erik
>
> Rich.Levinson wrote:
>> Hi Erik,
>>
>> Ok, I agree your update was to WD 7, I misread something and was 
>> mistaken.
>>
>> I am fine if you want to do the changes to WD 8 and make a WD 9. The 
>> only change is the addition of section 3.3.1 (also, please change the 
>> line in p-code that says: collectAncestorNodes() to 
>> collectAncestorNodes(int iRes) - I forgot the parameter). If you 
>> prefer, I can do the update myself based on your WD 8.
>>
>> I pointed out in the notes following the p-code that the multi-parent 
>> (DAG) case can be handled with an enhancement.
>>
>> I am considering doing an update w that enhancement, for full 
>> generality, however, what is currently there, in principle, 
>> theoretically could work with a DAG expanded to single parent 
>> hierarchies, but I do not want to incorporate that capability in that 
>> manner as it is overly verbose and could lead to unnecessary confusion.
>>
>> The alternative is a slightly more sophisticated recursive algorithm 
>> to handle the DAG as a minimum width set of columns, where the min is 
>> equal to number of parents in the node(s) of the DAG that has the 
>> maximum number of parents compared to any other nodes in the DAG.
>>
>> The fact that it is modeled as an array, imo, does not make it less 
>> general since any concrete hierarchy or DAG can be mapped to this 
>> array model. I chose this approach, because I consider it easy to 
>> understand: each row represents a resource, and the row contains 
>> entries for the hierarchies in which the resource can be a member. If 
>> the value in an element of the row is zero, the resource is not a 
>> member of that hierarchy. Basically, the row can be considered to 
>> contain the list of memberships in the organization's hierarchies 
>> that this particular resource participates in, where a membership is 
>> indicated by a non-zero value identifying the row number of the 
>> resource's parent in that hierarchy. For DAGs, row zero, will contain 
>> DAG-ids and all columns with the same DAG-id are are in the same DAG. 
>> If DAG-id is zero, then the column is a single parent hierarchy.
>>
>>    Thanks,
>>    Rich
>>
>>
>> Erik Rissanen wrote:
>>> Hi Rich,
>>>
>>> I can do the wd 9 by merging in the things from your document into 
>>> my wd 8 which contains many changes based on the OASIS checklist. 
>>> And my wd 8 is based on the WD 7 posted by Hal and does have the 
>>> changes made by him.
>>>
>>> What I mean is that the pseudo code works only if one has ones 
>>> hierarchy stored as an array in that particular format. Another 
>>> problem with the pseudo code is that it assumes that each node only 
>>> has one parent, which is a limitation compared to what the profile 
>>> can apply to.
>>>
>>> And, in the end, I don't think pseudo code contributes much in this 
>>> case. I think it is clear enough already that the attribute 
>>> "ancestors" will contain ancestors, the attribute "parents" will 
>>> contain parents, and so on.
>>>
>>> Best regards,
>>> Erik
>>>
>>> Rich.Levinson wrote:
>>>> Hi Erik,
>>>>
>>>> I can issue a WD 9. However, I checked the .zip file and that has a 
>>>> WD 8 that was created based on WD 6, which means that the changes 
>>>> Hal made in WD 7 are missing. So, I will hold off until you advise 
>>>> about what is to happen to the WD 7 changes:
>>>> http://lists.oasis-open.org/archives/xacml/200904/msg00000.html
>>>>
>>>> On the subject of the p-code, I believe the array representation is 
>>>> fully general in that any set of hierarchies can be represented in 
>>>> the arrays as shown. i.e. there are N resources total and M 
>>>> hierarchies defined on the resources. Each column represents one 
>>>> hierarchy.
>>>>
>>>> As indicated the case of DAG can be handled by allocating as many 
>>>> columns as necessary so that the number of columns is equal to the 
>>>> width corresponding to the max # of parents any node in the DAG 
>>>> has. There is then room for the parents of any node so one then 
>>>> just lists all parents of each node in the DAG in slots within the 
>>>> row allocated to the DAG.
>>>>
>>>> This model is not intended to represent a suggested implementation, 
>>>> however, it is designed to be fully general to accommodate any 
>>>> collection of resources which is organized with any set of 
>>>> hierarchies or DAGs applied to it.
>>>>
>>>> i.e. it is not intended to be an example, it is a general model 
>>>> with which any example can be represented.
>>>>
>>>>    Thanks,
>>>>    Rich
>>>>
>>>>
>>>> Erik Rissanen wrote:
>>>>> Hi Rich and all,
>>>>>
>>>>> To avoid any confusion, I would just point out there are now two 
>>>>> different wd 8 out there. The other is in the zip file which I 
>>>>> posted yesterday. That one contains editorial cleanups.
>>>>>
>>>>> I think the pseudocode should be non-normative and considered an 
>>>>> example only because this pseudocode applies only to those cases 
>>>>> where the resource hierarchies are stored in arrays like that.
>>>>>
>>>>> Best regards,
>>>>> Erik
>>>>>
>>>>> rich.levinson@oracle.com wrote:
>>>>>> Proposed revision to Hierarchical Resource Profile, which adds 
>>>>>> section
>>>>>> 3.3.1, which contains p-code, which is asserted to represent the 
>>>>>> problem as
>>>>>> described in section 3.3 from WD 7. It is expected that by 
>>>>>> utilizing p-code
>>>>>> we can reduce possible ambiguities in the interpretation of the text
>>>>>> descriptions as has worked for other detailed XACML areas. Note: 
>>>>>> details
>>>>>> for DAG processing which would be enhancement within the proposed 
>>>>>> algorithm
>>>>>> have been sketched after the main algorithm, which could readily 
>>>>>> be added
>>>>>> if TC believes necessary.
>>>>>>
>>>>>>  -- Rich Levinson
>>>>>>
>>>>>> The document named Hierarchical Resource Profile WD 8
>>>>>> (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) has been 
>>>>>> submitted by
>>>>>> Rich Levinson to the OASIS eXtensible Access Control Markup Language
>>>>>> (XACML) TC document repository.
>>>>>>
>>>>>> Document Description:
>>>>>> XACML Hierarchical Resource Profile
>>>>>> View Document Details:
>>>>>> http://www.oasis-open.org/committees/document.php?document_id=31950
>>>>>>
>>>>>> Download Document:  
>>>>>> http://www.oasis-open.org/committees/download.php/31950/xacml-3%5B1%5D.0-hierarchical-v1-spec-wd-08-en-01.doc 
>>>>>>
>>>>>>
>>>>>>
>>>>>> PLEASE NOTE:  If the above links do not work for you, your email 
>>>>>> application
>>>>>> may be breaking the link into two pieces.  You may be able to 
>>>>>> copy and paste
>>>>>> the entire link address into the address field of your web browser.
>>>>>>
>>>>>> -OASIS Open Administration
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]