

Subject: RE: [xacml] F2F Agenda Topics


I have yet to see an enterprise that has a central admin for all access control policies in the enterprise. A workgroup may administer access control policies for documents created by the workgroup. But then there may be divisional or corporate policies that govern internal documents. Retention, records management, legal hold are examples of use cases. A workgroup may not be aware of all the corporate policies that are in place, and corporate may not be aware of all the policies created by all the workgroups in the company.

david

-----Original Message-----
From: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com] 
Sent: Friday, June 17, 2011 2:35 PM
To: Choy, David; bill@parducci.net; xacml@lists.oasis-open.org
Subject: RE: [xacml] F2F Agenda Topics

This sounds like a very strange business case, and I don't see how XACML
can help.

It does not appear to be a rational model for policy development if
independent groups are making rules concerning potentially overlapping
instances of subject/resource/action.  That is anarchy, not federation.

And even if some enterprises find it useful to develop policies that
way, the PDP implementation should allow specifying one of the existing
policy-combining algorithms (or a custom one) at the notional "root" of
the policy tree.

Regards,
--Paul

> -----Original Message-----
> From: david.choy@emc.com [mailto:david.choy@emc.com]
> Sent: Friday, June 17, 2011 15:38
> To: bill@parducci.net; xacml@lists.oasis-open.org
> Subject: RE: [xacml] F2F Agenda Topics
> 
> I'd like to add another topic to the agenda list: combining algorithm
> for a distributed admin environment.
> 
> Currently, combining algm is specified only within a container (a
> policy or a policy set). In an enterprise, policy admin is usually
> distributed among different organizational units, ranging from small
> workgroups to the corporate level. For a given decision request, there
> may be multiple applicable policies that are created by different admin
> authorities. These policies may not know the existence of each other,
> and may not be encapsulated in a single policyset. We need a broader
> model for combining algm to resolve conflict in this case. I'll be glad
> to give an example at the F2F.
> 
> David
> 
> -----Original Message-----
> From: Bill Parducci [mailto:bill@parducci.net]
> Sent: Friday, June 17, 2011 6:46 AM
> To: XACML TC
> Subject: [xacml] F2F Agenda Topics
> 
> With the F2f rapidly approaching, we need to start nailing down the
> agenda. In the past we have chunked up the discussion topics so that we
> can make sure to cover as many of them as possible, while driving the
> largest/most difficult issues to completion as the primary driver. To
> that end I would like to propose that we again break the days in half
> thus and then dissect from there as needed:
> 
>  Tuesday 8-12
>  Tuesday 1-5
>  Wednesday 8-12
>  Wednesday 1-5
>  Thursday 8-12
> 
> Below is a non-exhaustive list of open issues.
> 
>   Attribute Predicate
>   BTG
>   PIP Directive
>   JSON Profile
>   Obligation/Advice Combining
>   PAP Interface
>   RSA Interop
>   "Web Friendly" Policy Ids
>   "Sticky" Policies
>   XACML Metadata Schema
> 
> I suggest that we begin by fleshing out this list, then prioritize and
> schedule those topics that have the most interest and will have
> champions in attendance. My goal is to have a candidate agenda for the
> TC call next Thursday so please take a few moments to chime in with
> your thoughts.
> 
> thanks
> 
> b
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
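
Added example, not part of the thread or of any poster's message: a simplified Python sketch of the case discussed above, where a workgroup policy and a corporate legal-hold policy are authored independently and a combining algorithm is chosen at the notional root. The policy functions, attribute names and request values are constructed; the combiners are reduced forms of the standard XACML policy-combining algorithms, and a policy counts as "applicable" here when it returns anything other than NotApplicable.

```python
# Simplified model: child policies return Permit, Deny or NotApplicable only;
# Indeterminate is produced solely by only-one-applicable.
PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

def workgroup_policy(req):
    # Constructed: written by the workgroup, unaware of corporate rules.
    if req["resource_owner"] == "wg-design":
        return PERMIT if req["subject_group"] == "wg-design" else DENY
    return NA

def corporate_legal_hold(req):
    # Constructed: written by corporate, unaware of workgroup rules.
    if req["legal_hold"] and req["action"] == "delete":
        return DENY
    return NA

def deny_overrides(ds):
    return DENY if DENY in ds else PERMIT if PERMIT in ds else NA

def permit_overrides(ds):
    return PERMIT if PERMIT in ds else DENY if DENY in ds else NA

def first_applicable(ds):
    # Result depends on the order in which the root lists its children.
    return next((d for d in ds if d != NA), NA)

def only_one_applicable(ds):
    hits = [d for d in ds if d != NA]
    return INDET if len(hits) > 1 else (hits[0] if hits else NA)

ROOT_ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}

def compare_root_algorithms(req, policies):
    """Evaluate every child once, then combine under each root algorithm."""
    decisions = [policy(req) for policy in policies]
    return {name: alg(decisions) for name, alg in ROOT_ALGORITHMS.items()}

# Constructed request: a workgroup member deletes a document under legal hold.
CONFLICT = {"subject_group": "wg-design", "resource_owner": "wg-design",
            "action": "delete", "legal_hold": True}

if __name__ == "__main__":
    policies = [workgroup_policy, corporate_legal_hold]
    for name, decision in compare_root_algorithms(CONFLICT, policies).items():
        print(f"{name:20} -> {decision}")
```

Only deny-overrides enforces the legal hold for this request; permit-overrides and first-applicable (with the workgroup policy listed first) let the workgroup's Permit win, and only-one-applicable reports the overlap as Indeterminate.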



