[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Combining Algorithms & the Hierarchical Resource profile
Hi Ray,
I think what you are describing is the difference between default = deny (everything denied unless permitted) vs default = permit (everything permitted unless denied).
This can usually be accomplished by having permit-overrides combining alg with a final rule of deny (default=deny) vs having a deny-overrides combining alg with a final rule of permit (default=permit).
This appears to me to be an orthogonal property wrt hierarchical traversal.
Thanks,
Rich
On 9/6/2011 1:22 AM, remon.sinnema@emc.com wrote:
> Rich,
>
>
>> -----Original Message-----
>> From: rich levinson [mailto:rich.levinson@oracle.com]
>> Sent: Monday, September 05, 2011 11:30 PM
>> To: xacml@lists.oasis-open.org
>> Subject: Re: [xacml] Combining Algorithms& the Hierarchical Resource
>> profile
>>
>> Hi Ray,
>>
>> I think your question may be a bit outside the scope of the
>> hierarchical profile for the following reason.
>>
>> You have defined 2 independent rules, Rule-A and Rule-D that identify
>> separate resources.
>>
>> Since when one traverses the hierarchy, one first encounters node A, it
>> would seem that should take precedence before continuing the path to
>> node D. i.e. if rejected at node A, you are done, if accepted then you
>> get to try node D.
> If my example resources are file system directories, and the action is write, then I hope this is not the case. No OS should allow me to write in the root, but I certainly should be able to write in my home directory.
>
>
>> A lot depends on how you construct the Policy. If you used ordered
>> rule-combining then you could place either rule first to achieve
>> whichever effect you preferred.
> I guess. I'm not a big fan of rule ordering, though. It just seems fragile.
>
>
>> The hierarchical profile is primarily about how to represent the nodes
>> in a hierarchy and addresses a variety of common use cases. It builds
>> on top of the Multiple profile and the core spec, so it is expected
>> that one would use the node representations in that context.
>>
>> If there is another specific context that you have in mind, I would be
>> interested to learn more about it. The use case you have described does
>> not seem to me to have any particular motivation except trying to
>> define some precedence order for applying the Rules which I do not
>> quite understand.
> I think that in many cases the precedence order follows quite naturally from the hierarchy, either top overrides as in your example, or bottom overrides as in mine. That's why I expected the Hierarchical Resource profile to define some CAs that implement such precedence.
>
>
> Thanks,
> Ray
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]