Subject: RE: [xacml] Resource-location
Hi David,

That's an interesting use case you wrote below. Would you use string for the data-type in that case? I was thinking that the ipAddress, dnsName, and anyURI data types would work well for this attribute too.

Thanks for the info.

From: David Brossard [mailto:david.brossard@axiomatics.com]
Hi John,

It sometimes makes sense to define where a resource is located. Imagine a purchase order (PO). A PO would have been issued in a given location, e.g. Texas. You could then write a rule as follows: a user can view a purchase order if and only if user.location==resource.location. You can then use urn:oasis:names:tc:xacml:1.0:resource:resource-location to implement the resource location attribute. We have quite a few location-based access control use cases here at Axiomatics that are like that.

Cheers,
David

On Wed, Aug 7, 2013 at 5:35 PM, Tolbert, John W <john.w.tolbert@boeing.com> wrote:

Hello,

Questions for those who have created policies with resource attributes (from section 10.2.6 "Identifiers" in the core, p.97): Has anyone used the following identifier, and if so, for what purpose?: urn:oasis:names:tc:xacml:1.0:resource:resource-location

I am imagining a use case where one might want to direct/restrict certain user groups to specific network locations or environments.

Examples may include production / pre-production / development, or different views of the same resource for different user groups.