Subject: RE: [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded
+1

Hal

> -----Original Message-----
> From: Steven Legg [mailto:steven.legg@viewds.com]
> Sent: Thursday, January 30, 2014 12:05 AM
> To: Mohammad Jafari
> Cc: Erik Rissanen; xacml@lists.oasis-open.org
> Subject: Re: [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded
>
> Hi Mohammad,
>
> On 22/01/2014 3:00 PM, Mohammad Jafari wrote:
> > Thanks Erik.
> >
> > I am wondering if the work on Nested and Related Entities can influence this profile.
>
> Probably not. Insofar as they overlap, I think the entities profile and the hierarchical profile should be considered to be alternative approaches to the same problem space, with some notable differences.
>
> > It seems to me that "hierarchies" can be considered special cases of "related entities".
>
> Related entities can form an arbitrary graph, of which the hierarchies defined by the hierarchical profile are a special case. Trees can also be represented by nested entities.
>
> Here are the differences as I see them.
>
> From the perspective of the entities profile, the resource-parent, resource-ancestor and resource-ancestor-or-self attributes are flattened attributes. They flatten the resource-id attributes of the ancestor nodes into the resource category. This is the only information from the ancestor nodes of non-XML hierarchies that can be tested by an XACML policy using the hierarchical profile. Additional flattened attributes could be defined, but that would introduce the correlation issues inherent to the use of flattened attributes. The entities profile allows any attributes of related nodes to be tested by explicit reference to the links between nodes.
>
> Those explicit references are a limitation compared to the hierarchies profile in that the resource-ancestor and resource-ancestor-or-self attributes are defined by the transitive closure of the child-parent relationship, but the entities profile doesn't address transitive closure.
>
> A hierarchy represented as an XML document could also be represented by nested entities. The content-selector attribute has been defined by the hierarchical profile to select the node in the hierarchy that is the resource. I haven't defined anything like that in the entities profile. The content-selector attribute uses XPath expressions. The analogue for nested entities would be an XACML expression, which would be a new data-type. I don't think that is worth doing since the situation can be handled with related entities instead of nested entities; the resource category <Attributes> element would contain the resource node and the higher and lower nodes in the hierarchy would be in other <Attributes> elements (i.e., other entities) linked by URI values.
>
> In all, I don't see a need to change the hierarchical profile because of the entities profile. There is perhaps something that the multiple decision profile could say about a request for multiple decisions involving multiple entities, but that could be defined in the entities profile instead, if at all.
>
> Regards,
> Steven
>
> > This might be something we can think about and discuss at the next TC call.
> >
> > Regards,
> >
> > Mohammad Jafari, Ph.D.
> >
> > Security Architect, Edmond Scientific Company
> >
> > *From:* xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] *On Behalf Of* Erik Rissanen
> > *Sent:* Tuesday, January 21, 2014 9:48 AM
> > *To:* xacml@lists.oasis-open.org
> > *Subject:* [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded
> >
> > /Submitter's message/
> > Updates the hierarchical profile to the current OASIS document template. There are no changes in the content, except to fit the new template and:
> >
> > - I added a subsection 1.1 to make it clear that the non-normative statement only applies to it, not the rest of section 1.
> > - Changed incorrect reference to RFC2396 to the correct RFC3986
> > - I had forgotten to specify Rich as a co-editor when I requested the template, so I added him (I hope this does not break any TC admin metadata tracking)
> > - I did a search for glossary terms and ended up marking some which were not highlighted in the previous version.
> > - I fixed a few minor typos which I found.
> >
> > -- Erik Rissanen
> >
> > *Document Name*: xacml-3.0-hierarchical-v1.0-wd14.doc <https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=52014>
> >
> > No description provided.
> > Download Latest Revision <https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/52014/latest/xacml-3.0-hierarchical-v1.0-wd14.doc>
> > Public Download Link <https://www.oasis-open.org/committees/document.php?document_id=52014&wg_abbrev=xacml>
> >
> > *Submitter*: Erik Rissanen
> > *Group*: OASIS eXtensible Access Control Markup Language (XACML) TC
> > *Folder*: Specifications and Working Drafts
> > *Date submitted*: 2014-01-21 08:47:38
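Steven Legg's reply quoted above contrasts flattened ancestor attributes with per-node tests; the following is an added illustration, not part of the thread or of either profile. The hierarchy, the `owner` and `classification` attributes, and all function names are constructed for the example.

```python
# Constructed sample hierarchy (a DAG, not from the thread): node -> its parents.
PARENTS = {
    "/": [],
    "/projects": ["/"],
    "/archive": ["/"],
    "/projects/alpha": ["/projects"],
    "/projects/alpha/report": ["/projects/alpha", "/archive"],
}
# Constructed per-node attributes; "owner" and "classification" are hypothetical.
ATTRS = {
    "/": {"owner": "root", "classification": "public"},
    "/projects": {"owner": "alice", "classification": "secret"},
    "/archive": {"owner": "bob", "classification": "public"},
    "/projects/alpha": {"owner": "carol", "classification": "secret"},
    "/projects/alpha/report": {"owner": "carol", "classification": "secret"},
}

def ancestors(node):
    """Transitive closure of the child-parent relationship (cycle-safe)."""
    seen, stack = set(), list(PARENTS[node])
    while stack:
        parent = stack.pop()
        if parent not in seen:
            seen.add(parent)
            stack.extend(PARENTS[parent])
    return seen

def hierarchical_attributes(node):
    """The three flattened resource-id bags named in the thread."""
    anc = ancestors(node)
    return {
        "resource-parent": set(PARENTS[node]),
        "resource-ancestor": anc,
        "resource-ancestor-or-self": anc | {node},
    }

def flattened_match(node, owner, classification):
    """Rule on flattened bags: each value is tested independently."""
    anc = ancestors(node)
    owners = {ATTRS[a]["owner"] for a in anc}
    classes = {ATTRS[a]["classification"] for a in anc}
    return owner in owners and classification in classes

def per_node_match(node, owner, classification):
    """Same rule tested node by node, so both values come from one ancestor."""
    return any(ATTRS[a]["owner"] == owner and
               ATTRS[a]["classification"] == classification
               for a in ancestors(node))
```

For `/projects/alpha/report`, the rule "some ancestor is owned by alice and is public" matches on the flattened bags even though no single ancestor has both values, which is the correlation issue the reply refers to.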