
iam-discuss message



Subject: Re: [iam-discuss] Proposed IAM TC Comment


Richard--

Thanks for the comments.  I have been sidelined for a few days so please excuse the delay in responding. 

Also, I do not see your message posted on the iam-discuss list, so I hope that by cc'ing the list here both your comment and this message will appear there . . . (Did you get any error from the listserv when you sent your message?) 

Hill, Richard C <Richard.C.Hill@boeing.com>

Jun 3 (6 days ago)
to iam-discuss

Comment:

Data tagging is mentioned in section (1)(b) Statement of Purpose. Will data tagging be included in the IAM ecosystem outlined in this proposal?

 

Suggested change:

Provide guidance on data tagging best practices as a non-normative deliverable to help potential implementers understand how it can be used.

 

Rationale for suggested change:

Data tagging is a useful technique for providing resource metadata attributes to ABAC systems, yet there is little to no guidance or standardization of its use. OASIS XACML TC profiles for export control, intellectual property and data-loss prevention could be used to demonstrate its use.


-------------


So, here's my reaction to your comment:

John and I certainly agree that data tagging should be part of the overall framework. At the same time, AFAIK, there are not general standards or consensus best-practices in place for either data-object-level tagging with access-relevant attributes, or for how policy engines (PDPs) access those attributes for various data types (documents, relational DBs, etc.).

If that's an accurate assessment, then specifying data tagging standards normatively would be out of scope for this TC, since we are not proposing to develop new IAM-component standards, but rather to show how existing ones can fit together to satisfy major business use-cases. 

So, including this area in non-normative work of the TC is the logical answer, as you suggest.  In addition to suggesting "best practices" for tagging and referencing the IP and Export Control profiles, we should include data tagging in a non-normative "capability gap" report.

Great comments!

Martin





On Wed, Jun 3, 2015 at 8:18 PM, Hill, Richard C <Richard.C.Hill@boeing.com> wrote:

Comment:

Data tagging is mentioned in section (1)(b) Statement of Purpose. Will data tagging be included in the IAM ecosystem outlined in this proposal?

 

Suggested change:

Provide guidance on data tagging best practices as a non-normative deliverable to help potential implementers understand how it can be used.

 

Rationale for suggested change:

Data tagging is a useful technique for providing resource metadata attributes to ABAC systems, yet there is little to no guidance or standardization of its use. OASIS XACML TC profiles for export control, intellectual property and data-loss prevention could be used to demonstrate its use.

 

Richard Hill

 




--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile

