OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

regrep message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [regrep] One RegistryObject - Many ACPs proposal

While reviewing Joe's Web Service registration paper I encountered an 
apparent mistake in how the paper suggested one associate an ACP with a 
RegistryObject. The ebRIM 2.36 spec says that that a single ACP is 
associated with a RegistryObject via its accessControlPolicy object. The 
BP paper suggested using an Association instead.

At first I was about to flag this as a mistake but then I realized that 
this was a better way to assign an ACP to a RegistryObject because:

-In many cases there would be no custom ACP. In current approach, there 
would be a waste of accessControlPolicy attribute. Under the Association 
approach no waste occurs.

-In current approach, there can only be one ACP associated with a 
RegistryObject. Under the Association approach multiple ACPs may be 
associated with a RegistryObject.

Proposed Changes To ACP

-Drop accessControlPolicyAttribute attribute from RegistryObject

-Define a new canonical associationType "AccessControlPolicyFor"

-Define that zero or more ACPs may be associated with a RegistryObject 
via an Associations where ACP is sourceObject and RegistryObject is 

-Define that when evaluating access control for a RegistryObject, The 
following 4 sets of ACPs will be considered:

1. Default ACP for the Registry

2. User ACP

3. Submitting Organization's ACP (if any)

4. Responsible Organization's ACP (if any)

We need precedence rules for how the 4 sets play together. On this last 
point I am thinking some more and discussing with some experts.

The result is that a very powerful ACP model that takes into account the 
policies of all stake holder's in the RegistryObject. It also avoids 
having to evaluate policies that have nothing to do with this object 

What do people think of this suggestion?

Thanks to Joe for inspiring this idea. Reminds me that Mozart got it 
right the first time ;-)


To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]