xacml-comment message

Subject: Re: [sunxacml-discuss] Resource-id


Argyn,

This is a question about how to use the XACML language itself,
rather than Sun's XACML implementation.  As such, I am cc'ing
"xacml-comment@lists.oasis-open.org" on this response.  I suggest
future questions of this type go directly to
"xacml-comment@lists.oasis-open.org" so the XACML TC can be aware
of how people are trying to use the XACML language, and problems
you may be having.

This is an add-on to Seth's response.

On 17 September, Kuketayev, Argyn writes: [sunxacml-discuss] Resource-id
 > There's a mandatory resource-id attribute in the XACML request. Spec
 > says that it defines identity of the resource. I have a little trouble
 > with this.
 > 
 > If we talk in terms of object-oriented analysis, then is this
 > resource-id comparable to notion of Object Id? Or is it more like a
 > class?
 > 
 > Here's an example. I have an object asset1, which is an instance of
 > class Asset. In the database, it's stored in a table tab_assets with
 > primary key columns "database" and "schema". Subsequently, class Asset
 > has fields "database" and "schema".
 > 
 > So, the identity of the object asset1 is defined by values of the above
 > two fields, and its class name. If I serialize this object into string,
 > I'd have these three values. It would be something like:
 > "asset:database1,server1".
 > 
 > Now, I'm making a XACML request. What's going to be the request-id? 

This seems like it might fit into the XACML Hierarchical
Resources model.  If the "resource-id" were expressed as
something like "/server1.../Asset/database/asset1", then policies
could be written giving or preventing access to anything on

- "/server1..." (everything on "server1"),
- "/server1.../Asset" (i.e. both database and schema on server1),
- "/server1.../Asset/database/" (i.e. all instances of Asset
  in the database on server1).

I may not have the best model for your hierarchy, but this is the
idea.  The resource is not inherently hierarchical, but your
management of it may be.

You could implement this with the current XACML implementation if
you use data type "...:string" for your "resource-id" and use
function "regexp-string-match" to match on the set of resource-id
values you want your policy to apply to.

Anne

 > 1. If I do direct comparison to object model or database schema of my
 > application, then it seems like it has to be "asset:database1,server1",
 > i.e. primary key plus table name in terms of relational DB. In this
 > case, attribute comparison is a pain. What if I want to allow access to
 > certain databases only? Also, if I want to allow access only to assets,
 > but not other resources, then again I have to parse resource-id or
 > introduce resource-type attribute and so on. 
 > 
 > 2. On the other hand, I can define resource-id as simply "asset", then
 > primary key columns will go into other attributes of the resource. This
 > approach is easier for policy writing, but it gives a totally different
 > meaning to resource identity.
 > 
 > Currently, I'm using the latter, and happy with it. However, I'm not
 > sure that it's the right way.
 > 
 > Thanks,
 > Argyn
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
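Anne's two suggestions above, a path-like hierarchical resource-id and a string-typed resource-id matched with regexp-string-match, worked through as an added example. This is editorial code, not code from the thread, from the XACML specification or from Sun's XACML implementation. The server, class and key names are made up, regexp-string-match is modelled by a toy stand-in with unanchored search semantics, and a deny-overrides combiner is assumed. It shows the two things a practitioner has to get right with this approach: anchor every pattern (whether the match is implicitly anchored has differed between XACML versions, since XACML 1.0 defined the function in terms of XML Schema regular expressions and XACML 2.0 in terms of XPath fn:matches, so explicit ^ and $ make the rule mean the same thing everywhere), and percent-encode primary-key values before splicing them into the path, so a key containing "/" cannot place an object in another branch of the hierarchy.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote

# All server, class and key names below are constructed for illustration.


def hierarchical_resource_id(server, cls, *keys):
    """Build a path-like resource-id such as /server1/Asset/database/asset1.

    Every component is percent-encoded with no characters left "safe", so a
    primary-key value containing "/" cannot introduce an extra level and make
    an Asset look like it lives under a different class or server.
    """
    parts = [server, cls, *keys]
    return "/" + "/".join(quote(str(p), safe="") for p in parts)


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # regular expression evaluated against the resource-id string
    effect: str    # "Permit" or "Deny"


def regexp_string_match(pattern, value):
    """Toy stand-in for XACML's regexp-string-match (not Sun's implementation).

    Modelled with unanchored search semantics: true if the pattern matches
    anywhere in the value. Rules therefore have to carry their own ^ and $.
    """
    return re.search(pattern, value) is not None


def evaluate(rules, resource_id):
    """Deny-overrides over the rule list (assumed combining algorithm).

    Any matching Deny wins; otherwise Permit if any rule matched; otherwise
    NotApplicable. Returns (decision, names of the rules that matched).
    """
    matched = [r for r in rules if regexp_string_match(r.pattern, resource_id)]
    names = [r.name for r in matched]
    if any(r.effect == "Deny" for r in matched):
        return "Deny", names
    if matched:
        return "Permit", names
    return "NotApplicable", names


# The naive rendering of Anne's bullets: bare substrings, no anchors.
# "/server1" also matches "/server10/...", which is the over-match to avoid.
SLOPPY_RULES = [
    Rule("everything-on-server1", "/server1", "Permit"),
    Rule("assets-in-server1-database", "/server1/Asset/database/", "Permit"),
]

# Same intent, anchored, one path level per [^/]+ so a rule for one
# subtree cannot leak onto a sibling server or a deeper or shallower level.
STRICT_RULES = [
    Rule("everything-on-server1", r"^/server1(/[^/]+)*$", "Permit"),
    Rule("assets-in-server1-database", r"^/server1/Asset/database/[^/]+$", "Permit"),
    Rule("no-reports-on-server1", r"^/server1/Report/[^/]+$", "Deny"),
]


if __name__ == "__main__":
    requests = [
        hierarchical_resource_id("server1", "Asset", "database", "asset1"),
        hierarchical_resource_id("server10", "Asset", "database", "asset2"),
        hierarchical_resource_id("server1", "Report", "r1"),
        # A hostile primary key: encoding keeps it a single path component.
        hierarchical_resource_id("server1", "Asset", "database", "../Report/r1"),
    ]
    for rid in requests:
        print(f"{rid:45} sloppy={evaluate(SLOPPY_RULES, rid)[0]:14} "
              f"strict={evaluate(STRICT_RULES, rid)[0]}")
```

Running the block prints the sloppy and strict decisions side by side: the unanchored policy permits "/server10/Asset/database/asset2" because "/server1" is a substring of it, while the anchored policy returns NotApplicable for it and lets the Report deny override the server-wide permit.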
