Subject: Re: [xacml-dev] remote PDP
On Fri, 8 Oct 2004 15:47:27 -0500, Fernando Vazquez
<fernando.vazquez@jerichosystems.com> wrote:
> 3) A far better approach to remote PDP's, in our humble opinion, is to
> have the application be a PEP outright and request a decision from a
> centralized PDP based on the resource and action attempted (as well as
> attributes, etc).

[skip]

> 5) With a centralized PDP, disperse datasources can now be normalized
> and introduced into the decisioning process in addition to any
> attributes from the requesting PEP.

Heh, the problem is "how central PDP gets all required attributes?".
It should request applications to provide this data. Sort of a "call
back" to application PEPs.

In large enterprises there are hundreds of databases and applications.
PDP must be able to retrieve any required attribute for any application
specific resource. Only application's business logic code can do it.

Central PDP can have "root" access to all databases. This assumption
itself is pretty strong though. Even if it had "root" password, it
can't interpret the data in the databases. It's impossible.

Besides, while I'm rethinking my approach, it seems that having
multiple PDPs on each app server would unload the central server.
Performance would be better in case of multiple PDPs.

thanks,
Argyn
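
The "call back" arrangement discussed in this message, as an added example that is not part of the original post or of any XACML implementation: a central PDP uses an attribute the PEP sent with the request and otherwise asks a resolver registered by the owning application. All names (CentralPDP, hr_resolver, the owner rule, the records) are hypothetical, and the return strings only borrow XACML's four decision values.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical names throughout; a simplified model, not XACML syntax.
Resolver = Callable[[str, str], Optional[str]]  # (resource, attribute) -> value

class CentralPDP:
    def __init__(self) -> None:
        self._resolvers: Dict[str, Resolver] = {}
        self.callbacks = 0  # remote lookups made on behalf of requests

    def register(self, app: str, resolver: Resolver) -> None:
        # The application supplies the code that can interpret its own data.
        self._resolvers[app] = resolver

    def _attribute(self, request: dict, name: str) -> Optional[str]:
        if name in request["attributes"]:      # sent by the PEP with the request
            return request["attributes"][name]
        resolver = self._resolvers.get(request["app"])
        if resolver is None:                   # nobody can supply the attribute
            return None
        self.callbacks += 1                    # call back to the owning application
        return resolver(request["resource"], name)

    def decide(self, request: dict) -> str:
        # Constructed rule: the owner of a resource may read it.
        if request["action"] != "read":
            return "NotApplicable"
        owner = self._attribute(request, "owner")
        if owner is None:
            return "Indeterminate"             # PEP should treat this as a refusal
        return "Permit" if owner == request["subject"] else "Deny"

# Constructed sample data that only the (hypothetical) HR application can read.
HR_RECORDS = {"rec-17": {"owner": "alice"}}

def hr_resolver(resource: str, attribute: str) -> Optional[str]:
    return HR_RECORDS.get(resource, {}).get(attribute)

def demo() -> Tuple[List[str], int]:
    pdp = CentralPDP()
    pdp.register("hr", hr_resolver)
    base = {"subject": "alice", "action": "read", "resource": "rec-17"}
    decisions = [
        pdp.decide({**base, "app": "hr", "attributes": {}}),                # callback
        pdp.decide({**base, "app": "hr", "attributes": {"owner": "bob"}}),  # pushed
        pdp.decide({**base, "app": "crm", "attributes": {}}),               # no resolver
    ]
    return decisions, pdp.callbacks
```

The callback counter makes the cost visible: every attribute the PEP does not send becomes a round trip from the central PDP to the application.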