xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-dev] remote PDP


On Fri, 8 Oct 2004 15:47:27 -0500, Fernando Vazquez  
<fernando.vazquez@jerichosystems.com> wrote:

>  3) A far better approach to remote PDP's,  in our humble opinion, is to  
> have the application be a PEP outright and request a decision from a  
> centralized PDP based on the resource and action attempted (as well as  
> attributes, etc).

[skip]

>  5) With a centralized PDP, disperse datasources can now be normalized  
> and introduced into the decisioning process in addition to any  
> attributes from the requesting PEP.

Heh, the problem is "how does a central PDP get all required attributes?". It  
should request applications to provide this data. Sort of a "call back" to  
application PEPs.

In large enterprises there are hundreds of databases and applications. PDP  
must be able to retrieve any required attribute for any application  
specific resource. Only application's business logic code can do it.  
Central PDP can have "root" access to all databases. This assumption  
itself is pretty strong though. Even if it had "root" password, it can't  
interpret the data in the databases. It's impossible.

Besides, while I'm rethinking my approach, it seems that having multiple  
PDPs on each app server would unload the central server. Performance would  
be better in case of multiple PDPs.


thanks,
Argyn
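An added example (my own code, not from this thread or from any XACML implementation) of the "call back to application PEPs" that the message above describes: a toy PDP resolves each attribute a rule needs first from the request and then through an attribute finder that the owning application registered, so the business logic that understands the application's database stays inside that application. When no one can supply the attribute the PDP returns Indeterminate rather than guessing. The rule format, the attribute ids, the `invoicing` app id and the `INVOICE_DB` table are all constructed for this example and are not XACML syntax.

```python
"""Toy XACML-style PDP with per-application attribute finders (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# An attribute finder is the callback a PEP registers so that the PDP can
# fetch application-specific attributes that the request did not carry.
AttributeFinder = Callable[[str, Dict[str, str]], Optional[str]]


@dataclass
class Rule:
    effect: str                 # "Permit" or "Deny"
    conditions: Dict[str, str]  # attribute-id -> required value; "@other-id"
                                # means "equal to the value of attribute other-id"


@dataclass
class PDP:
    rules: List[Rule]                                     # first-applicable order
    finders: Dict[str, AttributeFinder] = field(default_factory=dict)  # keyed by app-id

    def register_finder(self, app_id: str, finder: AttributeFinder) -> None:
        self.finders[app_id] = finder

    def _resolve(self, attr_id: str, request: Dict[str, str]) -> Optional[str]:
        """Request attributes first; otherwise ask the owning application's finder."""
        if attr_id in request:
            return request[attr_id]
        finder = self.finders.get(request.get("app-id", ""))
        return finder(attr_id, request) if finder else None

    def evaluate(self, request: Dict[str, str]) -> str:
        for rule in self.rules:
            applicable = True
            for attr_id, wanted in rule.conditions.items():
                value = self._resolve(attr_id, request)
                expected = self._resolve(wanted[1:], request) if wanted.startswith("@") else wanted
                if value is None or expected is None:
                    # A needed attribute nobody can supply: the rule (and, under
                    # first-applicable combining, the decision) is Indeterminate.
                    return "Indeterminate"
                if value != expected:
                    applicable = False
                    break
            if applicable:
                return rule.effect
        return "NotApplicable"


# Constructed stand-in for an application's private database: only the
# invoicing application knows who owns which invoice.
INVOICE_DB = {"42": {"owner": "alice"}, "43": {"owner": "bob"}}


def invoicing_finder(attr_id: str, request: Dict[str, str]) -> Optional[str]:
    """The invoicing PEP's callback: maps an abstract attribute onto its own schema."""
    if attr_id == "invoice-owner":
        row = INVOICE_DB.get(request.get("resource-id", ""))
        return row["owner"] if row else None
    return None


# Constructed policy: owners may read their invoices; any other read is denied.
RULES = [
    Rule("Permit", {"action": "read", "invoice-owner": "@subject-id"}),
    Rule("Deny", {"action": "read"}),
]


def build_central_pdp() -> PDP:
    """Central PDP that the invoicing application has registered its finder with."""
    pdp = PDP(RULES)
    pdp.register_finder("invoicing", invoicing_finder)
    return pdp


def decide(pdp: PDP, subject: str, action: str, resource: str) -> str:
    """What the invoicing PEP sends: who, what, on which resource, and which app it is."""
    return pdp.evaluate({"app-id": "invoicing", "subject-id": subject,
                         "action": action, "resource-id": resource})


if __name__ == "__main__":
    central = build_central_pdp()
    print(decide(central, "alice", "read", "42"))   # Permit
    print(decide(central, "bob", "read", "42"))     # Deny
    print(decide(central, "alice", "read", "99"))   # Indeterminate: no such invoice
    print(decide(PDP(RULES), "alice", "read", "42"))  # Indeterminate: no finder registered
```

The last call shows the point of the message: a PDP with "root" access to nothing more than the request cannot evaluate the policy at all, because `invoice-owner` only has meaning inside the invoicing application. The same `PDP` class instantiated on each application server, with the finder registered as an in-process call, is the local-PDP variant the message mentions; the policy and the decisions are unchanged, only the network hop disappears.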

