
xacml-dev message



Subject: Re: [xacml-dev] XACML 2.0 policy indexing based on resource and identity


Hello Hari,

I noticed your email, which appears to be asking a similar question to 
one that has been asked on the xacml-users email list:
  http://lists.oasis-open.org/archives/xacml-users/201004/msg00003.html

I have posted a couple of responses to that email, which may be of 
interest to you:
  http://lists.oasis-open.org/archives/xacml-users/201004/msg00019.html
  http://lists.oasis-open.org/archives/xacml-users/201004/msg00027.html

The last email above, in particular, I think shows in detail an 
approach that I think will address your questions as well. I will 
comment on that further below, inline.

    Thanks,
    Rich


Hari Krishna wrote:
> Hi all,
>  
> I had a question regarding indexing of XACML 2.0 policies. In my 
> environment I have a huge number of policies (around 200K). I need to 
> index them for better policy evaluation. All of my resources are 
> either strings or regular expressions. Subjects are defined based on 
> the user attributes. Apart from the policy evaluation I get the 
> following kinds of search requests for policies.
The proposed solution in the above refs is strings and regular expressions 
as well.
>  
> 1. What are the policies this user has access to?
The proposed solution and examples provided therein provide a response 
(Obligations) containing a regular expression for each explicit 
permission applicable to the requesting Subject. These Obligations could 
easily be enhanced to include a PolicyId AttributeAssignment which could 
be the basis for indexing policies.
> 2. Who are the persons that have access to this resource?
We have not looked at this yet, but it seems on the surface, that one 
could place the special query string ("/-") in the subject-id, and then 
all policies applicable to the Resource could have a companion Policy 
containing the Obligations to send back for a Subject-based query. This 
would mean possibly, each rule would be a PolicySet with 3 child 
Policys: one for the rule, one for the Resource Obligations, and one for 
the Subject Obligations. As mentioned in ref'd emails, it is assumed 
that a PolicyBuilder tool would be provided that could generate 
PolicySets from a template that could be defined by administrators to 
capture the structure of returns for the rules.

If the overall scheme would work, then I think indexing could be set up 
in an appropriate fashion for optimal performance, but this is a new 
concept, at least to me, so there may be some as yet unforeseen gotchas.
>  
> I want my indexing mechanism to efficiently serve these cases. I am 
> really having problems in identifying matching policies with respect 
> to subject.
>  
> Can anyone suggest some good ways to index subjects and resources?
>  
> Sorry if it is not the question to be posted in this forum.
>  
> Thanks in advance
> Hari
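
The two lookups asked about in this thread (policies applicable to a subject, and subjects with access to a resource), sketched as an added example that is not code from this thread, the referenced emails, or any XACML implementation. It assumes a simplified policy model (single-valued subject attributes that must all match, and a resource that is an exact string or a regular expression); the class, method names, policy ids and sample policies are hypothetical and constructed for illustration, and nothing here parses XACML.

```python
import re
from collections import defaultdict

class PolicyIndex:
    """Toy index over simplified policies; not an XACML parser or PDP."""
    def __init__(self):
        self.subject_conds = {}             # policy_id -> {attr: value}
        self.by_subject = defaultdict(set)  # (attr, value) -> policy ids
        self.any_subject = set()            # policies with no subject condition
        self.by_literal = defaultdict(set)  # exact resource string -> policy ids
        self.by_regex = []                  # (compiled pattern, policy_id)

    def add(self, policy_id, subject, resource, is_regex=False):
        self.subject_conds[policy_id] = dict(subject)
        if not subject:
            self.any_subject.add(policy_id)
        for pair in subject.items():
            self.by_subject[pair].add(policy_id)
        if is_regex:
            self.by_regex.append((re.compile(resource), policy_id))
        else:
            self.by_literal[resource].add(policy_id)

    def policies_for_subject(self, attrs):
        """Query 1: policies whose subject conditions are all met by attrs."""
        hits = defaultdict(int)
        for pair in attrs.items():
            for pid in self.by_subject.get(pair, ()):
                hits[pid] += 1
        # A policy applies only if every one of its conditions was hit.
        full = {p for p, n in hits.items() if n == len(self.subject_conds[p])}
        return full | self.any_subject

    def policies_for_resource(self, resource):
        """Policies whose resource string or regex covers this resource."""
        found = set(self.by_literal.get(resource, ()))
        # fullmatch: a pattern must not cover a longer path by prefix alone.
        found |= {pid for rx, pid in self.by_regex if rx.fullmatch(resource)}
        return found

    def who_can_access(self, resource):
        """Query 2: subject conditions of every policy covering the resource."""
        return {p: self.subject_conds[p] for p in self.policies_for_resource(resource)}

    def candidates(self, attrs, resource):
        """Policies still to be evaluated for this subject/resource pair."""
        return self.policies_for_subject(attrs) & self.policies_for_resource(resource)

def build_sample():
    idx = PolicyIndex()  # constructed sample policies
    idx.add("P1", {"role": "doctor"}, r"/records/[0-9]+", is_regex=True)
    idx.add("P2", {"role": "doctor", "dept": "cardiology"}, "/records/cardio-summary")
    idx.add("P3", {"role": "nurse"}, r"/records/[0-9]+/vitals", is_regex=True)
    return idx
```

Regex resources are scanned linearly here; with around 200K policies they would need a further partitioning step (for example by literal path prefix) that this sketch leaves out.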

