Subject: Re: [xacml-dev] XACML 2.0 policy indexing based on resource and identity
Hello Hari,

I noticed your email, which appears to be asking a similar question to one that has been asked on the xacml-users email list:

http://lists.oasis-open.org/archives/xacml-users/201004/msg00003.html

I have posted a couple of responses to that email, which may be of interest to you:

http://lists.oasis-open.org/archives/xacml-users/201004/msg00019.html
http://lists.oasis-open.org/archives/xacml-users/201004/msg00027.html

The last email above, in particular, I think shows in detail, an approach that I think will address your questions as well. I will comment on that further below in line.

Thanks,
Rich

Hari Krishna wrote:
> Hi all,
>
> I had a question regarding indexing of XACML 2.0 policies. In my
> environment I have a huge number of policies (around 200K). I need to
> index them for better policy evaluation. All of my resources are
> either strings or regular expressions. Subjects are defined based on
> the user attributes. Apart from the policy evaluation I get below kind
> of search requests for policies.

The proposed soln in the above refs is strings and regular expressions as well.

>
> 1. What are the policies this user has access?

The proposed solution and examples provided therein provide a response (Obligations) containing a regular expression for each explicit permission applicable to the requesting Subject. These Obligations could easily be enhanced to include a PolicyId AttributeAssignment which could be the basis for indexing policies.

> 2. Who are persons has access to this resource?

We have not looked at this yet, but it seems on the surface, that one could place the special query string ("/-") in the subject-id, and then all policies applicable to the Resource could have a companion Policy containing the Obligations to send back for a Subject-based query. This would mean possibly, each rule would be a PolicySet with 3 child Policys: one for the rule, one for the Resource Obligations, and one for the Subject Obligations.

As mentioned in ref'd emails, it is assumed that a PolicyBuilder tool would be provided that could generate PolicySets from a template that could be defined by administrators to capture the structure of returns for the rules. If the overall scheme would work, then I think indexing could be set up in an appropriate fashion for optimal performance, but this is a new concept, at least to me, so there may be some as yet unforeseen gotchas.

>
> I want my indexing mechanism to efficiently serve these cases. I am
> really having problems in identifying matching policies with respect
> to subject.
>
> Can anyone suggest me some good ways to index subject and resources?
>
> Sorry if it is not the question to be posted in this forum.
>
> Thanks in advance
> Hari
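
The reply above suggests that Obligations carrying a resource regular expression plus a PolicyId AttributeAssignment could be the basis for indexing policies per Subject. The following is an added sketch of that idea, not code from the thread or from any XACML implementation: the two AttributeIds, the ObligationId, the policy names and the sample Response are constructed, and it assumes the PDP returns one Obligation per explicit permission.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Hypothetical AttributeIds; the thread does not name them.
REGEX_ID = "urn:example:obligation:resource-regex"
POLICY_ID = "urn:example:obligation:policy-id"

def _obligation(regex, policy):
    """Build one constructed Obligation element as text."""
    return (f'<x:Obligation ObligationId="urn:example:perm" FulfillOn="Permit">'
            f'<x:AttributeAssignment AttributeId="{REGEX_ID}" DataType="{STRING}">'
            f'{regex}</x:AttributeAssignment>'
            f'<x:AttributeAssignment AttributeId="{POLICY_ID}" DataType="{STRING}">'
            f'{policy}</x:AttributeAssignment></x:Obligation>')

# Constructed PDP response for one Subject (sample data, not real output).
SAMPLE_RESPONSE = (f'<Response xmlns="{CTX_NS}" xmlns:x="{POLICY_NS}"><Result>'
                   f'<Decision>Permit</Decision><x:Obligations>'
                   + _obligation("/reports/.*", "policy-reports")
                   + _obligation("/public/[a-z]+", "policy-public")
                   + '</x:Obligations></Result></Response>')

def index_obligations(subject, response_xml, index):
    """Add (compiled regex, PolicyId) pairs from one response to index[subject]."""
    root = ET.fromstring(response_xml)
    for ob in root.iter(f"{{{POLICY_NS}}}Obligation"):
        values = {a.get("AttributeId"): (a.text or "").strip()
                  for a in ob.iter(f"{{{POLICY_NS}}}AttributeAssignment")}
        pattern, policy = values.get(REGEX_ID), values.get(POLICY_ID)
        if pattern and policy:  # ignore obligations missing either field
            index[subject].append((re.compile(pattern), policy))
    return index

def policies_for(index, subject, resource):
    """PolicyIds whose regex matches the whole resource string."""
    # fullmatch, not search: a partial match would over-report access.
    return sorted({p for rx, p in index.get(subject, ()) if rx.fullmatch(resource)})

def build_sample_index():
    return index_obligations("alice", SAMPLE_RESPONSE, defaultdict(list))

if __name__ == "__main__":
    print(policies_for(build_sample_index(), "alice", "/reports/q1.pdf"))
```
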