Subject: RE: [xacml-users] hierarchical resources


The thing to understand about hierarchical resources is that there are
many different semantics possible and in use by various access control
models. The XACML TC gave up on trying to support them all and kind of
defined some minimal capabilities. As a result some semantics are easy
to support and some are hard. IMO some of these are very poorly
conceived and bound to lead to results which will take admins by
surprise.

BEA has implemented hierarchical resources in order to support some
existing policy models which we inherited. I will see if our developer
has time to contact you off list.

Hal

> -----Original Message-----
> From: dhirendra sharma [mailto:dhirendra_sh@yahoo.com]
> Sent: Wednesday, June 21, 2006 12:06 PM
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] hierarchical resources
> 
> Has anyone used hierarchical resources for
> authorization?
> We have a hierarchical list of companies, and a user can
> be granted access (read, update, etc.) to a parent
> company; he then gets access to all the child
> companies along with the parent company that he was
> granted access to.
> 
> 
> I am planning to do the following:
> 
> Step 1 : Write a custom resource finder by extending
> ResourceFinderModule which returns a list of companies
> based on
> the parent company.
> 
> Step 2: In Request context :
> 
> <Resource>
>     <Attribute
>         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
>         DataType="http://www.w3.org/2001/XMLSchema#string">
>       <AttributeValue>Company-id</AttributeValue>
>     </Attribute>
>
>     <Attribute
>         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:scope"
>         DataType="http://www.w3.org/2001/XMLSchema#string">
>       <AttributeValue>Descendants</AttributeValue>
>     </Attribute>
> </Resource>
> 
> 
> Step 3: In Policy file :
> 	Still thinking about it. Any input welcome from how to
> to best practice.
> 
> 
> Does this approach look correct, or is there some
> better alternative way?
> 
> Thanks,
> Dhirendra Sharma
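A small model of the approach in the quoted question, added here as an illustration and not code from either poster or from any XACML library: it assumes scope Descendants yields one decision per company in the subtree and that a grant on a parent applies to its children. The company names, grants and function names are constructed for the example.

```python
# Constructed sample data: company -> parent company (None marks a root).
PARENT = {
    "acme": None,
    "acme-eu": "acme",
    "acme-de": "acme-eu",
    "acme-us": "acme",
    "globex": None,
}

# Constructed grants: (user, company) -> actions granted directly on that company.
GRANTS = {
    ("alice", "acme-eu"): {"read", "update"},
    ("bob", "acme"): {"read"},
}


def ancestors_and_self(company, parent=PARENT):
    """Walk from a company up to its root; reject cycles in the hierarchy data."""
    seen = []
    while company is not None:
        if company in seen:
            raise ValueError("cycle in company hierarchy at " + company)
        seen.append(company)
        company = parent[company]
    return seen


def descendants_and_self(root, parent=PARENT):
    """What a resource finder would return for scope=Descendants (sorted)."""
    return sorted(c for c in parent if root in ancestors_and_self(c, parent))


def decide(user, action, company, grants=GRANTS, parent=PARENT):
    """Permit if the action is granted on the company itself or on any ancestor."""
    for node in ancestors_and_self(company, parent):
        if action in grants.get((user, node), ()):
            return "Permit"
    return "NotApplicable"  # no grant matched; this model has no Deny rules


def evaluate_scope(user, action, root, scope="Descendants"):
    """Return one decision per resource, not a single decision for the subtree."""
    targets = descendants_and_self(root) if scope == "Descendants" else [root]
    return {c: decide(user, action, c) for c in targets}
```

A request on "acme" with scope Descendants by a user whose grant sits on "acme-eu" comes back mixed (Permit for "acme-eu" and "acme-de", NotApplicable for "acme" and "acme-us"), so the caller has to handle per-resource results.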
