OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] Policy combinations; how to preserve intended meaning...?

Hi again,

Here's a brief example to help illustrate the type of access
management scenarios I am trying to cater for.

On 10/19/06, argyn <argyn@cox.net> wrote:
> bring the examples, then people would be able to help you.

for example, all objects in the repository are open access by default,
a collection of objects may be restricted to postgrads only, except
for a particular group of undergrads, however there are culturally
sensitive images in some of the datastreams(data components of the
object) that are restricted to subjects of certain ethnicity or tribal
affiliation.  Clearly in this scenario you want each policy to be
applicable over different domains in the repository, however
specifying all these different policies using the default setup would
cause Fedora to find all the applicable policies for a request and
combine the evaluation results using DenyOverrides - disregarding the
intended effect of the various policies.  This is where the
first-applicable PolicySet for each object I described in my initial
post is useful.

> xacml can handle policy hierarchies. the question is how to construct them most
> effectively

Yes, I'm aware that XACML can do policy hierarchies however from what
I've managed to digest so far it seems that sunxacml doesn't have
explicit support for the hierarchical resource profile (as defined by
XACML 2.0), and neither does the Fedora PDP/PIP implement a
ResourceFinderModule capable of handling resource hierarchies as
discussed in the sunxacml programmer's guide.  Besides all this I
don't even think the hierarchical resource profile would be useful for
Fedora as any hierarchy you can conceive would only be three or four
levels deep and perhaps more importantly the APIs(read actions in
XACML) are setup explicitly to provide access at different points of
the object model.


In science one tries to tell people, in such a way
as to be understood by everyone, something that
no one ever knew before. But in poetry, it's the
exact opposite.
 - Paul Dirac

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]