Subject: Re: [xacml-users] Policy combinations; how to preserve intendedmeaning...?
Hi Blair. From what I've heard, your ordered approach sounds reasonable. As Argyn notes, having a flat set of references and using first-applicable is a little unusual, but there's nothing wrong with this, and given your application it sounds like a decent idea. Use of first-applicable and ordered algorithms is somewhat a matter of preference; I use both regularly and find that some situations need them whereas others don't. Argyn's suggestion to add at least a little depth sounds like a good one too if you plan to have many policies, if only to help keep things in a managable state. It also might make it easier to recycle collections of policies. If you changed your mind about diving into XACML and wanted a little adventure in your life  I'd suggest looking at the parameters feature that was added in XACML 2.0. You'd have to write your own algorithm, but you could then add "weight" or "priority" or whatever else you liked to each element being combined. This might help further define the relationships you're trying to build. I haven't thought deeply about this, but it strikes me that it might be a useful approach. As to hierarchies, you're right (in my opinion) that this isn't the way to go. This feature really exists to describe things like hierarchical filesystems, tree-structured data, etc. You have a somewhat different problem that needs solving. FYI, SunXACML does support the 1.x notion of hierarchies, which is quite close to the 2.0 feature. 2.0 support is partially finished, but not ready (one of these days..). seth  I guess this something about the relative excitement in my life..