Re: [xacml-users] Policy combinations; how to preserve intendedmeaning...?

[Seth Proctor <Seth.Proctor@sun.com>]

Hi Blair. From what I've heard, your ordered approach sounds reasonable.
As Argyn notes, having a flat set of references and using
first-applicable is a little unusual, but there's nothing wrong with
this, and given your application it sounds like a decent idea. Use of
first-applicable and ordered algorithms is somewhat a matter of
preference; I use both regularly and find that some situations need them
whereas others don't. Argyn's suggestion to add at least a little depth
sounds like a good one too if you plan to have many policies, if only to
help keep things in a managable state. It also might make it easier to
recycle collections of policies.

If you changed your mind about diving into XACML and wanted a little
adventure in your life [1] I'd suggest looking at the parameters feature
that was added in XACML 2.0. You'd have to write your own algorithm, but
you could then add "weight" or "priority" or whatever else you liked to
each element being combined. This might help further define the
relationships you're trying to build. I haven't thought deeply about
this, but it strikes me that it might be a useful approach.

As to hierarchies, you're right (in my opinion) that this isn't the way
to go. This feature really exists to describe things like hierarchical
filesystems, tree-structured data, etc. You have a somewhat different
problem that needs solving. FYI, SunXACML does support the 1.x notion of
hierarchies, which is quite close to the 2.0 feature. 2.0 support is
partially finished, but not ready (one of these days..).


seth


[1] I guess this something about the relative excitement in my life..