Subject: Re: [xacml-users] Policy combinations; how to preserve intended meaning...?

Hi Blair.

> I've had some feedback from the fedora-users list too and it turns out
> that the XACML support in Fedora is not as complete as it seems.
> Apparently target matching and IdReference are not supported, I'll
> have to look into this further as I find it hard to believe that
> target matching wouldn't be supported given it's such a key feature -
> doesn't the Sun PDP do this for free anyhow?!

Yes, SunXACML certainly does Target matching. It's possible that they  
just don't expose the infrastructure to let you do any custom  
matching, or that they structure their policies in such a way that  
they don't need this feature. I haven't looked at Fedora in a long
time, so I'm not sure what's going on in there.

> I imagine adding
> support for references to the PolicyFinder module would not be too
> difficult.  Trouble is that this is supposed to be a
> prototype/feasibility study, I'll find out today whether the higher
> ups think it's worth the time.

Adding support is easy, but then you have to address two key issues:  
how you do caching and refresh, and where you store your policies.  
These can be handled simply if you don't need really efficient  
evaluation, but can become complex management issues. For a proof of  
concept, I'm happy to help you add simple support for references if  
Fedora will support it.


