Subject: Re: [xacml-users] Clarification of Hierarchical Resource Profile
Hi Steve,

Not sure if I fully understand your questions, but will try to respond inline. Note: my first few responses are attempting to understand your question; the later responses are probably closer to being in the answer space of your questions. I do not expect that this will fully answer your questions but hopefully it will move the ball down the field a bit.

Thanks,
Rich

Steve Bayliss wrote:

I am having trouble parsing the following paragraph. I will deal with each segment in sequence:

The sentence above appears to be asking the question: Does the HRP deal with "resources-in-path-context"? If that is the question, then what does the term "resources-in-path-context" mean? For example, XACML Policy deals with information in the RequestContext. Is this what you are referring to?

The answer to the first part of the question is "Yes, a policy can be written for it." As above, the term "resource-in-path-context" is undefined, at least to me, so I do not understand the last part of the question.

I do not understand the above statement at all. The first phrase appears to use the term policy redundantly: "policies (dealing with resources when being accessed as part of a particular collection) having a specific policy". The remainder I find more difficult to parse. My point here is not to criticize your sentence structure, but to try to understand what the point is you are trying to make, and possibly by explaining why I find it confusing, will help to establish a terminology where the issues can be addressed.

That being said, the last phrase appears to me to be saying: There is some kind of distinction between:

Ok, assuming the above URI pathname portions plus leading "/" are provided as resource-ids (where multiple resource-ids for the same resource are allowed as specified in section 6.3), the two provided above seem like a reasonable pair of example paths. Note: I do not believe there was intentional "relaxation" in 3.0. Note there are 2 non-XML node identification schemes in the HRP:

There is only one resource, but it will have 2 resource-ids, so the answer to above is "no" to the first part and "yes" to the 2nd part.

There is no requirement for two Policies, as opposed to say two Rules, but yes, it is likely that both the regexes you propose would appear.

It is ok to specify only one path in the request, but it depends on the Policy structure whether that would be accepted or not, i.e. does the Policy state:

Sorry, I am not sure what you are trying to say here. There is no requirement on the engine to use any specific method for processing the above scenario.

I assume so; however, it sounds like you may have a concern that for some reason both forms should not co-exist. Is that a concern?

I'm afraid you are going to have to be more specific here about what information is being processed. My assumption is that all required info is in the request context. If all that is there is "c" then how does one derive full paths?

Correct, but see comment above. It depends if Policy requires resource to be member of both hierarchies or only one hierarchy.

Again, I am not sure what the term "resource-in-path-context" precisely means or the alternate phrase: "resource-accessed-as-member-of-collection", at least in the context of the HRP. The HRP is intended to represent single nodes in a hierarchy, and to also consider using the Multiple Resource Profile for defined "scopes" of nodes within a hierarchy.