xacml-users message


Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml


Thank you for your reply!
I had already considered this solution, but I discarded it because this way the application logic is on the PEP, and I prefer to have it on the PDP. Is there any other possible solution to this problem that does not move the application logic into the PEP?
Thank you.

Regards

On 11/14/2011 11:21 AM, Ludwig Seitz wrote:
I think you are attacking the problem from the wrong side, i.e. the
policy side.

What I'd do in your place is to work from the PEP. You need to submit
multiple access control requests (you could actually use the Multiple
Resources Profile for this), one for each ancestor directory of the
file/directory you want to access.

Example:
Say you want to access: /a/b/foo.txt
you need to fire off 3 access control requests against the policy you
wrote: One for 'a', one for 'b' and one for 'foo.txt'. Then you need the
PEP to deny access if any of these requests is not permitted.

That's how I would do it. Hope it helps.


Regards,

Ludwig


--
Dott. Marco Biagi

Netfarm s.r.l.
Phone: +39 050 0981576
Fax:   +39 050 777659
Web:   http://www.netfarm.it/
Email: marco.biagi@netfarm.it
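
The per-component check described in the quoted reply, as an added example that is not part of the original messages: a deny-biased PEP that expands one file access into one request per path component and permits only if every decision is Permit. The `sample_pdp` stub, the sample policy, the use of full paths as resource ids and the "search" action on ancestor directories are assumptions made for illustration.

```python
import posixpath

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed sample policy standing in for a real PDP (assumption):
# (subject, resource, action) -> decision.
SAMPLE_POLICY = {
    ("alice", "/a", "search"): PERMIT,
    ("alice", "/a/b", "search"): PERMIT,
    ("alice", "/a/b/foo.txt", "read"): PERMIT,
    ("bob", "/a", "search"): PERMIT,
    ("bob", "/a/b", "search"): DENY,
    ("bob", "/a/b/foo.txt", "read"): PERMIT,
}

def sample_pdp(subject, resource, action):
    """Hypothetical PDP stub: answers one single-resource request."""
    return SAMPLE_POLICY.get((subject, resource, action), NOT_APPLICABLE)

def path_requests(path, action, traverse_action="search"):
    """Expand one access into (resource, action) pairs, one per component."""
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    # Collapse '.', '..' and duplicate slashes first, so the components
    # checked are the ones actually traversed (lexical only, no symlinks).
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    if not parts:
        raise ValueError("no path component to check")
    requests = []
    for i in range(1, len(parts) + 1):
        resource = "/" + "/".join(parts[:i])
        # Ancestors get the traversal action, the target the requested one.
        requests.append((resource, action if i == len(parts) else traverse_action))
    return requests

def pep_decide(pdp, subject, path, action):
    """Return (decision, failing_resource); anything but Permit denies."""
    for resource, act in path_requests(path, action):
        if pdp(subject, resource, act) != PERMIT:
            return DENY, resource
    return PERMIT, None
```

Treating NotApplicable and Indeterminate as Deny keeps a missing rule on any ancestor from silently granting access to the file below it.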


