xacml-users message



Subject: RE: [xacml-users] Implementing UNIX file system acl using xacml


Marco,

Must you use XACML 2.0?

This is an important use case, and represents a general pattern that should be handled by XACML.  The 3.0 improvements to the hierarchical profile, and perhaps the 'access-permitted' function of XACML 3.0, might help.

I have not used XACML 2.0 in quite a while, so I would prefer to analyze this with respect to 3.0, but if you are stuck with 2.0 I will see what can be done.

Regards,
--Paul

-----Original Message-----
From: Ludwig Seitz [mailto:ludwig@sics.se] 
Sent: Monday, November 14, 2011 7:49 AM
To: Marco Biagi
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml

On Mon, 2011-11-14 at 14:29 +0100, Marco Biagi wrote:
> Thank you for your new reply!
> I had already taken this solution into account too, but I had discarded it
> because in this way, like the previous one, the authorization logic is
> not in the policy but in the function I write, for example in Java (in
> the previous solution it was in the PEP).
> I think that a good solution should have the authorization logic exactly
> where you expect it to be: in the policy.
> I think it is strange that a language such as XACML doesn't allow one to
> write this type of policy with its expression language.
> Is it possible that the XACML expression language (I'm talking about the 2.0
> version) has some limitations working on higher-order bags?
> Thank you in advance again!
> Regards,

Without looking more closely I'm inclined to believe you are right: it is a limitation of the XACML language.

If you design a generic XACML extension to solve this problem, I would encourage you to submit it to the TC; it may become part of the next version of XACML.

/Ludwig


--
Ludwig Seitz, PhD
Swedish Institute of Computer Science
Ideon Science Park
Building Beta 2 3v
Scheelevägen 17
SE-223 70 Lund

Phone +46(0)70-349 92 51
http://www.sics.se

