OASIS Mailing List Archives: xacml-users message

Subject: Re: [xacml-users] Policy question


1. Anybody who can see a document is allowed to see all comments on it.

This is tricky. You can perhaps do it with the access-permitted function (section A.3.16 of the standard), but implementation of this function is optional and I don't expect many XACML engines to actually implement this (it's just too tricky to get this right without opening up the PDP to denial of service).
Indeed it is tricky. I don't think you can express this as you stated it here. I.e., I don't think XACML allows you to refer to the result of another policy evaluation in this sense, especially not because the object of the latter evaluation (document) would differ from the object of the former evaluation (document).

I think a good option is to put all the rules which permit a user to see a document in a single policy. Then, you can refer to that policy (without the "see document" target) below the "see comment" target. Or just add "see comment" to the "see document" target so that the same rules apply to comments and documents. However, again this solution is a bit strange with regard to the object, since the attributes of the respective document would probably have to be present when evaluating the policy about comments.



Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
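The second option in the reply above (one target that matches both actions, so the same rules govern documents and comments), written out as an added XACML 3.0 policy. This is an illustration for this archive page, not a policy from the thread, from OASIS or from any XACML engine. The action names (view-document, view-comment) and the attribute identifiers under urn:example: are assumptions; the standard XACML identifiers (categories, functions, combining algorithm, data types) are the real ones from the 3.0 core specification.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: one policy whose target admits both "view-document" and
     "view-comment", so a single rule set decides both requests.
     Assumed (not from the thread): the action names and every urn:example:* id. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:document-and-comment-read"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>
    Read access to a document and to the comments on it is decided by the same rule.
    deny-unless-permit turns any non-Permit outcome (NotApplicable, Indeterminate)
    into Deny, so a missing attribute fails closed.
  </Description>

  <Target>
    <!-- AnyOf: the request matches if EITHER AllOf below matches. -->
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view-document</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view-comment</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- Permit when at least one of the subject's groups is among the groups the
       document is shared with. Both designators return bags, which is what
       string-at-least-one-member-of expects. -->
  <Rule RuleId="urn:example:rule:shared-with-subject-group" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="urn:example:attribute:subject:group"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="false"/>
        <!-- This is the document's attribute, even for a view-comment request.
             MustBePresent="true": if the PEP forgets to send the parent
             document's groups with a comment request, the rule evaluates to
             Indeterminate, which deny-unless-permit reports as Deny. -->
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                             AttributeId="urn:example:attribute:document:shared-with-group"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

The design choice follows the caveat in the reply: the rule only ever looks at document attributes, so the PEP (or a PIP) must attach the parent document's `shared-with-group` values to the resource category of every `view-comment` request. Setting `MustBePresent="true"` on that designator, combined with `deny-unless-permit`, means a request that arrives without those attributes is denied rather than silently treated as not applicable.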
