Subject: Re: [xacml-users] Policy question
Indeed it is tricky. I don't think you can express this as you stated it here. I.e., I don't think XACML allows you to refer to the result of another policy evaluation in this sense, especially not because the object of the latter evaluation (document) would differ from the object of the former evaluation (document).

> 1. Anybody who can see a document is allowed to see all comments on it.

This is tricky. You can perhaps do it with the access-permitted function (section A.3.16 of the standard), but implementation of this function is optional and I don't expect many XACML engines to actually implement this (it's just too tricky to get this right without opening up the PDP to denial of service).
I think a good option is to put all the rules which permit a user to see a document in a single policy. Then, you can refer to that policy (without the "see document" target) below the "see comment" target. Or just add "see comment" to the "see document" target so that the same rules apply to comments and documents. However, again this solution is a bit strange with regard to the object, since the attributes of the respective document would probably have to be present when evaluating the policy about comments.
Regards,
Maarten

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
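As an added illustration (not part of the thread or of any XACML engine), a small Python sketch of the design suggested above: one policy whose target covers both "see document" and "see comment", rules written over the document's attributes, and a context-handler step that copies the parent document's attributes onto a comment request. The rule names, attribute ids and sample store are all constructed; the last case shows what happens when that enrichment is skipped.

```python
# Constructed resource store. Documents carry the attributes the rules use;
# a comment only records which document it belongs to.
DOCUMENTS = {"doc-1": {"owner": "alice", "classification": "internal"}}
COMMENTS = {"cmt-7": {"document": "doc-1"}}

# One target covering both actions, so the same rules (written over the
# document's attributes) govern documents and their comments.
TARGET_ACTIONS = {"see document", "see comment"}

# Rules take (subject, resource) attribute bags and return True for Permit.
# A KeyError means a referenced attribute was absent from the request.
RULES = {
    "owner-may-see": lambda s, r: s["subject-id"] == r["document-owner"],
    "staff-see-internal": lambda s, r: r["document-classification"] == "internal"
                                       and "staff" in s.get("roles", ()),
}

def context_handler(resource_id):
    """Build the resource attribute bag. For a comment, copy the parent
    document's attributes in; without this, document rules cannot be
    evaluated for a comment request."""
    if resource_id in DOCUMENTS:
        doc = DOCUMENTS[resource_id]
    elif resource_id in COMMENTS:
        doc = DOCUMENTS[COMMENTS[resource_id]["document"]]
    else:
        return {"resource-id": resource_id}
    return {"resource-id": resource_id,
            "document-owner": doc["owner"],
            "document-classification": doc["classification"]}

def evaluate(subject, action, resource):
    """Simplified permit-overrides PDP: Permit beats Indeterminate beats Deny;
    a request outside the target is NotApplicable."""
    if action not in TARGET_ACTIONS:
        return "NotApplicable"
    results = []
    for name, rule in RULES.items():
        try:
            results.append("Permit" if rule(subject, resource) else "Deny")
        except KeyError:
            results.append("Indeterminate")  # referenced attribute missing
    if "Permit" in results:
        return "Permit"
    return "Indeterminate" if "Indeterminate" in results else "Deny"

if __name__ == "__main__":
    alice, bob = {"subject-id": "alice"}, {"subject-id": "bob", "roles": ["staff"]}
    print(evaluate(alice, "see document", context_handler("doc-1")))   # Permit
    print(evaluate(bob, "see comment", context_handler("cmt-7")))      # Permit
    # Skipping the context handler leaves the comment without document attributes:
    print(evaluate(bob, "see comment", {"resource-id": "cmt-7"}))      # Indeterminate
```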