[xacml] Problem Statement for "Fully specify hierarchical resources"

[Anne Anderson <Anne.Anderson@Sun.com>]

This is a concrete problem statement for the XACML 1.1 work item
titled "Fully specify hierarchical resources".

While the spec makes it clear how hierarchical resources are
supposed to be handled in the abstract, there are no concrete
rules for how to handle particular types of resource hierarchies
(eg filesystems, XML documents, LDAP services, etc).  Because of
this, it is not possible to provide implementations of XACML that
can properly handle resource hierarchies in an interoperable and
predictable way.

In order for there to be good interoperability here, there needs
to be standard language describing how to handle some of the more
common kinds of hierachies, and it needs to cover the tricky
cases like what happens when a parent node can't resolve some
descendant nodes, etc.

There also needs to be a way to identify which kind of hierarchy
a particular resource in a policy follows.  This may be implicit
for some types of resources (e.g. .xml documents?), but not for
others (e.g. filesystems that are not UNIX-like).  Such an
identifier would allow an implementation to invoke the hierarchy
manager appropriate for the hierarchy type, or to report that it
is unable to interpret the specified hierarchy type.

Submitted by Anne Anderson and Seth Proctor.

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692


----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>