Subject: Re: [xacml] first proposal for hierarchical resources


Comments on "first proposal", by how it deals with the <Policy>
and <Request> aspects of the deficiencies in XACML handling of
hierarchical resources.

<Policy> EXPRESSION ASPECTS OF THE PROBLEM:

a) How, where xpath-node-match is insufficient, to express
   matches between a resource description contained in a
   <Request> with a resource description contained in a <Policy>,
   where the resource is hierarchical.

b) How to express permitted <Actions> for a resource, where
   certain <Action> identifiers imply other <Action>
   identifiers.

c) How to express permitted <Actions> for a resource, where
   certain <Action> identifiers require being permitted to
   perform the <Action> on every node above or below the
   immediate node being accessed.

<Policy> EVALUATION ASPECTS OF THE PROBLEM:

d) Define how an "xpath-node-match" in a <Policy> interacts with
   a <Resource> in a Request that has a "resource:scope"
   Attribute.

e) How to deal with a <Resource> having a "resource:scope"
   Attribute where the <Resource> can not be described using
   "xpath-node-match".

COMMENTS ON PROPOSED SOLUTION:

   1. The proposed solution handles <Policy> EXPRESSION aspects
      b) and c) by embedding a description of the propagation and
      implication rules for a Resource Model in the <Policy>
      itself.  Presumably a given Resource Model will not have
      different rules in different <Policies>, so why is this
      being defined in this way?

   2. The ModelURI attribute for a "resource model", in this
      proposal, is being used no differently from "DataType" in
      XACML 1.0.  Why are we creating a different attribute?

   3. The proposed solution does not handle <Policy> EXPRESSION
      aspect c): there is still no syntax to state that a given
      "resource-id" <AttributeValue> X in a <Policy> "implies" or
      "matches" or "is higher in the hierarchy than" a given
      "resource-id" <Attribute> value Y in a <Request>, where X
      and Y are expressions describing a hierarchical resource.

   4. The proposal does not give any guidance on how to deal with
      <Policy> EVALUATION aspects d) and e).

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
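The matching and evaluation questions the message lists (a through e) can be made concrete with a small model. The block below is an added illustration, not text from the XACML specification, not the proposal under discussion, and not any PDP's code. Everything in it is constructed: the resource document, the policy rules, the action-implication table ("write" implies "read"), the ancestor requirement ("delete" on a node needs "write" on every node above it), and the convention that a resource:scope of "Children" or "Descendants" denotes the named node together with its children or descendants. The xpath-node-match semantics follow XACML 1.0 (true when a node selected by the first expression, or any node below it, is a node selected by the second expression); the XPath subset is whatever Python's ElementTree accepts.

```python
"""Toy model of hierarchical-resource matching in an XACML-like PDP.

Added illustration only: resource tree, policy, scope convention and
action tables are constructed here and are not part of any specification.
"""
import xml.etree.ElementTree as ET

# Constructed hierarchical resource (a patient-record tree).
RESOURCE_XML = """
<records>
  <patient id="p1">
    <demographics/>
    <visits>
      <visit id="v1"><notes/></visit>
      <visit id="v2"><notes/></visit>
    </visits>
  </patient>
  <patient id="p2"><demographics/></patient>
</records>
"""
ROOT = ET.fromstring(RESOURCE_XML)

SCOPE_IMMEDIATE, SCOPE_CHILDREN, SCOPE_DESCENDANTS = "Immediate", "Children", "Descendants"

# Assumed resource-model rules, kept outside the policy (the point of comment 1):
ACTION_IMPLIES = {"write": {"read"}}             # aspect b: write implies read
ACTION_NEEDS_ON_ANCESTORS = {"delete": "write"}  # aspect c: delete needs write above

# Constructed policy: (XPath selecting the policy's resource nodes, granted actions).
POLICY = [
    (".//patient[@id='p1']/visits", {"write", "delete"}),
    (".//patient[@id='p1']", {"read"}),
]


def _parent_map(root):
    return {child: parent for parent in root.iter() for child in parent}


def node_path(root, target):
    """Human-readable absolute path of a node, used as the result key."""
    parents = _parent_map(root)
    parts, n = [], target
    while n is not None:
        parts.append(n.tag + ("[@id='%s']" % n.get("id") if n.get("id") else ""))
        n = parents.get(n)
    return "/" + "/".join(reversed(parts))


def xpath_node_match(root, policy_xpath, request_xpath):
    """XACML 1.0 xpath-node-match: true if a node selected by policy_xpath,
    or any node below it, is the same node as one selected by request_xpath."""
    request_nodes = root.findall(request_xpath)
    return any(any(n is r for r in request_nodes)
               for p in root.findall(policy_xpath) for n in p.iter())


def close_actions(granted):
    """Close a granted action set under ACTION_IMPLIES (aspect b)."""
    closed, stack = set(granted), list(granted)
    while stack:
        for implied in ACTION_IMPLIES.get(stack.pop(), ()):
            if implied not in closed:
                closed.add(implied)
                stack.append(implied)
    return closed


def expand_scope(root, request_xpath, scope):
    """Aspects d/e: one <Resource> with resource:scope becomes the individual
    nodes to decide on.  Assumption: Children/Descendants include the node."""
    nodes = root.findall(request_xpath)
    if scope == SCOPE_IMMEDIATE:
        return nodes
    if scope == SCOPE_CHILDREN:
        return [n for node in nodes for n in [node] + list(node)]
    if scope == SCOPE_DESCENDANTS:
        return [n for node in nodes for n in node.iter()]
    raise ValueError("unknown resource:scope %r" % scope)


def _granted(root, policy, node, action):
    """True if some policy rule grants `action` at `node` or at an ancestor."""
    return any(action in close_actions(granted)
               and any(n is node for p in root.findall(xp) for n in p.iter())
               for xp, granted in policy)


def decide(root, policy, request_xpath, scope, action):
    """Return {node_path: 'Permit' | 'NotApplicable'} for every scoped node."""
    parents, results = _parent_map(root), {}
    for node in expand_scope(root, request_xpath, scope):
        ok = _granted(root, policy, node, action)
        needed = ACTION_NEEDS_ON_ANCESTORS.get(action)
        if ok and needed:  # aspect c: the action must also hold on every ancestor
            ancestor = parents.get(node)
            while ok and ancestor is not None:
                ok = _granted(root, policy, ancestor, needed)
                ancestor = parents.get(ancestor)
        results[node_path(root, node)] = "Permit" if ok else "NotApplicable"
    return results


if __name__ == "__main__":
    for path, d in decide(ROOT, POLICY, ".//patient[@id='p1']/visits", SCOPE_CHILDREN, "read").items():
        print(path, d)
    print(decide(ROOT, POLICY, ".//visit[@id='v1']", SCOPE_IMMEDIATE, "delete"))
```

Running it shows why the message's aspects are separate questions: the "read" request on the visits node with scope Children yields one Permit per child (aspect d), the rule granting "write" on the visits subtree satisfies "read" there only because of the implication table (aspect b), and "delete" on visit v1 is not applicable even though delete is granted on the subtree, because "write" is not held on the ancestor patient node (aspect c). All of those rules live in the model, not in the policy document, which is the separation comment 1 asks about.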