Subject: RE: [xacml] Proposal on item 7 ConditionReference
>We've argued this same concept before, and we have consistently said that
>the <Policy> was the smallest unit of administration.

Smallest, yes. But not the largest unit of administration, I suppose? We do have information shared between policies. Functions, for example. What is the fundamental difference between a function declared somewhere else and an expression declared somewhere else? Policy evaluation trusts data from the context, why not trust dynamically computed data?

In most cases a policy writer lives with the fact that the data type of a particular attribute is fixed and defined outside of the policy. It is not declared in the policy - only used. The PIP's function is to provide the instance of the context against which the policy is evaluated, and this instance is shared between policies.

It seems to me that there is nothing wrong with sharing not only static, but also dynamically computed context data - but that would require a separate document to hold this policy data, with such a document being the description of the context (attribute and function declarations).

I agree that one <policy> should not reference anything in another <policy> document, so currently we cannot share indeed.

Daniel.