OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] [Issue] How many resourceIds in request context?

>> As hierarchical relationship and meaning of resource scope can be inferred by PDP
>> without having to determine the value of “resource-id”

>Yes, I know it may be possible, but I believe that such a flexibility violates an interoperability of PDP implementations
since different PDP implementations may implement different semantics of
the "scope" attribute, that is, it is up to a particular PDP implementation how to
process the "scope" attribute.

How would it be in any way different from the current description?  If it may be deduced for such a request – it is exactly the same situation as having it provided.   As far as interoperability – since there is no way to communicate resource structure between PDP, interoperability concerns for resource-id are moot.   There is no guarantee that by providing “resource-id” a particular PDP implementation will determine its scope in exactly the same way.  The only interoperable way to provide scope is to exchange an XML document, as far as I understood from our discussion on hierarchical resources, but that (I hope) does not mean that we shall only use XACML language in the context of such systems.

The problem I am having is how to map XACML semantics into system that has no notion of a unique “resource-id” attribute.  Such a requirement greatly reduces generality of an XACML request and policy.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]