OASIS Mailing List Archives

 



xacml message



Subject: resource model in xacml policy. (item 42)


Resource model in XACML proposal.
 
If the policy writer assumes a resource model and subsequently uses model-specific resource expressions that require a resource instance for evaluation, the resource instance must be made available in the request context. The resource model is not described in XACML, but must be defined elsewhere in a descriptive language.
 
One aspect of a resource model is permission implication. For example, "read" permission may require "search" permission, and "write" permission may imply "read" permission. All these details must be spelled out in the resource model description. The PDP must be aware of the resource model and use it in solving the authorization query.
 
When a resource is hierarchical, permission propagation up and down the resource hierarchy must be described. Syntactic expressions over the resource hierarchy that make rules applicable to a subtree (as opposed to one node) are not a substitute for the property of rule propagation, but a syntactic shortcut. The resource model semantics must specify permission propagation.
 
To make a policy consistent with a resource model, the resource model must be declared in the XACML policy (rule combining algorithm?) and defined in a resource-specific profile of XACML.
 
Simon
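The following is an added illustration of the two resource-model properties the message above argues for (permission implication, and permission propagation through a resource hierarchy); it is not part of the original posting, not XACML syntax, and not code from the XACML TC or any XACML profile. The subjects, resource paths, permission names, rules and the deny-overrides combining behaviour are all assumptions made for the example, and "read requires search" and "write implies read" are both modelled as edges of one entailment relation: holding the first permission entails holding the second, and a Deny on the second defeats the first.

```python
"""Toy policy decision point (PDP) backed by an explicit resource model.

Constructed example of permission implication and permission propagation
in a resource hierarchy. Plain Python, not XACML syntax, and not code from
the XACML TC; the subjects, resource paths, permission names and rules
below are made up for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str
    resource: str     # a single node in a "/"-separated hierarchy
    permission: str
    effect: str       # "Permit" or "Deny"


class ResourceModel:
    """The part XACML leaves to a separate profile: which permissions
    entail which, and whether a permission on a node reaches its subtree."""

    def __init__(self, entails, propagate_down):
        # entails["write"] == {"read"} means holding write entails read;
        # "read requires search" is written the same way, entails["read"].
        self.entails = entails
        self.propagate_down = propagate_down

    def closure(self, permission):
        """Transitive closure of entailment, including the permission itself."""
        seen, stack = set(), [permission]
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self.entails.get(p, ()))
        return seen

    def governs(self, rule_node, requested):
        """Does a rule attached to rule_node apply to the requested node?
        Only the model decides this; rules carry no subtree syntax."""
        if rule_node == requested:
            return True
        if not self.propagate_down:
            return False
        return requested.startswith(rule_node.rstrip("/") + "/")


class PDP:
    def __init__(self, model, rules):
        self.model, self.rules = model, rules

    def decide(self, subject, resource, permission):
        """Deny-overrides decision. The requested permission is granted only
        if everything it entails is granted; a Deny on any entailed
        permission defeats it (a Deny on "search" blocks "read")."""
        needed = self.model.closure(permission)
        granted = set()
        for r in self.rules:
            if r.subject != subject or not self.model.governs(r.resource, resource):
                continue
            if r.effect == "Deny" and r.permission in needed:
                return "Deny"
            if r.effect == "Permit":
                # a Permit for "write" also grants what write entails
                granted |= self.model.closure(r.permission) & needed
        return "Permit" if needed <= granted else "NotApplicable"


# Constructed sample policy (not from any real deployment).
ENTAILS = {"write": {"read"}, "read": {"search"}}
RULES = [
    Rule("alice", "/docs", "write", "Permit"),
    Rule("alice", "/docs/hr", "search", "Deny"),
    Rule("bob", "/docs/hr/report", "read", "Permit"),
]


def decisions(propagate_down):
    """Evaluate the same rules under a model with or without downward
    propagation, to show that the model, not rule syntax, fixes the answer."""
    pdp = PDP(ResourceModel(ENTAILS, propagate_down), RULES)
    queries = [
        ("alice", "/docs/plans", "read"),        # via write -> read on /docs
        ("alice", "/docs/hr/report", "write"),   # Deny on search blocks write
        ("bob", "/docs/hr", "read"),             # no upward propagation
        ("bob", "/docs/hr/report", "search"),    # read entails search
    ]
    return {q: pdp.decide(*q) for q in queries}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"propagate_down={flag}")
        for q, d in decisions(flag).items():
            print(" ", q, "->", d)
```

Running `decisions(True)` and `decisions(False)` against the same three rules gives different answers for the first two queries, which is the point about subtree expressions being only a shortcut: the rules never say "this subtree", the model's propagation semantics decide whether the Permit on `/docs` reaches `/docs/plans`. The second query also shows the "requires" direction of implication: a Deny on `search` at `/docs/hr` defeats a `write` request on `/docs/hr/report` even though `write` is permitted higher up.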

