Subject: resource model in xacml policy. (item 42)
Resource model in xacml proposal.

If a policy writer assumes a resource model and
subsequently uses model-specific resource expressions that require a resource
instance for evaluation, the resource instance must be made available in the request
context. The resource model is not described in XACML, but must be defined elsewhere
in a descriptive language.

One aspect of the resource model is permission
implication. For example, "read" permission may require "search"
permission, and "write" permission may imply "read" permission. All these
details must be spelled out in the resource model description. The PDP must be
aware of the resource model and use it in solving an authorization query.

When a resource is hierarchical, permission
propagation up and down the resource hierarchy must be described. Syntactic
expressions over the resource hierarchy making rules applicable to a subtree (as
opposed to one node) are not a substitute for the property of rule propagation,
but a syntactic shortcut. Resource model semantics must specify permission
propagation.

To make the policy consistent with the resource model,
the resource model must be declared in the XACML policy (rule combiner alg ?)
and defined in a resource-specific profile of XACML.
Simon
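
An added illustration, not part of the original message: a minimal decision function that consults a declared resource model for permission implication, required permissions and propagation direction over a hierarchy. The model contents, the path layout and all function names are assumptions made for this example; XACML defines none of them.

```python
from pathlib import PurePosixPath

# Assumed resource model (constructed for illustration):
IMPLIES = {"write": {"read"}}      # holding the key also yields the values
REQUIRES = {"read": {"search"}}    # the key is effective only if the values are held too
PROPAGATES = {"search": "up", "read": "down", "write": "none"}

def expand(perm):
    """Transitive closure of IMPLIES starting from one granted permission."""
    seen, stack = set(), [perm]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(IMPLIES.get(p, ()))
    return seen

def covers(grant_node, perm, target):
    """Does perm held at grant_node reach target under the model's propagation?"""
    g, t = PurePosixPath(grant_node), PurePosixPath(target)
    if g == t:
        return True
    direction = PROPAGATES.get(perm, "none")
    if direction == "down":        # grant on an ancestor reaches the subtree
        return g in t.parents
    if direction == "up":          # grant on a descendant reaches its ancestors
        return t in g.parents
    return False

def holds(grants, perm, target):
    """perm is obtained at target directly or through implication."""
    return any(perm in expand(gp) and covers(gn, perm, target)
               for gn, gp in grants)

def permitted(grants, perm, target, _seen=frozenset()):
    """Decision: perm must hold at target, and so must everything it requires."""
    if perm in _seen:              # guard against a cyclic REQUIRES declaration
        return False
    if not holds(grants, perm, target):
        return False
    return all(permitted(grants, r, target, _seen | {perm})
               for r in REQUIRES.get(perm, ()))

# Constructed grants for one subject: (resource node, permission)
GRANTS = [("/docs", "write"), ("/docs/specs/xacml", "search")]
```

With these grants, "read" on `/docs/specs` is permitted only because the model says "write" implies "read", "read" propagates down, and "search" propagates up; a rule that merely matches a subtree pattern carries none of that information.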