OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xacml] WI#9 Proposal: policies referring to hierarchical resources



>No, it doesn't.  The structure of the resource hierarchy is
>supplied as part of the Request in the 'resource-content'
>Attribute.  The Policy merely knows key nodes that represent
>roots of important subtrees that need to be protected.  If the
>Policy doesn't know at least that much, then I don't think you
>can write a Policy to protect the hierarchy.

Supplying the structure as part of every request is hardly efficient.

It also assumes the "tree" structure.   This does not work well in an
environment where multiple applications share the same resource.


>  I think the hierarchical schema is an easier way to describe
>  the 'parent' resources and values associated with them than a
>  'bag'.  You would still have to work out a syntax for the
>  resources in the bag and for how to associate values with those
>  resources.

Except that this schema is owned by policy writer now, not by the
protected application.   I do not think that the access policy should
assume or own how the resources are organized, nor assume any particular
topology: especially when there is no need to do that.

Other issue is: why would we assume the same structure for all actions?

Daniel;




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]