Subject: Another use case: Re: Proposal for XACML 2.0 Work Item #62:"concatenate" functions
On 12 April, Anne Anderson writes: Proposal for XACML 2.0 Work Item #62: "concatenate" functions

> Problem statement
> =================
>
> One use case supplied by Daniel and described as "very common"
> follows:
>
> Policies may apply to resources whose identities are
> subject-specific instances of a given resource class. For
> example, each subject may have a unique home directory, but each
> subject will have a subdirectory named "private" in that home
> directory. The policy writer wants to allow subjects to access
> only their own "private" sub-directories.

I forgot to mention that my J2SE XACML Policy Provider is another use case for "concatenate" functions.

The existing J2SE policy syntax supports a "property expansion" scheme that allows the value of instance-specific variables to be inserted into other values needed by the policy. I don't know all the uses for this, but the examples use it to prefix a literal file path with the instance-specific user's home directory.

In order to support this, I had proposed a rather clumsy syntax for referencing a Subject, Resource, Action, or Environment Attribute value to be included as part of some other literal AttributeValue. Concatenation functions are a much cleaner way to handle this.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692