[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [xacml] Hierarchical match
In the last TC call, I suggested to use "*" and "**" notations for matching hierarchical resource. Examples: ex1: /p1/p2 ex2: /p1/p2/* ex3: /p1/p2/** /p1/p2 matches /p1/p2. /p1/p2/* matches all the immediate children of /p1/p2. /p1/p2/** matches all the descendants of /p1/p2. Therefore, /p1/p2/* matches /p1/p2/p3 and /p1/p2/p4 but fails to match /p1/p2 and /p1/p2/p3/p4. /p1/p2/** matches /p1/p2/p3 and /p1/p2/p3/p4 but fails to match /p1/p2. The exact semantics of the above notation is represented as the equivalent regular expression as follows: /p1/p2 ==> ^\/p1\/p2$ /p1/p2/* ==> ^\/p1\/p2\/[^\/]+$ /p1/p2/** ==> ^\/p1\/p2\/.+$ - Rational: Access control policy that works on hierarchy often requires exact match, immediate children match, and subtree match. The above notation corresponds to each pattern. If regular expression is used, such intention would become implicit. Best, Michiharu
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]