Subject: [xacml] Comments on xacml-profile-hierarchical-resources draft
The following are my comments on the draft document of the hierarchical resource profile.

1) Separation of scheme from actual target resource

The hierarchical resource profile basically consists of two parts, policy for XML nodes and policy for non-XML nodes. I think more explanation would be needed to clarify the problem domain of hierarchical resources. XACML v2 is aiming to provide two ways of writing a policy for a hierarchical resource, but it does not necessarily mean that the target resource should be an XML document or a non-XML document. I think that a policy writer can write a policy for a non-XML hierarchical resource (e.g. directory access) using the access-to-XML-node scheme (case A). It is also true that s/he can write a policy for an XML resource (like a medical record formatted in XML) using the access-to-non-XML-node scheme (case B). In case A, the target directory hierarchy is converted into XML data which is inserted into <ResourceContent>, and the access request is converted into an XPath expression. In case B, access to the XML document is represented as a simple path like /record/patient, and the policy would be described using a regular expression (or URI-match function) to test whether the requested resource-id matches the policy.

So what I want to say here is that the two schemes the XACML hierarchical profile provides can be used regardless of the type of the ACTUAL target resource. The following figure represents my intention.

    Actual target                Actual target
    resource is XML              resource is not XML
    (eg XML med rec)             (eg directory)
          |    \            /    |
          |     \          /     |
          |      \        /      |
          |       \      /       |
          |        \    /        |
          |         \  /         |
          |          \/          |
          |          /\          |
          |         /  \         |
          |        /    \        |
          |       /      \       |
          |      /        \      |
          |     /          \     |
          |    /            \    |
    XACML XML                    XACML non-XML
    based scheme                 based scheme

The XACML 1.0 scheme corresponds to the vertical line on the left. XACML 2.0 now provides four ways, as the above figure depicts. How to map the actual target into the request context and how to write a policy is outside the scope of XACML. I think this means that XACML provides a flexible way to use XACML, but two kinds of semantics are defined.
2) Procedure to identify the scheme

Since XACML supports two schemes (XML and non-XML), we need to give a comprehensive procedure for how to validate the request context. The following is such a procedure. Please correct me if I am wrong.

1. If a request context includes a resource-id whose data type is xpath-expression, then the context must include at least one <ResourceContent> per <Resource>, which may or may not have the scope attribute. It means that this request is an XML-based hierarchical resource access. In this case, the policy is written using the xpath-node-match function.

2. If a request context includes a resource-id whose data type is NOT xpath-expression, then the request is a non-XML-based hierarchical resource access. It must not include <ResourceContent>. It may or may not have the scope attribute. In this case, the policy is written using the regexp-string-match function (or the corresponding URI-match function) or string-equal on resource-parent, etc.

Best
Michiharu


Anne.Anderson@Sun.com
2004/06/04 02:06

To: firstname.lastname@example.org
cc:
Subject: [xacml] Groups - xacml-profile-hierarchical-resources-1.0-draft-04.pdf uploaded

The document xacml-profile-hierarchical-resources-1.0-draft-04.pdf has been submitted by Anne Anderson (Anne.Anderson@Sun.com) to the OASIS eXtensible Access Control Markup Language TC document repository.

Document Description:
A profile for the handling of hierarchical resources using XACML.

Download Document:
http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/7050/xacml-profile-hierarchical-resources-1.0-draft-04.pdf

View Document Details:
http://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=7050

PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.
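The two-step procedure proposed in section 2 of the mail can be applied mechanically by a PDP before policy evaluation, which is also where a malformed or ambiguous context (for example an xpath-expression resource-id with no <ResourceContent>, or a plain path that nevertheless carries <ResourceContent>) should be rejected rather than guessed at. The Python below is an added example written for this archive page, not code from the XACML TC, the draft profile or the poster; it assumes the identifier URIs of the final XACML 2.0 core and profiles (context namespace, resource-id, the xpath-expression data type, the scope attribute and its "Immediate" value), which the 2004 draft may have named differently, and the request contexts it parses are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Identifier URIs are assumed from the final XACML 2.0 core specification and
# its resource profiles; the 2004 draft under discussion may differ.
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
XPATH_TYPE = "urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression"
STRING_TYPE = "http://www.w3.org/2001/XMLSchema#string"
SCOPE_ATTR = "urn:oasis:names:tc:xacml:2.0:resource:scope"


def _q(tag):
    """Qualify a tag name with the XACML 2.0 context namespace."""
    return "{%s}%s" % (CTX_NS, tag)


def _attributes(resource, attribute_id):
    return [a for a in resource.findall(_q("Attribute"))
            if a.get("AttributeId") == attribute_id]


def classify_resources(request_xml):
    """Apply the mail's two rules to every <Resource> in a request context.

    Rule 1 (XML-based scheme): resource-id has DataType xpath-expression and
    the <Resource> carries at least one <ResourceContent>; the policy side
    uses xpath-node-match.
    Rule 2 (non-XML-based scheme): any other DataType and no
    <ResourceContent>; the policy side uses regexp-string-match, a URI-match
    function, or string-equal on resource-parent.
    Anything else is reported as 'invalid' so the PDP can refuse it.
    """
    root = ET.fromstring(request_xml)
    results = []
    for resource in root.findall(_q("Resource")):
        ids = _attributes(resource, RESOURCE_ID)
        content = resource.findall(_q("ResourceContent"))
        scopes = _attributes(resource, SCOPE_ATTR)
        scope = scopes[0].findtext(_q("AttributeValue")) if scopes else None
        # Exactly one resource-id per <Resource> is an XACML 2.0 core
        # requirement (assumption taken from the core spec, not the mail).
        if len(ids) != 1:
            results.append({"scheme": "invalid",
                            "reason": "expected one resource-id, found %d" % len(ids)})
            continue
        value = ids[0].findtext(_q("AttributeValue"))
        if ids[0].get("DataType") == XPATH_TYPE:
            if not content:
                results.append({"scheme": "invalid",
                                "reason": "xpath-expression resource-id without <ResourceContent>"})
            else:
                results.append({"scheme": "xml", "resource_id": value,
                                "scope": scope, "match": "xpath-node-match"})
        elif content:
            results.append({"scheme": "invalid",
                            "reason": "non-xpath resource-id must not carry <ResourceContent>"})
        else:
            results.append({"scheme": "non-xml", "resource_id": value,
                            "scope": scope, "match": "regexp-string-match"})
    return results


def non_xml_match(pattern, resource_id):
    """Policy-side check for the non-XML scheme.

    Mirrors regexp-string-match, which is defined through xf:matches and so
    finds the pattern anywhere in the string; policies should therefore anchor
    their patterns (^...$) so that /home/alice does not also cover /home/alice2.
    """
    return re.search(pattern, resource_id) is not None


def _request(resource_body):
    return ('<Request xmlns="%s"><Subject/><Resource>%s</Resource>'
            '<Action/></Request>' % (CTX_NS, resource_body))


# Constructed sample request contexts (not taken from the draft profile).
XML_REQUEST = _request(
    '<ResourceContent><record><patient>Alice</patient></record></ResourceContent>'
    '<Attribute AttributeId="%s" DataType="%s"><AttributeValue>/record/patient'
    '</AttributeValue></Attribute>' % (RESOURCE_ID, XPATH_TYPE))

NON_XML_REQUEST = _request(
    '<Attribute AttributeId="%s" DataType="%s"><AttributeValue>/home/alice/report.txt'
    '</AttributeValue></Attribute>'
    '<Attribute AttributeId="%s" DataType="%s"><AttributeValue>Immediate'
    '</AttributeValue></Attribute>'
    % (RESOURCE_ID, STRING_TYPE, SCOPE_ATTR, STRING_TYPE))

# Mixed form: a plain string resource-id, yet <ResourceContent> is present.
INVALID_REQUEST = _request(
    '<ResourceContent><record/></ResourceContent>'
    '<Attribute AttributeId="%s" DataType="%s"><AttributeValue>/record'
    '</AttributeValue></Attribute>' % (RESOURCE_ID, STRING_TYPE))


if __name__ == "__main__":
    for name, req in [("XML", XML_REQUEST), ("non-XML", NON_XML_REQUEST),
                      ("invalid", INVALID_REQUEST)]:
        print(name, classify_resources(req))
    print(non_xml_match(r"^/home/alice(/.*)?$", "/home/alice/report.txt"))
```

Running the module prints one classification per sample; the third sample is rejected because it mixes the two schemes, which is exactly the case the procedure in the mail leaves no room for.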