
Subject: [xacml] Comments on xacml-profile-hierarchical-resources draft

The following are my comments on the draft hierarchical resource profile document.

1) Separation of scheme from actual target resource

The hierarchical resource profile basically consists of two parts: policy
for XML nodes and policy for non-XML nodes. I think more explanation is
needed to clarify the problem domain of hierarchical resources.

XACML v2 aims to provide two ways of writing a policy for hierarchical
resources, but that does not necessarily mean that the target resource should
be an XML document or a non-XML document. I think that a policy writer can write
a policy for a non-XML hierarchical resource (e.g. directory access) using the
access-to-XML-node scheme (case A). It is also true that s/he can write a
policy for an XML resource (like a medical record formatted in XML) using the
access-to-non-XML-node scheme (case B).

In case A, the target directory hierarchy is converted into XML data which
is inserted into <ResourceContent>, and the access request is converted
into an XPath expression. In case B, access to an XML document is represented as
a simple path like /record/patient, and the policy would be written using a
regular expression (or a URI-match function) that the requested resource-id
is matched against.

So what I want to say here is that the two schemes the XACML hierarchical
profile provides can be used regardless of the type of the ACTUAL target
resource. The following figure represents my intention.

Actual target         Actual target
resource is XML    resource is not XML
(eg XML med rec)        (eg directory)
                |  \             / |
                |      \    /      |
                |       /   \      |
                |  /            \  |
XACML XML             XACML non-XML
based scheme           based scheme

The XACML 1.0 scheme corresponds to the vertical line on the left. XACML 2.0
now provides four ways, as the above figure depicts. How to map the actual
target into the request context and how to write a policy is outside the
scope of XACML. I think this means that XACML provides a flexible way to
use it, but two kinds of semantics are defined.

2) Procedure to identify the scheme

Since XACML supports two schemes (XML and non-XML), we need to give a
comprehensive procedure for how to validate the request context. The following
is such a procedure. Please correct me if I am wrong.

1. If a request context includes a resource-id whose data type is
xpath-expression, then the context must include at least one
<ResourceContent> per <Resource>, which may or may not have the scope
attribute. This means that the request is an XML-based hierarchical resource
access. In this case, the policy is written using the xpath-node-match function.

2. If a request context includes a resource-id whose data type is NOT
xpath-expression, then the request is a non-XML-based hierarchical resource
access. It must not include <ResourceContent>. It may or may not have the
scope attribute. In this case, the policy is written using the regexp-string-match
function (or the corresponding URI-match function), or string-equal on
resource-parent, etc.


Quoted message, sent 2004/06/04 02:06
To: xacml@lists.oasis-open.org
Subject: [xacml] Groups - xacml-profile-hierarchical-resources-1.0-draft-04.pdf

The document xacml-profile-hierarchical-resources-1.0-draft-04.pdf has been
submitted by Anne Anderson (Anne.Anderson@Sun.com) to the OASIS eXtensible
Access Control Markup Language TC document repository.

Document Description:
A profile for the handling of hierarchical resources using XACML.

Download Document:

View Document Details:
