Re: [xacml] Comments on xacml-profile-hierarchical-resources draft

[Anne Anderson <Anne.Anderson@Sun.COM>]

On 14 July, Bill Parducci writes: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
 > Anne Anderson wrote:
 > 
 >  > 2. An XML document treated as a single resource, but where
 >  >    constraints MAY depend on the values of specific nodes in the
 >  >    resource,

A subject wants to view a given hospital patient record, which is
an XML document file.  The policy is that subjects can view
patient records only if they are in role "hospital administrator"
or if their "subject-id" matches the <attending physician> or
<patient name> values in the patient record.

The system does not want to have to ask about each node in the
record, because its policy is either to give access to the entire
document or not at all.

I think this is a realistic use case.

 >  > 3. A node subtree of an XML document treated as a single resource,
 >  >    again where constraints may depend on the values of specific
 >  >    nodes in the resource,
 > 
 > if someone has a use case for either of these i would be interested in 
 > seeing it.

I do not know of a real use case here.  It would most likely
occur if some system kept a large virtual XML document such as
<HospitalRecords> containing a sequence of individual
<PatientRecord> sub-documents (as in case 2 above).

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692