Re: [xacml] Comments on xacml-profile-hierarchical-resources draft

[Bill Parducci <bparducci@gluecode.com>]

Anne Anderson wrote:
> What if the policy also contains a Deny rule denying everyone
> except the patient access to the <Diagnosis> node alone?  In that
> case, if the request comes in asking for the entire document, the
> Deny rule that applies to requests for that individual node would
> not apply, and access to the entire document (including the
> <Diagnosis> node) would be granted to the physician or an
> administrator.

that comes back to my previous point: i think it is unlikely that there 
will be field level granularity of access policy without equivalent 
enforcement. it seems illogical to me that you would have a policy 
writer exclude field level information when enforcement is document 
level. the net effect is the same when applied, it is simply a 
multiplication of rule maintenance.

example:

consider a document, X, with three components: A, B & C

IF the access control mechanism is at the *document* level, then:

deny bill to see X:B

is equivalent to

deny bill X

am i missing something?

the only place that i can see that this will be of value is if there are 
resources that are protected *both* by policies that allow field level 
access as well as whole document access (*enforcement* is different). is 
this the case we are trying to solve?

if so, i personally see that as unlikely. my vote is for D: a hierarchy 
is a special collection of resources that we operate on individually; i 
suggest that we do not operate on the container itself.

b