[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
Anne Anderson wrote:
> What if the policy also contains a Deny rule denying everyone
> except the patient access to the <Diagnosis> node alone? In that
> case, if the request comes in asking for the entire document, the
> Deny rule that applies to requests for that individual node would
> not apply, and access to the entire document (including the
> <Diagnosis> node) would be granted to the physician or an
> administrator.

That comes back to my previous point: I think it is unlikely that there will be field-level granularity of access policy without equivalent enforcement. It seems illogical to me that you would have a policy writer exclude field-level information when enforcement is document-level. The net effect is the same when applied; it is simply a multiplication of rule maintenance.

Example: consider a document, X, with three components: A, B & C.

IF the access control mechanism is at the *document* level, then:

    deny bill to see X:B

is equivalent to

    deny bill X

Am I missing something?

The only place that I can see that this will be of value is if there are resources that are protected *both* by policies that allow field-level access as well as whole-document access (*enforcement* is different). Is this the case we are trying to solve? If so, I personally see that as unlikely.

My vote is for D: a hierarchy is a special collection of resources that we operate on individually; I suggest that we do not operate on the container itself.

b
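The two evaluation behaviours the message above contrasts, as an added example that is not part of the thread and is not taken from the XACML specification: a toy deny-overrides evaluator over the constructed hierarchy X with children X:A, X:B, X:C. `decide_container` matches a request for X only against rules that cover X (the case Anne's quoted comment warns about, where a node-level Deny never fires), while `decide_per_node` is a reading of option D, deciding each child node individually and letting the enforcement point combine the answers. The rule tuple format, the `:` path separator, and the subjects `bill` and `physician` are assumptions made for the illustration.

```python
"""Toy model of container-level vs. per-node evaluation of a hierarchical resource.

Added example, not code from the thread or the XACML spec. The rule format,
the ':' path separator and the names bill / physician / X:A / X:B / X:C are
invented for illustration.
"""

# Constructed hierarchy: document X has three child nodes.
HIERARCHY = {"X": ["X:A", "X:B", "X:C"]}

# Constructed policies. Each rule is (effect, subject or None for anyone, resource).
# A rule written for a resource also covers that resource's descendants.
NODE_LEVEL_POLICY = [
    ("permit", None, "X"),      # everyone may read the document ...
    ("deny", "bill", "X:B"),    # ... but bill may not read node B
]
DOC_LEVEL_POLICY = [
    ("permit", None, "X"),
    ("deny", "bill", "X"),      # the document-level rule the message calls equivalent
]


def _covers(rule_resource: str, resource: str) -> bool:
    """A rule on 'X' covers 'X' itself and every descendant such as 'X:B'."""
    return resource == rule_resource or resource.startswith(rule_resource + ":")


def decide(policy, subject: str, resource: str) -> str:
    """Deny-overrides evaluation of the rules covering one resource id."""
    decision = "not_applicable"
    for effect, rule_subject, rule_resource in policy:
        if _covers(rule_resource, resource) and rule_subject in (None, subject):
            if effect == "deny":
                return "deny"
            decision = "permit"
    return decision


def decide_container(policy, subject: str, document: str) -> str:
    """Match the request against the container id only.

    A request for X is compared only with rules covering X, so a deny written
    for the child X:B never fires: bill gets the whole document.
    """
    return decide(policy, subject, document)


def decide_per_node(policy, subject: str, document: str) -> dict:
    """Treat the hierarchy as a collection and decide each child individually,
    without operating on the container itself. Returns the per-node decisions
    and the deny-overrides result a document-level enforcement point would
    apply to the request as a whole.
    """
    per_node = {node: decide(policy, subject, node)
                for node in HIERARCHY.get(document, [])}
    if "deny" in per_node.values():
        whole = "deny"
    elif "permit" in per_node.values():
        whole = "permit"
    else:
        whole = "not_applicable"
    return {"nodes": per_node, "document": whole}


if __name__ == "__main__":
    for subject in ("bill", "physician"):
        print(subject, "container:", decide_container(NODE_LEVEL_POLICY, subject, "X"))
        print(subject, "per-node: ", decide_per_node(NODE_LEVEL_POLICY, subject, "X"))
    # With document-level enforcement, the node-level deny on X:B and the
    # document-level deny on X give bill the same answer for X.
    print("doc-level policy, bill:", decide_container(DOC_LEVEL_POLICY, "bill", "X"))
```

Running it shows the gap Anne describes (`bill` is permitted X under container-level matching even though X:B is denied to him) and the equivalence the message asserts: under document-level enforcement, per-node evaluation of the node-level policy and container evaluation of the document-level policy both deny `bill` the document, while `physician` is permitted either way.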