Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
On 15 July, Bill Parducci writes: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft

> Anne Anderson wrote:
> > What if the policy also contains a Deny rule denying everyone
> > except the patient access to the <Diagnosis> node alone? In that
> > case, if the request comes in asking for the entire document, the
> > Deny rule that applies to requests for that individual node would
> > not apply, and access to the entire document (including the
> > <Diagnosis> node) would be granted to the physician or an
> > administrator.
>
> that comes back to my previous point: i think it is unlikely that there
> will be field level granularity of access policy without equivalent
> enforcement. it seems illogical to me that you would have a policy
> writer exclude field level information when enforcement is document
> level. the net effect is the same when applied, it is simply a
> multiplication of rule maintenance.
>
> example:
>
> consider a document, X, with three components: A, B & C
>
> IF the access control mechanism is at the *document* level, then:
>
> deny bill to see X:B
>
> is equivalent to
>
> deny bill X
>
> am i missing something?
>
> the only place that i can see that this will be of value is if there are
> resources that are protected *both* by policies that allow field level
> access as well as whole document access (*enforcement* is different). is
> this the case we are trying to solve?

Yes.

> if so, i personally see that as unlikely. my vote is for D: a hierarchy
> is a special collection of resources that we operate on individually; i
> suggest that we do not operate on the container itself.

That is what the Profile currently specifies. It is always possible for a given environment to agree between Policy Authorities and PEPs that certain resources will be treated differently.

Anne

--
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311               Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
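The two enforcement models argued over in this exchange, as an added worked example that is not part of the thread or of the XACML hierarchical-resources profile. It models Bill's document X with components A, B and C (X/B standing in for Anne's <Diagnosis> node), a document-level Permit for clinical staff and the patient, and a node-level Deny on X/B for everyone but the patient. Under document-level enforcement only rules matching the container are consulted, so a physician's request for X is permitted and the Deny on X/B never fires; under the profile's "operate on the individual resources" approach (Bill's option D) each node gets its own decision and X/B is withheld. The hierarchy, subjects, rule set, prefix-based resource matching and deny-overrides combining are all constructed assumptions for illustration.

```python
"""Toy model of the case discussed in the thread: a document X with child
nodes X/A, X/B, X/C (X/B standing in for the <Diagnosis> node), protected by
a document-level Permit and a node-level Deny. Constructed example; the
resource ids, subjects, rules and matching semantics are assumptions, not
taken from the XACML profile text."""

from typing import Callable, Dict, List, NamedTuple

# Constructed hierarchy: container X and its three child nodes.
HIERARCHY: Dict[str, List[str]] = {"X": ["X/A", "X/B", "X/C"], "X/A": [], "X/B": [], "X/C": []}


class Rule(NamedTuple):
    effect: str                         # "Permit" or "Deny"
    resource: str                       # resource id the rule's target names
    applies_to: Callable[[str], bool]   # subject predicate (stands in for the subject match)
    label: str


# Constructed policy mirroring the thread: clinical staff and the patient may
# read the record, but the <Diagnosis> node alone is denied to all but the patient.
POLICY: List[Rule] = [
    Rule("Permit", "X", lambda s: s in {"physician", "administrator", "patient"},
         "record readable by clinical staff and the patient"),
    Rule("Deny", "X/B", lambda s: s != "patient",
         "<Diagnosis> node readable by the patient only"),
]


def descendants(resource: str) -> List[str]:
    """All nodes below `resource`, depth first, excluding the container itself."""
    out: List[str] = []
    for child in HIERARCHY.get(resource, []):
        out.append(child)
        out.extend(descendants(child))
    return out


def rule_matches(rule: Rule, node: str) -> bool:
    """Assumed matching: a rule targets a node if it names that node or one of
    its ancestors. A rule written against X/B therefore never matches X."""
    return node == rule.resource or node.startswith(rule.resource + "/")


def decide(subject: str, node: str) -> str:
    """Deny-overrides combination of the rules that match this one node."""
    effects = {r.effect for r in POLICY if rule_matches(r, node) and r.applies_to(subject)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def container_enforcement(subject: str, container: str) -> Dict[str, str]:
    """Document-level enforcement: the request names the container only, so
    only rules whose target matches the container are consulted."""
    return {container: decide(subject, container)}


def individual_enforcement(subject: str, container: str) -> Dict[str, str]:
    """Option D from the thread: the container itself is not operated on; each
    descendant is a separate resource with its own decision."""
    return {node: decide(subject, node) for node in descendants(container)}


def released_nodes(subject: str, container: str, mode: str) -> List[str]:
    """Which nodes' content actually reaches the subject under each model."""
    if mode == "container":
        # A Permit on the container releases everything inside it, X/B included.
        return descendants(container) if decide(subject, container) == "Permit" else []
    return [n for n, d in individual_enforcement(subject, container).items() if d == "Permit"]


if __name__ == "__main__":
    for subject in ("physician", "patient", "nurse"):
        print(subject,
              "container:", released_nodes(subject, "X", "container"),
              "individual:", released_nodes(subject, "X", "individual"))
```

The leak Anne describes is visible in `released_nodes("physician", "X", "container")`, which includes X/B even though a Deny rule names that node; the same physician under `individual` mode receives only X/A and X/C. A `nurse`, who matches no Permit, gets nothing under either model, so the two approaches differ only when a container-level Permit and a node-level Deny both apply to the same subject.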