xacml message
Subject: [xacml] Scope for hierarchical resource
- From: Michiharu Kudoh <KUDO@jp.ibm.com>
- To: "'XACML'" <xacml@lists.oasis-open.org>
- Date: Mon, 26 Jul 2004 20:55:28 +0900
Let me clarify my comments on hierarchical resource.

> Tim: But what if document treated one way in policy, but request
> submitted other way. resource identifier would identify as a
> single resource or as a structured document.

I am assuming that the semantics of the resource identifier may vary from application to application. I think it is up to the contract (agreement) between PEP and PDP, and difficult to enforce a syntactical restriction on the URI to distinguish a single resource from a structured resource as a standard. Please correct me if I am wrong.

For example, an access to a file is considered as an access to a single resource. An access to one element in an XML document is also considered as an access to a single resource. On the other hand, access to an entire directory and an access to a subtree (i.e. elements and attributes) in an XML document is not considered as a single resource access.

One way to tell the XACML policy engine about this distinction is to use the scope attribute in the request. If the request specifies descendant as a scope, there needs to be some way to address the target resource's hierarchical structure; otherwise the engine cannot know the descendants.

Best,
Michiharu
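
The scope handling discussed in the message above, as an added Python example that is not part of the original message or of any XACML implementation. The hierarchy map, paths, policy callable and function names are constructed assumptions; the two attribute identifiers and the scope values Immediate, Children and Descendants are the XACML ones.

```python
# Added illustration. HIERARCHY, the paths and the policy callable are constructed.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SCOPE = "urn:oasis:names:tc:xacml:1.0:resource:scope"

# Constructed parent -> children map; in practice it comes from the
# application (the PEP/PDP agreement), not from the syntax of the identifier.
HIERARCHY = {
    "/docs": ["/docs/a.xml", "/docs/sub"],
    "/docs/sub": ["/docs/sub/b.xml"],
}

class UnknownHierarchy(Exception):
    """Scope needs children or descendants but no structure is available."""

def expand_scope(request, hierarchy):
    """Turn one scoped request into the list of single resources it covers."""
    rid = request[RESOURCE_ID]
    scope = request.get(SCOPE, "Immediate")
    if scope == "Immediate":
        return [rid]                      # single-resource access
    if scope not in ("Children", "Descendants"):
        raise ValueError("unsupported scope: %r" % scope)
    if hierarchy is None:
        raise UnknownHierarchy(rid)       # engine cannot know the descendants
    if scope == "Children":
        return [rid] + list(hierarchy.get(rid, []))
    covered, stack = [], [rid]            # Descendants: depth-first walk
    while stack:
        node = stack.pop()
        covered.append(node)
        stack.extend(reversed(hierarchy.get(node, [])))
    return covered

def decide_all(request, hierarchy, policy):
    """Evaluate policy(resource_id) for every resource the request covers."""
    try:
        resources = expand_scope(request, hierarchy)
    except UnknownHierarchy as exc:
        # Fail closed: never answer Permit for a subtree that was not enumerated.
        return {str(exc): "Indeterminate"}
    return {r: policy(r) for r in resources}

if __name__ == "__main__":
    req = {RESOURCE_ID: "/docs", SCOPE: "Descendants"}
    permit_xml = lambda r: "Permit" if r.endswith(".xml") else "Deny"
    print(decide_all(req, HIERARCHY, permit_xml))
    print(decide_all(req, None, permit_xml))
```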