
Subject: [xacml] Scope for hierarchical resource

Let me clarify my comments on hierarchical resource.

>Tim: But what if document treated one way in policy, but request
>   submitted other way.  resource identifier would identify as a
>   single resource or as a structured document.

I am assuming that the semantics of the resource identifier may vary from application to application. I think it is up to the contract (agreement) between the PEP and the PDP, and that it is difficult to enforce a syntactical restriction on the URI to distinguish a single resource from a structured resource as a standard. Please correct me if I am wrong.

For example, an access to a file is considered as an access to a single resource. An access to one element in an XML document is also considered as an access to a single resource. On the other hand, an access to an entire directory and an access to a subtree (i.e. elements and attributes) in an XML document are not considered as a single resource access.

One way to tell the XACML policy engine about this distinction is to use a scope attribute in the request. If the request specifies descendant as a scope, there needs to be some way to address the target resource's hierarchical structure; otherwise the engine cannot know the descendants.
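
Added example, not part of the original message and not OASIS code: a sketch of a decision point that treats the same identifier as one resource or as a subtree depending on a request scope, and returns Indeterminate when no hierarchy is available to enumerate descendants. The scope values `"single"` and `"descendants"`, the function names, the sample hierarchy, the permitted set and the "deny unless every covered resource is permitted" combination are all assumptions made for illustration.

```python
# Constructed sample data (assumption): resource -> direct children.
HIERARCHY = {
    "/docs": ["/docs/a.xml", "/docs/sub"],
    "/docs/a.xml": [],
    "/docs/sub": ["/docs/sub/b.xml"],
    "/docs/sub/b.xml": [],
}
# Constructed per-resource policy (assumption): anything not listed is denied.
PERMITTED = {"/docs", "/docs/a.xml", "/docs/sub"}


def expand(resource, scope, hierarchy):
    """List the individual resources a request covers.

    Returns None when descendants are requested but the engine has no
    hierarchy for the resource, i.e. it cannot know the descendants.
    """
    if scope == "single":
        return [resource]
    if scope != "descendants":
        raise ValueError(f"unsupported scope: {scope!r}")
    if not hierarchy or resource not in hierarchy:
        return None
    covered, stack, seen = [], [resource], set()
    while stack:
        node = stack.pop()
        if node in seen:  # guard against a cyclic hierarchy
            continue
        seen.add(node)
        covered.append(node)
        stack.extend(hierarchy.get(node, []))
    return covered


def decide(resource, scope, hierarchy=HIERARCHY, permitted=PERMITTED):
    """Return (overall decision, per-resource decisions)."""
    covered = expand(resource, scope, hierarchy)
    if covered is None:
        return "Indeterminate", {}
    per_resource = {r: "Permit" if r in permitted else "Deny" for r in covered}
    # Assumed combination: the subtree request succeeds only if every node does.
    overall = "Permit" if all(d == "Permit" for d in per_resource.values()) else "Deny"
    return overall, per_resource


if __name__ == "__main__":
    print(decide("/docs", "single"))
    print(decide("/docs", "descendants"))
    print(decide("/docs", "descendants", hierarchy=None))
```
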

