[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Passing parameters to the attribute designator
Erik Rissanen wrote: > This issue falls under the broader issue of attribute provisioning, > which I think is very important and currently somewhat underspecified in > the XACML world. But this is much because by design XACML chose to > abstract away this kind of details. This kind of abstraction makes XACML > more generally applicable and adaptable to different environments and > growth over time. > [...] > So I am opposed to the proposed change in the XACML schema. For what it's worth I agree with Erik here. This issue has actually come up a couple of times before. As I recall, the last time was when Anne and I were looking at some related issues, and she decided to take a stab at starting to define some basic provisioning configuration. As it (quickly) grew very complex, I was of the opinion that this is something best configured separately, rather than trying to wedge it into the already somewhat verbose policies. I think the main issue in my mind boils down to how people are likely to use his feature. I have not yet come across any real-world scenarios where people want to define different configuration within the same policy for various Designators. This is the only strong argument I can think of for including configuration in the policy itself. As long as configuration is defined per-policy or, more likely, per-PDP, then doing the configuration separately seems like a much cleaner approach. seth
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]