[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Issue: Hierarchical profile appears ambiguous and inconsistent
On Jan 14, 2009, at 10:54 PM, Rich.Levinson wrote: > * There needs to be a definition of "hierarchy". In particular, a > "hierarchy" defn should state that the fundamental properties are > that there must be a single root node with no parent, and that > every other node in the hierarchy must have one and only one > parent, and can have zero, one, or more children. I am not sure why do you think this is a requirement. It is a normal use case to inherit policy from more then one parent, and "ancestors" attribute approach allows such models without undue restrictions. > in order to submit a request one has to somehow identify all > the hierarchies the given node > belongs to, all the hierarchies the node's parent(s) and > ancestors to, and include an Attribute element for each. And why is that a problem? Yes, if one wants "inheritance", graph needs to be defined, and attributes is a natural way to define it. > I suspect that at most one would need to collect all the normative > representations of only the resource-id node (i.e. identify all the > hierarchies it belongs to), then for each hierarchy, one would > evaluate the policies that apply to that hierarchy. > Policy evaluation does not need to know anything about hierarchies that are represented with an "ancestor" attribute. Daniel;
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]