OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Issue: Hierarchical profile appears ambiguous and inconsistent

On Jan 15, 2009, at 6:42 AM, Rich.Levinson wrote:

> Hi Daniel,
> This is an inherently self-contradictory definition. A hierarchy  
> has a single root. It is an "ordered set", where each entity in the  
> set has a defined relationship to every other entity. A "forest" is  
> not a hierarchy. It is multiple hierarchies. The "definition" above  
> is not meaningful because it equates the singular and plural.

That is indeed an ambiguous usage of the term "forest", which is a  
disconnected acyclic graph.

But I am not sure I understand your objection about the term "hierarhy".

Definition of a hierarhy is " a graded or ranked series".    So that  
implies that we introduce a partial order relation between resource  
nodes that implies inheritance of applicable policy statements. (if A  
=> B, then rule applicable to A applies to B).  This does not imply  
that we have to define this as a rooted tree.   For example, we have  
three resources A, B, C and A=>C and B=>C, so C inherits policy from  
A and B.

I think ambiguity may be corrected by removing reference to "forest"  
and changing "ordered set" to "partially ordered set" (as we do not  
require comparability for the inheritance relation).

> Finally, I do not understand your comment that says:
> Policy evaluation does not need to know anything about hierarchies  
> that are represented with an "ancestor" attribute.
> I am trying to understand what policies are supposed to do with the  
> definitions in the spec. i.e. it is the spec that says in section  
> 3.2 that all the parent and ancestor nodes need to be assembled in  
> the request context. What "policy evaluation" are you referring to?  
> Are you saying what I indicated in original email that a policy  
> does not need to know anything about hierarchies that the resource- 
> id node does not belong to?

What I was trying to say is that we do express hierarchical  
relationship as an attribute on each resource X with value being a  
unordered set of nodes {Ai} for which Ai=>X is true.    We suggest a  
way on how to write rule target so that it is applicable to a  
particular resource and its children.   That does not mean that all  
rules in a a policy need to be written that way and it does not  
require that evaluation strategy be aware about any "hierarhies".


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]