[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Working toward solution to Hierarchical profile Issue
While it is true that xacml does not "need" to know anything about the internal structure of the identifiers, xacml at the same time "defines" functions such as anyURI-regexp-match and a host of others designed to deal with the internals structure of identifiers and capitalize on the value inherent in those value-added constructs to a basic string. They are designed to be used against data defined outside of the XACML specification. Key difference here is that XACML does not specify anything about them. Nobody should be forced to invent and maintain a resource categorization scheme just to be able to use normative hierarchical policies.
No information other then that is needed for policy evaluation so it is omitted on purpose. Details of the resource ontology supported by the external system are irrelevant to the PDP. Hierarchical naming schemes are really irrelevant for this discussion, because their value is primarily for use with Forests. They have little or no value in the more general DAG, so I can understand why you consider them unnecessary and extraneous. However, for a Forest they can have significant value. Naming schemes should not be a subject of discussion as XACML does not need to know anything about any naming schemes. They are part of an external system. We may create a profile that make use of a naming scheme - and we have done that for "XML type" hierarchy, but I think it should not be a part of the core XACML. Proper course would be to split it, and leave one for XML documents/URI and one for "ancestors" approach. Basically, I do not believe the public, in general, or even the highly technical public can be assumed to understand the distinction between Forest and DAG, at least not without a brief explanation similar to what I tried to do above, so I recommend including such information, possibly in the Glossary of any option. I have not had any troubles explaining the existing approach to both technical and non technical people so far. This discussion is the first case. Here are some options in addition to an explanatory glossary, I consider reasonable: Making an incompatible identifier change is probably not a good idea. P.S. On the side note, when we designed a protection scheme for XML data structures for what is now known as Oracle Data Service Integrator, we found it next to useless trying to rely on XML data structure for the purpose of policy inheritance. We chose to bind schema elements directly to protected resources that followed their own separate and more generic hierarchy. That allows a reuse of policies independent of transformation and re-factoring of the XML. That is similar to the issue of maintaining any hierarchical naming schemes for enterprise resources - you do want to decouple them from access policy rules.Hopefully, some other people will be able to objectively review this information in its consolidated form and provide input. Personally, I can't think of much more to say about it. Also, I think it has been a useful exercise, and I appreciate the time and effort that Daniel has expended to help reach the current level of understanding of the situation. I know I have learned a lot. I think we really should have more then a single profile. Existing one is a mess due to us presenting two concepts in the same doc. Core one based on a bag of ancestors, and separate profiles for popular naming schemes, such as URI (or rather IRI, to make l18n folks happy). Daniel |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]