
Subject: Re: [xacml] Example of dag and forest used to manage collection of resources for comparison

On Feb 26, 2009, at 2:18 PM, Rich.Levinson wrote:

> Hi Daniel and TC,
> I am disappointed that this response does not directly address the  
> example. I consider it to be a very reasonable example. One such  
> use case would be a "farm" of sharable computers, and two  
> applications, each organized as a hierarchy of modules, that the  
> appl deployer configures on different machines, possibly because  
> those machines have resources needed by specific application modules.

I did address the example. I have said that managing a "farm of
sharable computers", or anything else of that nature, should not be a
part of XACML. There is a multitude of possible structures that we
could possibly address, but trying to standardize them is a folly.
It should be left to industry/vendor/domain specific profiles.

The only thing that matters for a simple, core hierarchical rules
management system is an ability to specify a rule that applies to
"descendants" of a resource and an ability to specify what resources
are "descendants".

> This is typical enterprise use case with many large distributed  
> applications over world-wide corporate resources. Each application  
> needs to be managed independently of other applications, yet at the  
> same time must share the common corporate resources on which it is  
> run.

That is one of a myriad of possible such resource ontologies.    All  
of them can be mapped into a simple attribute based scheme that is  
needed to apply hierarchical rules.

> Finally, I want to emphasize one more time: I have not advocated  
> removing any of the DAG functionality that already exists in the  
> spec. If you carefully read the proposed modified spec, I think you  
> will see it is functionally unchanged. The changes are only to  
> distinguish the DAG from the forest and to fill in the missing  
> information to show how the forest can be used, if one chooses to  
> do so.

I am glad that you do not advocate removing DAG.    I am voicing my  
opinion about adding anything else.   There is no need for that and  
it brings complexity.

> The main difference between DAG and forest is that DAG can be used   
> to "merge" hierarchies into a single uniform structure which has no  
> memory of the original hierarchies. The forest "aggregates"  
> hierarchies into a single uniform structure that does have memory  
> of the original hierarchies and the capability of maintaining that  
> info thru adds moves and changes.

From the point of view of the PDP there are no hierarchies to merge.
There is one hierarchy at a time that is pertinent to an
evaluation. Merging etc. is to be handled by an external system.
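
The position argued in this message, that an external system can flatten any resource structure into attributes so the PDP only needs a membership test to apply "descendant" rules, as an added example that is not part of the original e-mail or of the XACML specification. The resource names, the per-resource ancestor set, the rule tuples and the deny-overrides combining are assumptions made for illustration.

```python
from collections import deque

# Constructed sample: parent -> children edges. "db-module" sits under both an
# application and a machine, so the structure is a DAG rather than a tree.
EDGES = {
    "app-a": ["app-a/web", "db-module"],
    "machine-1": ["db-module", "machine-1/disk"],
    "db-module": ["db-module/table-x"],
}

def ancestor_attributes(edges):
    """External step: flatten the hierarchy into a per-resource ancestor set."""
    parents = {}
    for parent, children in edges.items():
        parents.setdefault(parent, set())
        for child in children:
            parents.setdefault(child, set()).add(parent)
    attrs = {}
    for node in parents:
        seen, queue = set(), deque(parents[node])
        while queue:
            cur = queue.popleft()
            if cur == node:
                # A resource that is its own ancestor would make every
                # "descendants of" rule ambiguous, so refuse the input.
                raise ValueError(f"cycle through {node}: not a DAG")
            if cur not in seen:
                seen.add(cur)
                queue.extend(parents[cur])
        attrs[node] = frozenset(seen)
    return attrs

# Hypothetical rules: (subject, action, root, effect), applying to descendants of root.
RULES = [
    ("alice", "read", "app-a", "Permit"),
    ("alice", "read", "machine-1", "Deny"),
    ("bob", "read", "machine-1", "Permit"),
]

def decide(subject, action, resource, attrs, rules=RULES):
    """PDP step: attribute membership only, combined with deny-overrides."""
    if resource not in attrs:
        return "NotApplicable"
    matched = {effect for s, a, root, effect in rules
               if s == subject and a == action and root in attrs[resource]}
    if "Deny" in matched:
        return "Deny"
    return "Permit" if matched else "NotApplicable"
```

A resource reachable from two roots inherits rules from both, so the combining algorithm decides the outcome when those rules conflict.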

