Subject: Re: [xacml] Example of dag and forest used to manage collection of resources for comparison
On Feb 26, 2009, at 2:18 PM, Rich.Levinson wrote:

> Hi Daniel and TC,
>
> I am disappointed that this response does not directly address the
> example. I consider it to be a very reasonable example. One such
> use case would be a "farm" of sharable computers, and two
> applications, each organized as a hierarchy of modules, that the
> appl deployer configures on different machines, possibly because
> those machines have resources needed by specific application modules.
>

I did address the example. I have said that managing a "farm of sharable computers", or anything else of that nature should not be a part of XACML. There is a multitude of possible structures that we could possibly address, but trying to standardize them is a folly. It should be left to industry/vendor/domain specific profiles. The only thing that matters for a simple, core hierarchical rules management system is an ability to specify a rule that applies to "descendants" of a resource and an ability to specify what resources are "descendants".

> This is a typical enterprise use case with many large distributed
> applications over world-wide corporate resources. Each application
> needs to be managed independently of other applications, yet at the
> same time must share the common corporate resources on which it is
> run.
>

That is one of a myriad of possible such resource ontologies. All of them can be mapped into a simple attribute based scheme that is needed to apply hierarchical rules.

> Finally, I want to emphasize one more time: I have not advocated
> removing any of the DAG functionality that already exists in the
> spec. If you carefully read the proposed modified spec, I think you
> will see it is functionally unchanged. The changes are only to
> distinguish the DAG from the forest and to fill in the missing
> information to show how the forest can be used, if one chooses to
> do so.
>

I am glad that you do not advocate removing DAG. I am voicing my opinion about adding anything else. There is no need for that and it brings complexity.

> The main difference between DAG and forest is that DAG can be used
> to "merge" hierarchies into a single uniform structure which has no
> memory of the original hierarchies. The forest "aggregates"
> hierarchies into a single uniform structure that does have memory
> of the original hierarchies and the capability of maintaining that
> info thru adds, moves and changes.
>

From the point of view of PDP there are no hierarchies to merge. There is one hierarchy at a time that is pertinent to an evaluation. Merging etc. is to be handled by an external system.

Daniel;
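
The attribute-based mapping discussed in this message, sketched as an added example (not code from the thread or from the XACML specification): an external system flattens the farm and the two application hierarchies into one ancestor set per resource, and the decision step only tests membership in that set. The resource names, the `ancestors` attribute and the rule format are all constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed sample: direct parents per resource. Modules have two parents
# (their application and the machine they are deployed on), so this is a DAG.
PARENTS: Dict[str, List[str]] = {
    "farm": [], "app1": [], "app2": [],
    "host-a": ["farm"], "host-b": ["farm"],
    "app1/mod-ui": ["app1", "host-b"],
    "app1/mod-db": ["app1", "host-a"],
    "app2/mod-batch": ["app2", "host-a"],
    "app2/mod-report": ["app2", "host-b"],
}

def ancestors(resource: str, parents: Dict[str, List[str]]) -> Set[str]:
    """Transitive ancestors of a resource. Unknown resources raise KeyError
    and cycles raise ValueError, so bad hierarchy data cannot yield a Permit."""
    seen: Set[str] = set()

    def walk(node: str, path: FrozenSet[str]) -> None:
        for parent in parents[node]:
            if parent in path:
                raise ValueError(f"cycle through {parent!r}")
            if parent not in seen:
                seen.add(parent)
                walk(parent, path | {parent})

    walk(resource, frozenset({resource}))
    return seen

# Hypothetical rules: each applies to every descendant of one resource.
RULES = [
    {"subject": "farm-admin", "descendants_of": "host-a", "effect": "Permit"},
    {"subject": "app1-owner", "descendants_of": "app1", "effect": "Permit"},
    {"subject": "app1-owner", "descendants_of": "farm", "effect": "Deny"},
]

def decide(rules, subject: str, resource: str, parents) -> str:
    """First-applicable evaluation over the flattened ancestor attribute.
    The decision never needs to know which hierarchy an ancestor came from."""
    attrs = {"resource-id": resource, "ancestors": ancestors(resource, parents)}
    for rule in rules:
        if rule["subject"] == subject and rule["descendants_of"] in attrs["ancestors"]:
            return rule["effect"]
    return "NotApplicable"

if __name__ == "__main__":
    for subj, res in [("farm-admin", "app1/mod-db"), ("app1-owner", "app2/mod-batch")]:
        print(subj, res, decide(RULES, subj, res, PARENTS))
```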