OASIS Mailing List Archives



Subject: Re: [xacml] New core and multiple resource profile and hierarchical

On Mar 4, 2009, at 10:52 AM, Rich.Levinson wrote:

  • The reason I am concerned about this issue is that from a security perspective, it makes little sense to me to force commonly understood hierarchies, such as organization charts, geographic breakdowns of organization operations, whether within a building or around the world, to suddenly have policies that are intended only to apply to the resources within these specified domains, suddenly apply to resources outside of these domains.

It will not happen. DAG describes what to apply precisely. Nothing will be "suddenly applied".

  • Similarly, resources within these domains will find themselves subject to policies applied to resources outside of these domains.
    • For example, if I am a manager in the United States, and there is a policy that says employees in the United States may treat the 4th of July as a holiday, then anyone outside the United States who has any superior inside the United States will be subject to this policy.

It has no bearing on XACML. Whatever is the intended chain of command can be presented to PDP as a list of ancestors without any problem.

    • Why? Because the resources are treated as a DAG. DAGs do not deal with resources individually, they only deal with subtrees.

That is an unfounded assumption.

This is an invalid assertion. I leave the profile unchanged, except for distinguishing the DAG and forest/polyarchy distinctions.
The DAG inherently is multiple "overlapping" hierarchies that can be combined into a "single multiroot hierarchy" (see ref prev email) http://en.wikipedia.org/wiki/Directed_acyclic_graph#Properties

No, it is not. You have created a definition of "hierarchy" that is not applicable and are trying to shoehorn it into the profile.

