

Subject: Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded


Hi Erik,

Ok, I agree your update was to WD 7, I misread something and was mistaken.

I am fine if you want to do the changes to WD 8 and make a WD 9. The 
only change is the addition of section 3.3.1 (also, please change the 
line in p-code that says: collectAncestorNodes() to 
collectAncestorNodes(int iRes) - I forgot the parameter). If you prefer, 
I can do the update myself based on your WD 8.

I pointed out in the notes following the p-code that the multi-parent 
(DAG) case can be handled with an enhancement.

I am considering doing an update with that enhancement, for full 
generality, however, what is currently there, in principle, 
theoretically could work with a DAG expanded to single parent 
hierarchies, but I do not want to incorporate that capability in that 
manner as it is overly verbose and could lead to unnecessary confusion.

The alternative is a slightly more sophisticated recursive algorithm to 
handle the DAG as a minimum width set of columns, where the min is equal 
to number of parents in the node(s) of the DAG that has the maximum 
number of parents compared to any other nodes in the DAG.

The fact that it is modeled as an array, imo, does not make it less 
general since any concrete hierarchy or DAG can be mapped to this array 
model. I chose this approach, because I consider it easy to understand: 
each row represents a resource, and the row contains entries for the 
hierarchies in which the resource can be a member. If the value in an 
element of the row is zero, the resource is not a member of that 
hierarchy. Basically, the row can be considered to contain the list of 
memberships in the organization's hierarchies that this particular 
resource participates in, where a membership is indicated by a non-zero 
value identifying the row number of the resource's parent in that 
hierarchy. For DAGs, row zero will contain DAG-ids, and all columns with 
the same DAG-id are in the same DAG. If DAG-id is zero, then the 
column is a single parent hierarchy.

    Thanks,
    Rich
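
The array model described in the message above, worked through as an added Python example; it is not the p-code from section 3.3.1 of the draft, which is not reproduced on this page. Assumptions: a root stores its own row number, ancestors are followed only within the same hierarchy or DAG, and the names TABLE, column_groups and parents_in are illustrative (collect_ancestor_nodes borrows its name from collectAncestorNodes(int iRes)).

```python
# Added illustration of the array model from this message; not the draft's p-code.
# table[r][c]: row r >= 1 is a resource, column c a hierarchy (or one parent
# slot of a DAG). 0 = not a member; non-zero = row number of the parent.
# Row 0 holds DAG-ids: 0 = single-parent column, equal non-zero ids = one DAG.
# Assumption (not stated on the page): a root stores its own row number.

# Constructed sample: column 0 is a single-parent hierarchy (1 <- 2 <- 4);
# columns 1-2 form DAG 7 (root 3, node 5 under 3, node 4 under both 3 and 5).
TABLE = [
    [0, 7, 7],  # row 0: DAG-ids
    [1, 0, 0],  # resource 1: root of hierarchy 0
    [1, 0, 0],  # resource 2: child of 1
    [0, 3, 0],  # resource 3: root of DAG 7
    [2, 3, 5],  # resource 4: child of 2; parents 3 and 5 in DAG 7
    [0, 3, 0],  # resource 5: child of 3 in DAG 7
]

def column_groups(table):
    """One column group per single-parent hierarchy and one per DAG-id."""
    singles, dags = [], {}
    for col, dag_id in enumerate(table[0]):
        if dag_id == 0:
            singles.append([col])
        else:
            dags.setdefault(dag_id, []).append(col)
    return singles + list(dags.values())

def parents_in(table, i_res, cols):
    """Direct parents of row i_res within one column group (root marker dropped)."""
    return {table[i_res][c] for c in cols} - {0, i_res}

def collect_ancestor_nodes(table, i_res):
    """Return (parents, ancestors) of resource row i_res over all hierarchies."""
    if not 1 <= i_res < len(table):
        raise IndexError(f"no resource row {i_res}")
    parents, ancestors = set(), set()
    for cols in column_groups(table):
        direct = parents_in(table, i_res, cols)
        seen, stack = set(), list(direct)
        while stack:  # climb only through columns of the same hierarchy/DAG
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(parents_in(table, node, cols))
        if i_res in seen:  # malformed table: the resource is its own ancestor
            raise ValueError(f"cycle through resource {i_res}")
        parents |= direct
        ancestors |= seen
    return parents, ancestors
```

The cycle check matters for an attribute source feeding a PDP: a resource that appears among its own ancestors would otherwise match policies written for its descendants.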


Erik Rissanen wrote:
> Hi Rich,
>
> I can do the wd 9 by merging in the things from your document into my 
> wd 8 which contains many changes based on the OASIS checklist. And my 
> wd 8 is based on the WD 7 posted by Hal and does have the changes made 
> by him.
>
> What I mean is that the pseudo code works only if one has one's 
> hierarchy stored as an array in that particular format. Another 
> problem with the pseudo code is that it assumes that each node only 
> has one parent, which is a limitation compared to what the profile can 
> apply to.
>
> And, in the end, I don't think pseudo code contributes much in this 
> case. I think it is clear enough already that the attribute 
> "ancestors" will contain ancestors, the attribute "parents" will 
> contain parents, and so on.
>
> Best regards,
> Erik
>
> Rich.Levinson wrote:
>> Hi Erik,
>>
>> I can issue a WD 9. However, I checked the .zip file and that has a 
>> WD 8 that was created based on WD 6, which means that the changes Hal 
>> made in WD 7 are missing. So, I will hold off until you advise about 
>> what is to happen to the WD 7 changes:
>> http://lists.oasis-open.org/archives/xacml/200904/msg00000.html
>>
>> On the subject of the p-code, I believe the array representation is 
>> fully general in that any set of hierarchies can be represented in 
>> the arrays as shown. i.e. there are N resources total and M 
>> hierarchies defined on the resources. Each column represents one 
>> hierarchy.
>>
>> As indicated the case of DAG can be handled by allocating as many 
>> columns as necessary so that the number of columns is equal to the 
>> width corresponding to the max # of parents any node in the DAG has. 
>> There is then room for the parents of any node so one then just lists 
>> all parents of each node in the DAG in slots within the row allocated 
>> to the DAG.
>>
>> This model is not intended to represent a suggested implementation, 
>> however, it is designed to be fully general to accommodate any 
>> collection of resources which is organized with any set of 
>> hierarchies or DAGs applied to it.
>>
>> i.e. it is not intended to be an example, it is a general model with 
>> which any example can be represented.
>>
>>    Thanks,
>>    Rich
>>
>>
>> Erik Rissanen wrote:
>>> Hi Rich and all,
>>>
>>> To avoid any confusion, I would just point out there are now two 
>>> different wd 8 out there. The other is in the zip file which I 
>>> posted yesterday. That one contains editorial cleanups.
>>>
>>> I think the pseudocode should be non-normative and considered an 
>>> example only because this pseudocode applies only to those cases 
>>> where the resource hierarchies are stored in arrays like that.
>>>
>>> Best regards,
>>> Erik
>>>
>>> rich.levinson@oracle.com wrote:
>>>> Proposed revision to Hierarchical Resource Profile, which adds section
>>>> 3.3.1, which contains p-code, which is asserted to represent the problem as
>>>> described in section 3.3 from WD 7. It is expected that by utilizing p-code
>>>> we can reduce possible ambiguities in the interpretation of the text
>>>> descriptions as has worked for other detailed XACML areas. Note: details
>>>> for DAG processing which would be enhancement within the proposed algorithm
>>>> have been sketched after the main algorithm, which could readily be added
>>>> if TC believes necessary.
>>>>
>>>>  -- Rich Levinson
>>>>
>>>> The document named Hierarchical Resource Profile WD 8
>>>> (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) has been submitted by
>>>> Rich Levinson to the OASIS eXtensible Access Control Markup Language
>>>> (XACML) TC document repository.
>>>>
>>>> Document Description:
>>>> XACML Hierarchical Resource Profile
>>>> View Document Details:
>>>> http://www.oasis-open.org/committees/document.php?document_id=31950
>>>>
>>>> Download Document:  
>>>> http://www.oasis-open.org/committees/download.php/31950/xacml-3%5B1%5D.0-hierarchical-v1-spec-wd-08-en-01.doc 
>>>>
>>>>
>>>>
>>>> PLEASE NOTE:  If the above links do not work for you, your email application
>>>> may be breaking the link into two pieces.  You may be able to copy and paste
>>>> the entire link address into the address field of your web browser.
>>>>
>>>> -OASIS Open Administration
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php