
xacml message



Subject: follow-up on yesterday's "decision on C" vs B[i] discussion




-------- Original Message --------
Subject: RE: will be late, plus have questions
Date: Wed, 9 Dec 2009 10:39:52 -0600
From: Tyson, Paul H <PTyson@bellhelicopter.textron.com>
To: Rich.Levinson <rich.levinson@oracle.com>, Harold Lockhart <hal.lockhart@oracle.com>
CC: Erik Rissanen <erik@axiomatics.com>, Bill Parducci (E-mail) <bill@parducci.net>, Jan Herrmann <herrmanj@in.tum.de>, Dilli Dorai <Dilli.Dorai@Sun.COM>, <john.w.tolbert@boeing.com>, Staggs, David (SAIC) <David.Staggs@va.gov>, Sridhar Muppidi <muppidi@us.ibm.com>
References: <2e47e7f6-24d4-440c-8bfa-e26a8d4c3fc5@default> <4B1FCC7B.8050701@oracle.com>


It is a new class of problem.  I can see a few different approaches, but they should all be considered after 3.0.
 
1. Add a "decision-combining algorithm" mechanism, whereby the Request can ask for a single decision on one resource, based on several decisions about other resources.  (It is coincidental and irrelevant that in this case, the sub-decisions are about children of the main resource.)
 
2. Implement a variable-binding mechanism to allow values from the request context to be passed to the xpath evaluator.
 
3. Generalize/modify access-permitted function to handle this case.  This might be the place to put decision-combining algorithm.
 
4. Specify an ordered aggregate data type ("List") and possibly some additional functions (such as Lisp "apply").  This would allow the policy writer to use ordered lists of Building/Owner and Building/Price nodes to evaluate the properties of each Building.
 
I believe the access-permitted function has the greatest possibilities, not only for this use case but for many others.  I'm sure there are implementation challenges in recursive policy evaluation, though.
 
--Paul


From: Rich.Levinson [mailto:rich.levinson@oracle.com]
Sent: Wednesday, December 09, 2009 10:13
To: Harold Lockhart
Cc: Erik Rissanen; Bill Parducci (E-mail); Jan Herrmann; Dilli Dorai; john.w.tolbert@boeing.com; Staggs, David (SAIC); Sridhar Muppidi; Tyson, Paul H
Subject: will be late, plus have questions

Hi All,

My call ran over expectation; will be in around 8:45-9:00.
(note: we need email for Nau)

I have a couple of questions re: yesterday, specifically:
  • does the attr selector offset "solve" the decision on C issue, or is it just for the individual requests, B[i]
  • re: decision on C issue: is this inherently "unsolvable" within xacml as formulated by depending on multiple decisions, whereas xacml is a single decision arch? if so, does it open case for new class of functionality such as combining algorithm for multi-decision scenarios?
  Thanks,
  Rich


