OASIS Mailing List Archives

 



xacml message



Subject: Re: [xacml] Combining Algorithms & the Hierarchical Resource profile


Hi Ray,

I think your question may be a bit outside the scope of the hierarchical profile for the following reason.

You have defined 2 independent rules, Rule-A and Rule-D that identify separate resources.

Since when one traverses the hierarchy, one first encounters node A, it would seem that should take precedence before continuing the path to node D, i.e., if rejected at node A, you are done; if accepted, then you get to try node D.

A lot depends on how you construct the Policy. If you used ordered rule-combining then you could place either rule first to achieve whichever effect you preferred.

The hierarchical profile is primarily about how to represent the nodes in a hierarchy and addresses a variety of common use cases. It builds on top of the Multiple profile and the core spec, so it is expected that one would use the node representations in that context.

If there is another specific context that you have in mind, I would be interested to learn more about it. The use case you have described does not seem to me to have any particular motivation except trying to define some precedence order for applying the Rules which I do not quite understand.

     Thanks,
     Rich


On 9/5/2011 10:24 AM, remon.sinnema@emc.com wrote:
> All,
>
> I see no reference to a combining algorithm (CA) in the Hierarchical Resource profile. Are policy writers expected to use the core CAs, or are they expected to write their own CAs specific to this profile?
>
> I expected there to be some CA that gives precedence to rules that match lower in the tree. For example, given the following tree of resources:
>
> A
> |
> +-- B
> |
> +-- C
>      |
>      +-- D
>
> And two rules that target resource-ancestor at A and D, respectively, I expected the one at D to take precedence for a request with resource-id=D, but I can find nothing in the profile that actually makes that happen. Am I missing something?
>
>
> Thanks,
> Ray
>
>


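The ordering effect discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of rule combining (target matching only, no conditions or Indeterminate results) applied to the tree from the quoted question. The rule effects, the parent map read from the ASCII tree, and the ancestor-or-self matching are assumptions made for illustration.

```python
# Simplified model of XACML rule combining over the resource tree in the quoted message.
# Constructed for illustration: rule effects and the parent map are assumptions.

PARENT = {"B": "A", "C": "A", "D": "C"}  # tree as drawn: A -> B, A -> C, C -> D


def ancestors_or_self(node):
    """Return the node followed by its ancestors up to the root."""
    path = [node]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return path


def applicable(rule, resource_id):
    """A rule applies when its target node is the resource or one of its ancestors."""
    return rule["node"] in ancestors_or_self(resource_id)


def first_applicable(rules, resource_id):
    """Ordered combining: the first rule whose target matches decides."""
    for rule in rules:
        if applicable(rule, resource_id):
            return rule["effect"]
    return "NotApplicable"


def deny_overrides(rules, resource_id):
    """Unordered combining (simplified): any applicable Deny wins, otherwise any Permit."""
    effects = {r["effect"] for r in rules if applicable(r, resource_id)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


# Hypothetical effects: Rule-A denies everything under A, Rule-D permits D.
RULE_A = {"id": "Rule-A", "node": "A", "effect": "Deny"}
RULE_D = {"id": "Rule-D", "node": "D", "effect": "Permit"}

if __name__ == "__main__":
    for order in ([RULE_A, RULE_D], [RULE_D, RULE_A]):
        names = [r["id"] for r in order]
        print(names, "first-applicable ->", first_applicable(order, "D"),
              "| deny-overrides ->", deny_overrides(order, "D"))
```

In this model, only the ordered algorithm lets the policy writer choose whether the rule at A or the rule at D decides a request for D; neither algorithm looks at how deep in the tree a rule matched.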