[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] Combining Algorithms & the Hierarchical Resource profile
Rich, > -----Original Message----- > From: rich levinson [mailto:rich.levinson@oracle.com] > Sent: Tuesday, September 06, 2011 3:04 PM > To: Sinnema, Remon > Cc: xacml@lists.oasis-open.org > Subject: Re: [xacml] Combining Algorithms & the Hierarchical Resource > profile > > I think what you are describing is the difference between default = > deny (everything denied unless permitted) vs default = permit > (everything permitted unless denied). > > This can usually be accomplished by having permit-overrides combining > alg with a final rule of deny (default=deny) vs having a deny-overrides > combining alg with a final rule of permit (default=permit). > > This appears to me to be an orthogonal property wrt hierarchical > traversal. Yes, everything can be implemented with the current combining algorithms by creating a hierarchy of policies. I was hoping to avoid duplicating the resource hierarchy in the policies: I have a gut feeling there is some coupling there that maybe shouldn't exist, which will make maintenance of policies harder than necessary. Thanks, Ray
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]