Subject: RE: Hierarchical actions
Yes. It sounds like it could simplify policy authoring. I would be interested in seeing a more detailed proposal and comments from others.

-----Original Message-----
From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of remon.sinnema@emc.com
Sent: Friday, October 21, 2011 7:01 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] Hierarchical actions

TC,

We support hierarchical subjects through the RBAC profile and hierarchical resources through the Hierarchical Resource profile. However, we don't support hierarchical actions yet. I mean support for systems where e.g. granting write ALWAYS implies granting read.

For instance, EMC Documentum uses the following hierarchy for actions:

Delete    The user can delete the object
Write     The user can write and update the object
Version   The user can version the object
Relate    The user can attach an annotation to the object
Read      The user can read content but not update
Browse    The user can look at property values but not at associated content

Writing XACML policies in such a system creates a lot of duplication, as each rule targeting Delete must also target Write, Version, Relate, Read, and Browse, and so on and on.

Is standardizing hierarchical actions of interest to anyone else?

Thanks,
Ray

---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-help@lists.oasis-open.org
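
Added example, not part of the thread and not taken from any XACML profile or from Documentum: a small Python sketch of the action hierarchy listed above, comparing a hierarchical check with the flat expansion a policy author has to write today. It assumes the six actions form a strict linear order (each action implies all those listed below it); the subjects and grants are constructed sample data.

```python
# Added illustration; not code from the XACML TC or EMC Documentum.
# Assumption: the six listed actions form a strict linear order.
HIERARCHY = ["Browse", "Read", "Relate", "Version", "Write", "Delete"]  # low -> high
RANK = {name: i for i, name in enumerate(HIERARCHY)}


def implied_actions(granted):
    """Every action covered by a grant of `granted`, highest first."""
    if granted not in RANK:
        raise ValueError(f"unknown action: {granted!r}")
    return HIERARCHY[RANK[granted]::-1]


def flatten(grants):
    """Flat (subject, action) pairs a non-hierarchical policy must list."""
    return {(s, a) for s, g in grants for a in implied_actions(g)}


def is_permitted(grants, subject, requested):
    """Hierarchical check: permit when some grant for the subject ranks at or
    above the requested action. Unknown actions are denied (fail closed)."""
    want = RANK.get(requested)
    if want is None:
        return False
    return any(s == subject and RANK.get(g, -1) >= want for s, g in grants)


# Constructed sample grants (hypothetical subjects).
GRANTS = [("alice", "Delete"), ("bob", "Read"), ("carol", "Version")]

if __name__ == "__main__":
    flat = flatten(GRANTS)
    print(f"{len(GRANTS)} hierarchical grants expand to {len(flat)} flat entries")
    # Both models must reach the same decision for every subject and action.
    for subject in ("alice", "bob", "carol"):
        for action in HIERARCHY:
            assert is_permitted(GRANTS, subject, action) == ((subject, action) in flat)
    print("bob/Browse:", is_permitted(GRANTS, "bob", "Browse"))
    print("bob/Write:", is_permitted(GRANTS, "bob", "Write"))
```

The equivalence loop is the useful check when migrating: a hierarchical rule set should never permit anything the hand-expanded flat rules did not.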