OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: Hierarchical actions

Yes.  It sounds like it could simplify policy authoring.  I would be interested in seeing a more detailed proposal and comments from others.

-----Original Message-----
From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of remon.sinnema@emc.com
Sent: Friday, October 21, 2011 7:01 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] Hierarchical actions


We support hierarchical subjects through the RBAC profile and hierarchical resources through the Hierarchical Resource profile. However, we don't support hierarchical actions yet. I mean support for systems where e.g. granting write ALWAYS implies granting read. For instance, EMC Documentum uses the following hierarchy for actions:

Delete	The user can delete the object
Write 	The user can write and update the object
Version 	The user can version the object
Relate 	The user can attach an annotation to the object
Read 		The user can read content but not update
Browse 	The user can look at property values but not at associated content

Writing XACML policies in such a system creates a lot of duplication, as each rule targeting Delete must also target Write, Version, Relate, Read, and Browse, and so on and on.

Is standardizing hierarchical actions of interest to anyone else?


To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]