Subject: RE: [xacml] RE: Hierarchical actions


“Do people on the TC feel that this is something worth standardizing in a profile?”

 

If you mean a general approach for dealing with ontologies and semantic web technologies, I agree.  I have over the past two years mentioned some possibilities in this direction.  If XACML is to remain a viable choice for implementing and executing rules, it must provide a standardized semantic web aspect of some sort.  See my preliminary thoughts at http://wiki.oasis-open.org/xacml/XACMLandRDF.

 

Regards,

--Paul

 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of remon.sinnema@emc.com
Sent: Monday, 28 November, 2011 10:03
To: xacml@lists.oasis-open.org
Subject: [xacml] RE: Hierarchical actions

 

All,

 

Thanks for the feedback on this issue.

 

I have collected the following proposals:

(1) model the action hierarchy with enums

(2) model the action hierarchy in an ontology and extend the policy/request with semantic technology

(3) model the action hierarchy like the resource hierarchy with an action-ancestor-or-self attribute retrieved by a PIP

 

My criteria for evaluating these proposals are (in order of importance):

(1) Ease of policy authoring

(2) Possibilities for performance optimizations

(3) Ease of implementation

 

My scoring of the proposals on these criteria is as follows:

 

 

                 | Enums                                            | Ontology          | Action-ancestor-or-self
-----------------+--------------------------------------------------+-------------------+--------------------------------------------------------------
Authoring        | Author must use integers instead of action names | Business as usual | Author must use different attribute when there is a hierarchy
Performance      | Functions other than type-equals may be harder   | Normal            | Slightly slower due to PIP lookup
                 | to optimize in some implementations              |                   |
Implementation   | Trivial                                          | Doable            | Trivial

 

Based on these scores the semantic approach looks the most promising to me and I will start implementing it in our PDP.

 

Do people on the TC feel that this is something worth standardizing in a profile?

 

 

Thanks,

Ray

 

> -----Original Message-----
> From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On
> Behalf Of remon.sinnema@emc.com
> Sent: Friday, October 21, 2011 4:01 PM
> To: xacml@lists.oasis-open.org
> Subject: [xacml] Hierarchical actions
>
> TC,
>
> We support hierarchical subjects through the RBAC profile and
> hierarchical resources through the Hierarchical Resource profile.
> However, we don't support hierarchical actions yet. I mean support for
> systems where e.g. granting write ALWAYS implies granting read. For
> instance, EMC Documentum uses the following hierarchy for actions:
>
> Delete    The user can delete the object
> Write     The user can write and update the object
> Version   The user can version the object
> Relate    The user can attach an annotation to the object
> Read      The user can read content but not update
> Browse    The user can look at property values but not at associated
>           content
>
> Writing XACML policies in such a system creates a lot of duplication,
> as each rule targeting Delete must also target Write, Version, Relate,
> Read, and Browse, and so on and on.
>
> Is standardizing hierarchical actions of interest to anyone else?
>
>
> Thanks,
> Ray
>

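As an added example, not code from the thread or from any XACML implementation: proposal (3), an action-ancestor-or-self attribute retrieved by a PIP, worked through in Python against the Documentum hierarchy quoted above. The names ACTION_HIERARCHY, action_ancestor_or_self, enrich_request, decide_flat and decide_hierarchical and the role-to-action grants are constructed for illustration; the flat policy shows the duplication Ray describes, the hierarchical one expresses the same grants with a single action per role.

```python
# Added example, not from the thread: proposal (3), an action-ancestor-or-self
# attribute supplied by a PIP, worked through against the Documentum hierarchy
# quoted in the thread. Names and the sample grants below are constructed.

# Most to least powerful; granting an action implies every action below it.
ACTION_HIERARCHY = ["Delete", "Write", "Version", "Relate", "Read", "Browse"]


def action_ancestor_or_self(action):
    """PIP lookup: the requested action plus every action that implies it."""
    if action not in ACTION_HIERARCHY:
        raise ValueError(f"unknown action: {action}")
    return set(ACTION_HIERARCHY[: ACTION_HIERARCHY.index(action) + 1])


def enrich_request(request):
    """Add the hierarchy attribute as a PIP would, leaving action-id intact."""
    enriched = dict(request)
    enriched["action-ancestor-or-self"] = action_ancestor_or_self(request["action-id"])
    return enriched


# Without hierarchy support every implied action must be listed per role
# (the duplication the thread complains about); with it, one grant suffices.
FLAT_POLICY = {
    "editor": {"Delete", "Write", "Version", "Relate", "Read", "Browse"},
    "reviewer": {"Relate", "Read", "Browse"},
}
HIERARCHICAL_POLICY = {"editor": {"Delete"}, "reviewer": {"Relate"}}


def decide_flat(policy, request):
    """Rule target: action-id equals one of the role's granted actions."""
    granted = policy.get(request["role"], set())
    return "Permit" if request["action-id"] in granted else "Deny"


def decide_hierarchical(policy, request):
    """Rule target: one of the role's granted actions is in action-ancestor-or-self."""
    granted = policy.get(request["role"], set())
    return "Permit" if enrich_request(request)["action-ancestor-or-self"] & granted else "Deny"


def policies_agree():
    """Both policies must give identical decisions for every role and action."""
    return all(
        decide_flat(FLAT_POLICY, {"role": r, "action-id": a})
        == decide_hierarchical(HIERARCHICAL_POLICY, {"role": r, "action-id": a})
        for r in set(FLAT_POLICY) | {"guest"} for a in ACTION_HIERARCHY
    )
```

A request for Read from a reviewer is permitted because Relate is among the actions that imply Read, while a Write request from the same role is denied; policies_agree() confirms the one-grant-per-role policy is equivalent to the fully enumerated one.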

 


