Subject: Re: [xacml] Resource-location


Hi John and David,

Fwiw, the original defn is in this email:
  https://lists.oasis-open.org/archives/xacml/200208/msg00000.html
"BASE:resource:resource-location
 (resource location obtained by removing simple-file-name and xpath attributes from resource-uri.
 E.g. http://org/A00.xml#xpointer(/employee/name) has a resource-location of "http://org"; "
Another "passing" comment was made here:
  https://lists.oasis-open.org/archives/xacml/200209/msg00009.html
"I believe some policies will refer to resource-id,
 and some others might refer to resource-category,
 or resource-location,
 or some other hypothetical attribute of the resource. "
In general, imo, a "resource-id" probably should be a URI that simply
"identifies" the resource, and "resource-location" should probably
be the URL where the resource can be found. In practice, I think
URL is often "overloaded" to meet both the id and location properties
of a resource, however, since "locations" often change, it seems that
a longer term strategy would be to distinguish id and location a little
better, although I don't think this is the job of xacml, except, possibly
in the sense of advising best practices for policy defns.

    Thanks,
    Rich

On 8/7/2013 12:45 PM, Tolbert, John W wrote:

Hi David,

That’s an interesting use case you wrote below. Would you use string for the data-type in that case? I was thinking that the ipAddress, dnsName, and anyURI data types would work well for this attribute too.

Thanks for the info.
 

From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Wednesday, August 07, 2013 8:47 AM
To: Tolbert, John W
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] Resource-location


Hi John,

It sometimes makes sense to define where a resource is located. Imagine a purchase order (PO). A PO would have been issued in a given location e.g. Texas. You could then write a rule as follows:

a user can view a purchase order if and only if user.location==resource.location.

You can then use urn:oasis:names:tc:xacml:1.0:resource:resource-location to implement the resource location attribute. We have quite a few location-based access control use cases here at Axiomatics that are like that.

Cheers

David.

On Wed, Aug 7, 2013 at 5:35 PM, Tolbert, John W <john.w.tolbert@boeing.com> wrote:

Hello,

Questions for those who have created policies with resource attributes (from section 10.2.6 “Identifiers” in the core, p.97):

Has anyone used the following identifier, and if so, for what purpose?:

urn:oasis:names:tc:xacml:1.0:resource:resource-location

I am imagining a use case where one might want to direct/restrict certain user groups to specific network locations or environments. Examples may include production / pre-production / development, or different views of the same resource for different user groups.

--
David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics


--
Thanks, Rich

Oracle
Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
