Hi John and David,
Fwiw, the original defn is in this email:
Another "passing" comment was made here:
(resource location obtained by removing
simple-file-name and xpath attributes from resource-uri.
has a resource-location of
"I believe some policies will refer to resource-id,
others might refer to resource-category,
some other hypothetical attribute of the resource.
In general, imo, a "resource-id" probably should be a URI that
"identifies" the resource, and "resource-location" should probably
be the URL where the resource can be found. In practice, I think
URL is often "overloaded" to meet both the id and location
of a resource, however, since "locations" often change, it seems
a longer term strategy would be to distinguish id and location a
better, although I don't think this is the job of xacml, except,
in the sense of advising best practices for policy defns.
On 8/7/2013 12:45 PM, Tolbert, John W
an interesting use case you wrote below. Would you use
string for the data-type in that case? I was thinking that
the ipAddress, dnsName, and anyURI data types would work
well for this attribute too.
for the info.
It sometimes makes sense to define
where a resource is located. Imagine a purchase order
(PO). A PO would have been issued in a given location e.g.
Texas. You could then write a rule as follows:
a user can view a purchase order if and
only if user.location==resource.location.
You can then use urn:oasis:names:tc:xacml:1.0:resource:resource-location
to implement the resource location attribute. We have
quite a few location-based access control use cases here
at Axiomatics that are like that.
On Wed, Aug 7, 2013 at 5:35 PM,
Tolbert, John W <email@example.com>
for those who have created policies with resource
attributes (from section 10.2.6 “Identifiers” in the
used the following identifier, and if so, for what
imagining a use case where one might want to
direct/restrict certain user groups to specific
network locations or environments. Examples may
include production / pre-production / development,
or different views of the same resource for
different user groups.
David Brossard, M.Eng, SCEA, CSTP
+46(0)760 25 85 75
S-111 30 Stockholm, Sweden
Rich Levinson | Internet Standards Security
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803
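Added example, not part of the original thread or of any participant's code: a toy Python evaluator for the purchase-order rule described above ("a user can view a purchase order if and only if user.location==resource.location"), showing what happens when the resource-location attribute is missing or multi-valued. The subject attribute id, the category keys and the plain-string values are assumptions made for the illustration; this is not a XACML engine.

```python
from enum import Enum

# Identifier quoted in the thread.
RESOURCE_LOCATION = "urn:oasis:names:tc:xacml:1.0:resource:resource-location"
# Hypothetical subject attribute id, invented for this example.
SUBJECT_LOCATION = "urn:example:subject:location"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

class BagError(Exception):
    """Raised when an attribute bag does not hold exactly one value."""

def one_and_only(request, category, attribute_id):
    # Same idea as XACML's string-one-and-only: an empty or
    # multi-valued bag is an error, never a silent match.
    bag = request.get(category, {}).get(attribute_id, [])
    if len(bag) != 1:
        raise BagError(f"{attribute_id}: expected 1 value, got {len(bag)}")
    return bag[0]

def view_po_rule(request):
    """Toy rule: permit 'view' iff user.location == resource.location."""
    if "view" not in request.get("action", {}).get(ACTION_ID, []):
        return Decision.NOT_APPLICABLE
    try:
        user_loc = one_and_only(request, "subject", SUBJECT_LOCATION)
        res_loc = one_and_only(request, "resource", RESOURCE_LOCATION)
    except BagError:
        return Decision.INDETERMINATE
    # Mismatch is an explicit Deny here to express the "only if" half.
    return Decision.PERMIT if user_loc == res_loc else Decision.DENY

def enforce(request):
    # Enforcement side: anything other than Permit is refused.
    return view_po_rule(request) is Decision.PERMIT

def make_request(user_locs, po_locs, action="view"):
    # Constructed sample request; locations are plain strings (an assumption).
    return {"subject": {SUBJECT_LOCATION: user_locs},
            "resource": {RESOURCE_LOCATION: po_locs},
            "action": {ACTION_ID: [action]}}
```

A purchase order carrying no location, or two locations, yields Indeterminate rather than Permit, so the enforcement side has to treat every non-Permit result as a refusal.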