OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Resource-location

Hi John and David,

Fwiw, the original defn is in this email:
 (resource location obtained by removing simple-file-name and xpath attributes from resource-uri.
 E.g. http://org/A00.xml#xpointer(/employee/name) has a resource-location of "http://org"; "
Another "passing" comment was made here:
"I believe some policies will refer to resource-id,
 and some others might refer to resource-category,
 or resource-location,
 or some other hypothetical attribute of the resource. "
In general, imo, a "resource-id" probably should be a URI that simply
"identifies" the resource, and "resource-location" should probably
be the URL where the resource can be found. In practice, I think
URL is often "overloaded" to meet both the id and location properties
of a resource, however, since "locations" often change, it seems that
a longer term strategy would be to distinguish id and location a little
better, although I don't think this is the job of xacml, except, possibly
in the sense of advising best practices for policy defns.


On 8/7/2013 12:45 PM, Tolbert, John W wrote:

Hi David,


That’s an interesting use case you wrote below. Would you use string for the data-type in that case?  I was thinking that the ipAddress, dnsName, and anyURI data types would work well for this attribute too.


Thanks for the info. 


From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Wednesday, August 07, 2013 8:47 AM
To: Tolbert, John W
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] Resource-location


Hi John,


It sometimes makes sense to define where a resource is located. Imagine a purchase order (PO). A PO would have been issued in a given location e.g. Texas. You could then write a rule as follows:


a user can view a purchase order if and only if user.location==resource.location.


You can then use urn:oasis:names:tc:xacml:1.0:resource:resource-location to implement the resource location attribute. We have quite a few location-based access control use cases here at Axiomatics that are like that.





On Wed, Aug 7, 2013 at 5:35 PM, Tolbert, John W <john.w.tolbert@boeing.com> wrote:



Questions for those who have created policies with resource attributes (from section 10.2.6 “Identifiers” in the core, p.97):


Has anyone used the following identifier, and if so, for what purpose?:



I am imagining a use case where one might want to direct/restrict certain user groups to specific network locations or environments.  Examples may include production / pre-production / development, or different views of the same resource for different user groups.



David Brossard, M.Eng, SCEA, CSTP
Product Manager
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden

Thanks, Rich

Rich Levinson | Internet Standards Security Architect
Mobile: +1 978 5055017
Oracle Identity Management
45 Network Drive | Burlington, Massachusetts 01803

            Oracle Oracle is committed to developing practices and products that help protect the environment

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]