Subject: Re: [xacml] Suggested discussion topic -- what are common practices in how access-control attributes are bound to resources?
Hi Martin,

In Axiomatics deployments, attributes (metadata) largely come from databases. The PDP uses PIPs to retrieve those attributes via SQL calls. For instance:
- Policy: doctors can view a medical record if the record's assigned physician == the requestor id.
- Attributes used
  - requestor id - provided by the PEP
  - medical record id - provided by the PEP
  - action id - provided by the PEP
  - medical record assigned physician - retrieved from the record database using SELECT assignedPhysician FROM records WHERE recordId = ?

That is one of the most common ways.

Another option - specific to Windows Server 2012 - is to have the attribute metadata directly assigned to the documents (files / folders) as classification information. MS Windows allows for that. There's a video here that explains how that works.

Hope this helps,
David.

--

On Wed, Nov 11, 2015 at 9:52 PM, Martin Smith <firstname.lastname@example.org> wrote:
> My question is: in current practice today with current deployed products, how are resource metadata bound to resources (documents, etc.) Interested in access-control related resource attributes of course (vs search, etc metadata.) Also, how do PDP's (or PIP's) find these attributes?
>
> Thanks,
> Martin

--
David Brossard
VP of Customer Relations
+46(0)760 25 85 75
+1 312 774-9163
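
Added example, not part of the message above and not Axiomatics code: a minimal Python sketch of the PEP/PIP/PDP flow the message describes, where the PEP supplies requestor id, record id and action id and the PIP resolves the assigned physician with the parameterized query from the message. The class and function names, the in-memory SQLite table, the sample rows, and the choice to answer Deny on a mismatch and Indeterminate on a missing attribute are assumptions made for illustration.

```python
import sqlite3

def make_record_db():
    """Constructed sample data standing in for the record database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (recordId TEXT PRIMARY KEY, assignedPhysician TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?)",
                   [("rec-1", "dr-alice"), ("rec-2", "dr-bob"), ("rec-3", None)])
    return db

class RecordPIP:
    """Hypothetical PIP: resolves the one attribute the PEP does not supply."""
    QUERY = "SELECT assignedPhysician FROM records WHERE recordId = ?"

    def __init__(self, db):
        self.db = db

    def assigned_physician(self, record_id):
        # The record id is passed as a bound parameter, so a value taken from
        # the request is compared as data and never becomes part of the SQL.
        row = self.db.execute(self.QUERY, (record_id,)).fetchone()
        return row[0] if row else None

def decide(pip, requestor_id, record_id, action_id):
    """Hypothetical PDP for the single rule in the message."""
    if action_id != "view":
        return "NotApplicable"          # the rule only targets the view action
    physician = pip.assigned_physician(record_id)
    if physician is None:
        # Unknown record or no physician assigned: nothing to compare against.
        # Assumption: treat the attribute as required, so the PEP fails closed.
        return "Indeterminate"
    # Assumption: a mismatch yields Deny, as under a deny-unless-permit policy.
    return "Permit" if physician == requestor_id else "Deny"

def demo():
    pip = RecordPIP(make_record_db())
    requests = [                         # constructed (requestor, record, action) triples
        ("dr-alice", "rec-1", "view"),
        ("dr-bob", "rec-1", "view"),
        ("dr-alice", "rec-9", "view"),
        ("dr-alice", "rec-3", "view"),
        ("dr-alice", "rec-1", "delete"),
        ("dr-alice", "rec-1' OR '1'='1", "view"),
    ]
    return [decide(pip, *r) for r in requests]

if __name__ == "__main__":
    print(demo())
```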