Re: [xdi] Link Contract Pattern

[Drummond Reed <drummond.reed@xdi.org>]

On Fri, Jun 10, 2011 at 1:35 PM, Michael Schwartz <mike@gluu.org> wrote:

Drummond,

Per our converstation, it would be convenient to be able to say anyone assigned to this link contract has the right to send messages, which could be done with variables:

 ($1)
 ($1)$msg
 ($1)/$/(=abc!1$do/$())

Can you update the Link Contract Pattern with this change?

Done and attached. I've also uploaded it to the OASIS Kavi system, but due to the PDF bug it may be a few days before you can access it.
 

Also, an example of $not$get would be nice. I think this is needed immediately. For example: share my /pictures folder, but don't share pictures042.jpg and pictures043.jpg

I simply did not have enough room to add this to the diagram. We need to add another diagram to illustrate it. But it's very straightforward - the positive permission (e.g., $get) points anywhere higher in the tree, and the negative permission (e.g., $not$get) points anywhere lower. Authorization code needs to walk the tree up from the target node. The rule is that the closest permission wins. In other words, if the target node is 3 nodes deep, and doesn't have any permission directly, and the parent node 2 nodes deep has a $get permission, then allow the $get on the 3rd level node. But if the parent node 2 levels deep has $not$get, then deny the $get on the 3rd level node.

Obviously it should be an error if there are conflicting permissions ($get and $not$get) on the same node.

Hope this helps,

=Drummond
 

Thx!!!

Mike



---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

xdi-graph-patterns-2011-06-15.pdf