43 messages in org.oasis-open.lists.xacmlRe: [xacml] Issue: Hierarchical profi...| From | Sent On | Attachments |
|---|---|---|
| Rich.Levinson | Jan 14, 2009 10:54 pm | |
| Daniel Engovatov | Jan 14, 2009 11:23 pm | |
| Rich.Levinson | Jan 15, 2009 6:42 am | |
| Erik Rissanen | Jan 15, 2009 6:52 am | |
| Rich.Levinson | Jan 15, 2009 8:36 am | |
| Daniel Engovatov | Jan 15, 2009 11:09 am | |
| Anil Saldhana | Jan 20, 2009 6:04 pm | |
| Hal Lockhart | Jan 21, 2009 8:48 am | |
| Rich.Levinson | Feb 16, 2009 4:22 pm | |
| Daniel Engovatov | Feb 16, 2009 4:48 pm | |
| Rich.Levinson | Feb 16, 2009 5:40 pm | |
| Daniel Engovatov | Feb 16, 2009 5:59 pm | |
| Rich.Levinson | Feb 16, 2009 8:05 pm | |
| Daniel Engovatov | Feb 16, 2009 8:39 pm | |
| Erik Rissanen | Feb 17, 2009 3:37 am | |
| Rich.Levinson | Feb 17, 2009 7:40 am | |
| Rich.Levinson | Feb 17, 2009 7:48 am | |
| Daniel Engovatov | Feb 17, 2009 11:19 am | |
| Rich.Levinson | Feb 17, 2009 8:33 pm | |
| Daniel Engovatov | Feb 18, 2009 10:15 am | |
| Seth Proctor | Feb 18, 2009 10:29 am | |
| Daniel Engovatov | Feb 18, 2009 11:02 am | |
| Rich.Levinson | Feb 18, 2009 12:37 pm | |
| Daniel Engovatov | Feb 18, 2009 12:51 pm | |
| Rich.Levinson | Feb 18, 2009 3:04 pm | |
| Daniel Engovatov | Feb 18, 2009 3:16 pm | |
| Rich.Levinson | Feb 18, 2009 6:54 pm | |
| Erik Rissanen | Feb 19, 2009 6:57 am | |
| Daniel Engovatov | Feb 19, 2009 10:59 am | |
| Rich.Levinson | Feb 19, 2009 8:02 pm | |
| Rich.Levinson | Feb 19, 2009 9:11 pm | |
| Erik Rissanen | Feb 20, 2009 1:34 am | |
| Erik Rissanen | Feb 20, 2009 1:41 am | |
| Rich.Levinson | Feb 20, 2009 2:12 am | |
| Erik Rissanen | Feb 20, 2009 2:30 am | |
| Rich.Levinson | Feb 20, 2009 8:14 am | |
| Rich.Levinson | Feb 20, 2009 8:55 am | |
| Daniel Engovatov | Feb 20, 2009 10:37 am | |
| Daniel Engovatov | Feb 20, 2009 10:37 am | |
| Rich.Levinson | Feb 20, 2009 10:46 am | |
| Daniel Engovatov | Feb 20, 2009 11:01 am | |
| Rich.Levinson | Feb 20, 2009 1:22 pm | |
| Daniel Engovatov | Feb 20, 2009 3:03 pm |
| Subject: | Re: [xacml] Issue: Hierarchical profile appears ambiguous and inconsistent | |
|---|---|---|
| From: | Erik Rissanen (er...@axiomatics.com) | |
| Date: | Jan 15, 2009 6:52:29 am | |
| List: | org.oasis-open.lists.xacml | |
Rich.Levinson wrote:
I am trying to understand what policies are supposed to do with the definitions in the spec. i.e. it is the spec that says in section 3.2 that all the parent and ancestor nodes need to be assembled in the request context. What "policy evaluation" are you referring to? Are you saying what I indicated in original email that a policy does not need to know anything about hierarchies that the resource-id node does not belong to?
Hi Rich,
I don't understand all the questions you have, but here's the basic approach of the profile in a simple example.
Assume the following simple hierarchy:
A <- B <- C
If someone requests access to C, the request will contain these attributes. this is from the top of my head, so it might be slightly inaccurate and I might have forgotten some of the attributes, but hopefully you get the idea.
<Resource> resource-id = C parent-id = B self-or-ancestor = C self-or-ancestor = B self-or-ancestor = A </Resource>
All these attributes are there so it is possible to write policies which apply to parts of the hierarchy, not just individual nodes.
For example:
<Target> resource-id = C </Target>
Matches only the resource C, nothing else.
<Target> parent-id = B </Target>
matches the immediate children of B. In the example this is C, but if C had a sibling, it would also match.
<Target> ancestor-or-self = B </Target>
Matches B or any node below B. In this case also C.
Best regards, Erik
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php