43 messages in org.oasis-open.lists.xacmlRe: [xacml] Issue: Hierarchical profi...| From | Sent On | Attachments |
|---|---|---|
| Rich.Levinson | Jan 14, 2009 10:54 pm | |
| Daniel Engovatov | Jan 14, 2009 11:23 pm | |
| Rich.Levinson | Jan 15, 2009 6:42 am | |
| Erik Rissanen | Jan 15, 2009 6:52 am | |
| Rich.Levinson | Jan 15, 2009 8:36 am | |
| Daniel Engovatov | Jan 15, 2009 11:09 am | |
| Anil Saldhana | Jan 20, 2009 6:04 pm | |
| Hal Lockhart | Jan 21, 2009 8:48 am | |
| Rich.Levinson | Feb 16, 2009 4:22 pm | |
| Daniel Engovatov | Feb 16, 2009 4:48 pm | |
| Rich.Levinson | Feb 16, 2009 5:40 pm | |
| Daniel Engovatov | Feb 16, 2009 5:59 pm | |
| Rich.Levinson | Feb 16, 2009 8:05 pm | |
| Daniel Engovatov | Feb 16, 2009 8:39 pm | |
| Erik Rissanen | Feb 17, 2009 3:37 am | |
| Rich.Levinson | Feb 17, 2009 7:40 am | |
| Rich.Levinson | Feb 17, 2009 7:48 am | |
| Daniel Engovatov | Feb 17, 2009 11:19 am | |
| Rich.Levinson | Feb 17, 2009 8:33 pm | |
| Daniel Engovatov | Feb 18, 2009 10:15 am | |
| Seth Proctor | Feb 18, 2009 10:29 am | |
| Daniel Engovatov | Feb 18, 2009 11:02 am | |
| Rich.Levinson | Feb 18, 2009 12:37 pm | |
| Daniel Engovatov | Feb 18, 2009 12:51 pm | |
| Rich.Levinson | Feb 18, 2009 3:04 pm | |
| Daniel Engovatov | Feb 18, 2009 3:16 pm | |
| Rich.Levinson | Feb 18, 2009 6:54 pm | |
| Erik Rissanen | Feb 19, 2009 6:57 am | |
| Daniel Engovatov | Feb 19, 2009 10:59 am | |
| Rich.Levinson | Feb 19, 2009 8:02 pm | |
| Rich.Levinson | Feb 19, 2009 9:11 pm | |
| Erik Rissanen | Feb 20, 2009 1:34 am | |
| Erik Rissanen | Feb 20, 2009 1:41 am | |
| Rich.Levinson | Feb 20, 2009 2:12 am | |
| Erik Rissanen | Feb 20, 2009 2:30 am | |
| Rich.Levinson | Feb 20, 2009 8:14 am | |
| Rich.Levinson | Feb 20, 2009 8:55 am | |
| Daniel Engovatov | Feb 20, 2009 10:37 am | |
| Daniel Engovatov | Feb 20, 2009 10:37 am | |
| Rich.Levinson | Feb 20, 2009 10:46 am | |
| Daniel Engovatov | Feb 20, 2009 11:01 am | |
| Rich.Levinson | Feb 20, 2009 1:22 pm | |
| Daniel Engovatov | Feb 20, 2009 3:03 pm |
| Subject: | Re: [xacml] Issue: Hierarchical profile appears ambiguous and inconsistent | |
|---|---|---|
| From: | Daniel Engovatov (dan...@streamdynamics.com) | |
| Date: | Feb 16, 2009 5:59:25 pm | |
| List: | org.oasis-open.lists.xacml | |
For example, all the PCs in a company have serial numbers. When managers create policies, they have the physical resources in mind and may organize them hierarchically for various purposes. A department manager may label the PCs in his/her dept according to some hierarchical structure in the dept organization and assign policies accordingly. At the same time these PCs are company property and may be labeled independently by the IT dept in terms of who is responsible for maintenance on them.
If someone wants to take one of these PCs out of the building, maybe there is a policy that says even if the employee's manager says it is ok, the facilities manager must also approve before permission is granted. This can be modeled with a dept hierarchy and a facilities hierarchy, and there are rules within the hierarchy producing a result and policy combining between the 2 hierarchies that can resolve conflicts such as described above.
In the above example the /a1/b1/c1 might be the dept hierarchy and / a2/b2/c2 might be the facilities hierarchy.
There is no need for separate hierarchies here if the "remove from building" is a single access decision. In your example, let's "PC" be a resource, "DEPT" be a department, and "FACILITIES" be facilities. In this case resource-ancestors will be {"PC", "DEPT", "FACILITIES"} (or {"a1", "a2", "b1", "b2", "c"} ) There is no need for two hierarchies. That is the advantage of not being pidgeonholed into a single inheritance URI-like scheme.
It is also uniquely defined by a URI if a URI scheme has been applied to the same resources, since all the ancestors are readily identifiable within the URI.
That's a bit of a contorted way to represent a simple bag of strings.
Within the policies themselves, there would generally be no need to include this attribute except possibly for reporting purposes.
Then what exactly is the problem? Policy, as specified, can be evaluated deterministically. The mapping of physical entities into policy resources is outside of the scope of this profile. I do not see anything broken here.
Daniel;
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php