OASIS eXtensible Access Control Markup Language (XACML) TC


RE: Resource sets and resource string semantics

  • 1.  RE: Resource sets and resource string semantics

    Posted 05-11-2001 13:43
    Re HP ... Aha!
    
    Re: "I think it is entirely appropriate to support authorization
    assertions that refer to all the files in a directory sub-tree." ABSOLUTELY
    
    Re: "I think it would be onerous to support arbitrary regular 
    expression based wildcards however." ONEROUS YES ... but does this mean
    that regular expression based wild cards should not be supported in general.
    Consider the case of an XML document in which we wish to apply access
    controls to subcomponents of the document and the auth decision needs to be
    made based on the contents of the subcomponents themselves when compared to
    some attribute of the requestor. Since it would be even more onerous, and
    perhaps impossible, to determine, define, and dictate beforehand the
    structure of the XML files whose content is being controlled prior to
    defining a policy language that can be mapped to the files, then it would
    seem we must support arbitrary regular expressions, at least for intrafile
    access. Once one supports it for intrafile access, I can't see a reasonable
    reason not to support it for extrafile access. Granted, this could result in
    very hairy and conflicting policy statements on the part of policy managers;
    however, this is a user problem. It seems to regress into the old argument
    that the tool (in this case SAML and XACML) is by its nature neutral;
    however, if you want to kill yourself with it you can.
    
    I would like to keep things simple; however, if we do so at the cost of
    people subsequently writing hacks to support more power and they put those
    hacks into applications, then we have even more difficult security problems
    to address.
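The three matching styles discussed in the post (directory sub-tree, regular-expression wildcard, and content-based intrafile access to XML subcomponents) can be sketched in a small policy evaluator. This is an added example, not code from the post, the XACML TC or any XACML implementation, and it uses no XACML syntax; the sample document, the subject attributes, the rule set and the deny-overrides combining are all constructed for illustration.

```python
import posixpath
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample document: a file whose subcomponents carry the data the
# decision is made on (owner and a numeric clearance level). Invented values.
SAMPLE_XML = """<records>
  <record id="r1"><owner>alice</owner><clearance>2</clearance></record>
  <record id="r2"><owner>bob</owner><clearance>1</clearance></record>
  <record id="r3"><owner>carol</owner><clearance>3</clearance></record>
</records>"""


def subtree_match(root: str, resource: str) -> bool:
    """True when resource is root itself or lies anywhere below it.

    Both sides are normalised first, so a resource string such as
    '/share/reports/../secrets/x.xml' is compared as '/share/secrets/x.xml'
    and cannot pass a naive prefix test. The trailing '/' keeps
    '/share/reportsX' from matching the root '/share/reports'.
    """
    root_n = posixpath.normpath(root)
    res_n = posixpath.normpath(resource)
    return res_n == root_n or res_n.startswith(root_n.rstrip("/") + "/")


def regex_match(pattern: str, resource: str) -> bool:
    """Anchored regular-expression match over the whole resource string.

    fullmatch() rather than search(): an unanchored search would let a
    pattern written for '/public/...' also match '/private/public/...'.
    The pattern is assumed to come from the policy author, not the requester.
    """
    return re.fullmatch(pattern, resource) is not None


@dataclass
class ResourceRule:
    matcher: Callable[[str], bool]   # hypothetical rule shape for this example
    effect: str                      # "permit" or "deny"


# Constructed file-level policy: permit the reports sub-tree, but deny
# anything that looks like a draft anywhere below it.
FILE_POLICY = [
    ResourceRule(lambda r: subtree_match("/share/reports", r), "permit"),
    ResourceRule(lambda r: regex_match(r"/share/reports/.*/draft-.*\.xml", r), "deny"),
]


def file_decision(policy: List[ResourceRule], resource: str) -> str:
    """Deny-overrides combining: any matching deny wins over any permit;
    a resource no rule matches yields 'not-applicable' rather than a permit."""
    effects = {rule.effect for rule in policy if rule.matcher(resource)}
    if "deny" in effects:
        return "deny"
    if "permit" in effects:
        return "permit"
    return "not-applicable"


def readable_records(xml_text: str, subject: dict) -> List[str]:
    """Intrafile, content-based decision: a <record> is readable when the
    requester owns it or when the record's clearance does not exceed the
    requester's. The structure of the file is not fixed in advance; the
    rule only names the element path and the attribute it compares against."""
    tree = ET.fromstring(xml_text)
    permitted = []
    for rec in tree.iterfind("./record"):
        owner = rec.findtext("owner", default="")
        clearance = int(rec.findtext("clearance", default="0"))
        if owner == subject["name"] or clearance <= subject["clearance"]:
            permitted.append(rec.get("id"))
    return permitted


if __name__ == "__main__":
    for res in ("/share/reports/2001/q1.xml",
                "/share/reports/2001/draft-q1.xml",
                "/share/reports/../secrets/x.xml"):
        print(res, "->", file_decision(FILE_POLICY, res))
    print(readable_records(SAMPLE_XML, {"name": "alice", "clearance": 1}))
```

The sub-tree matcher and the regex matcher are deliberately separate functions: the prefix form is cheap and predictable, while the regex form is where the "onerous" cost lives, so keeping it anchored, compiled from policy-author input only, and combined under deny-overrides limits how much a hairy pattern can surprise the policy manager.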