Re HP ... Aha!
Re: "I think it is entirely appropriate to support authorization
assertions that refer to all the files in a directory sub-tree." ABSOLUTELY
Re: "I think it would be onerous to support arbitrary regular
expression based wildcards however." ONEROUS YES ... but does this mean
that regular expression based wildcards should not be supported in general?
Consider the case of an XML document in which we wish to apply access
controls to subcomponents of the document and the auth decision needs to be
made based on the contents of the subcomponents themselves when compared to
some attribute of the requestor. Since it would be even more onerous, and
perhaps impossible, to determine, define, and dictate beforehand the
structure of the XML files whose content is being controlled prior to
defining a policy language that can be mapped to the files, then it would
seem we must support arbitrary regular expressions, at least for intrafile
access. Once one supports it for intrafile access, I can't see a reasonable
reason not to support it for extrafile access. Granted, this could result in
very hairy and conflicting policy statements on the part of policy managers;
however, this is a user problem. It seems to regress into the old argument
that the tool (in this case SAML and XACML) is by its nature neutral;
however, if you want to kill yourself with it you can.
I would like to keep things simple; however, if we do so at the cost of
people subsequently writing hacks to support more power and they put those
hacks into applications, then we have even more difficult security problems
to address.
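The intrafile, content-dependent case described in the message above, as an added example that is not part of the original thread and not SAML or XACML code: a toy Python evaluator with a hypothetical rule format (effect, regex over the element path, condition callable) and a constructed sample document. It shows a regex selecting XML subcomponents, element content compared against requestor attributes, and the "hairy and conflicting" rule problem handled with deny-overrides combining and a default deny.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document (hypothetical): patient records inside one file.
DOC = """<records>
  <record id="r1" owner="alice"><diag>flu</diag></record>
  <record id="r2" owner="bob"><diag>asthma</diag></record>
  <audit>internal</audit>
</records>"""

# Hypothetical rule shape: (effect, path_regex, condition).  path_regex is
# matched against the slash-joined element path inside the file; condition
# takes the matched element and the requestor's attribute dict.
RULES = [
    ("permit", r"^/records/record$", lambda el, subj: el.get("owner") == subj.get("id")),
    ("permit", r"^/records/record$", lambda el, subj: subj.get("role") == "clinician"),
    ("deny",   r"^/records/audit$",  lambda el, subj: subj.get("role") != "auditor"),
]

def element_paths(el, prefix=""):
    """Yield (path, element) for every element, in document order."""
    path = prefix + "/" + el.tag
    yield path, el
    for child in el:
        yield from element_paths(child, path)

def decide(path, el, subj, rules=RULES):
    """Deny-overrides combination with default deny: any applicable deny wins,
    otherwise any applicable permit, otherwise no rule applies and we deny."""
    effects = {eff for eff, rx, cond in rules
               if re.search(rx, path) and cond(el, subj)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"

def readable(xml_text, subj):
    """Return the ids (or paths, if no id) of elements the requestor may read."""
    root = ET.fromstring(xml_text)
    return [el.get("id", path) for path, el in element_paths(root)
            if decide(path, el, subj) == "permit"]

if __name__ == "__main__":
    print(readable(DOC, {"id": "alice"}))                      # ['r1']
    print(readable(DOC, {"id": "carol", "role": "clinician"})) # ['r1', 'r2']
    print(readable(DOC, {"id": "dan", "role": "auditor"}))     # []
```

The auditor gets nothing because no permit rule matches the audit element; the deny rule merely not firing does not grant access.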