Title: RE: [xacml] Fundamental concepts in XACML

Hi Anne,

I agree; this is an excellent starter list (and John's early help here is greatly appreciated!). I might add a couple of extra items:

- use of arbitrarily-specified, arbitrarily-complex, combining algorithms (e.g., "most recent takes precedence", or "policy from this issuer takes precedence", etc.; not just Boolean combinations)
- hierarchical policies or, "distributed policy writers" (i.e., not just combinations of rules, but also combinations of other policies are possible).

Carlisle.

----------
From: Anne Anderson [SMTP:Anne.Anderson@Sun.com]
Reply To: Anne.Anderson@Sun.com
Sent: Monday, June 17, 2002 10:53 AM
To: XACML TC
Subject: [xacml] Fundamental concepts in XACML

For our "background" section, I thought it would be helpful for us to identify the fundamental concepts and mechanisms used in XACML. We can then identify the earlier work that developed those concepts and mechanisms.

Here is a starter list:

-Describing access request in terms of: Subject -> Action -> Resource/Object
-Request including attributes of Subject and Resource/Object
-Policy based on attributes of Subject and Resource/Object
   o Attribute-based rules
   o Identity-based rules
-Rule based access control
-Access control language
-Boolean operations on access rules
-Obligations as part of rules

Any others? Any refinements to this list?

John Erickson, in e-mail to the Rights Language TC, listed some early references to work on policies attached to resources. We can make use of his list for some items, I'm sure.

http://lists.oasis-open.org/archives/rights/200206/msg00029.html

Anne
--
Anne H. Anderson
Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311
Burlington, MA 01803-0902 USA
Tel: 781/442-0928
Fax: 781/442-1692