OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] [policy-model]: group membership flattening

  • 1.  Re: [xacml] [policy-model]: group membership flattening

    Posted 10-15-2001 10:20
    > 3. pdp can maintain group hierarchy locally.
    
    by this, you mean in a practical sense, right? in other words, this
    device is acting as the PDP as well as the PxP? (sorry, it is early and
    the name of the reference/information entity isn't coming to mind
    :o)
    
    or, are we assuming that the pdp is also a repository of referential
    data and not just decision making logic?
    
    phrased another way: how granular are we going to get with our model? it
    seems that there is significant variance on the playground and i don't
    think we have driven that stake into the ground yet.  or have we?
    
    b
    
    
    > 
    > Pdp can maintain a policy on how to compute group closure for various
    > subjects and resources.
    > This policy could specify combinations of 1, 2, and 3.
    > 
    > One policy could be that evidence from the request should be ignored,
    > and direct group membership should be taken from attribute
    > authorities,
    > and group hierarchy should be kept in the pdp.
    > In this case input from 1 is ignored and 2 is used in 3 for closure
    > computation.
    > 
    > Or we can take group membership from the evidence in the request only.
    > 
    > Allowing pdp to specify a policy for group membership computation
    > provides for the most
    > flexibility.
    > 
    > Simon Godik
    > Crosslogix
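
The quoted message describes three possible sources for a subject's group membership (evidence carried in the request, direct membership from an attribute authority, and a group hierarchy held at the PDP) and proposes letting a PDP-side policy choose which combination to use when computing the group closure. The following is an added illustration of that idea, not code from the XACML TC, CrossLogix, or either poster; the group names, the hierarchy, the attribute-authority lookup table and the request evidence are all constructed for the example, and the ClosurePolicy flags are a hypothetical encoding of the three sources, not XACML syntax.

```python
"""Group-membership closure at a PDP, with a per-policy choice of sources.

Added illustration for the thread above; not XACML TC or CrossLogix code.
The hierarchy, attribute-authority table and request evidence below are
constructed sample data.
"""
from collections import deque
from dataclasses import dataclass

# Constructed group hierarchy kept locally at the PDP (source 3 in the
# thread): child group -> set of parent groups. It deliberately contains
# a cycle (ops <-> oncall) so the closure walk must guard against loops.
LOCAL_HIERARCHY = {
    "dev": {"staff"},
    "staff": {"everyone"},
    "ops": {"staff", "oncall"},
    "oncall": {"ops"},
    "admins": {"ops"},
}

# Constructed attribute-authority view of direct membership (source 2).
ATTRIBUTE_AUTHORITY = {
    "alice": {"dev"},
    "bob": {"admins"},
}


@dataclass(frozen=True)
class ClosurePolicy:
    """Hypothetical PDP policy: which sources feed the closure computation."""
    trust_request_evidence: bool      # source 1: groups asserted in the request
    query_attribute_authority: bool   # source 2: direct membership from the AA
    expand_local_hierarchy: bool      # source 3: transitive expansion at the PDP


def direct_groups(subject, request_evidence, policy):
    """Collect direct memberships from whichever sources the policy allows."""
    groups = set()
    if policy.trust_request_evidence:
        groups |= set(request_evidence.get(subject, ()))
    if policy.query_attribute_authority:
        groups |= set(ATTRIBUTE_AUTHORITY.get(subject, ()))
    return groups


def group_closure(subject, request_evidence, policy, hierarchy=LOCAL_HIERARCHY):
    """Return every group the subject belongs to under the given policy.

    Breadth-first walk up the parent links; the closure set doubles as the
    visited set, so the ops <-> oncall cycle terminates.
    """
    closure = direct_groups(subject, request_evidence, policy)
    if not policy.expand_local_hierarchy:
        return closure
    queue = deque(closure)
    while queue:
        group = queue.popleft()
        for parent in hierarchy.get(group, ()):
            if parent not in closure:
                closure.add(parent)
                queue.append(parent)
    return closure


# The three combinations mentioned in the thread.
AA_PLUS_LOCAL = ClosurePolicy(False, True, True)    # ignore request, AA direct, PDP hierarchy
EVIDENCE_ONLY = ClosurePolicy(True, False, False)   # take request evidence as-is
ALL_SOURCES = ClosurePolicy(True, True, True)

# Constructed request in which the caller asserts membership in "admins".
REQUEST_EVIDENCE = {"alice": {"admins"}}


def demo():
    """Closure for alice under each policy; the self-asserted group only
    survives where the policy trusts request evidence."""
    return {
        "aa_plus_local": group_closure("alice", REQUEST_EVIDENCE, AA_PLUS_LOCAL),
        "evidence_only": group_closure("alice", REQUEST_EVIDENCE, EVIDENCE_ONLY),
        "all_sources": group_closure("alice", REQUEST_EVIDENCE, ALL_SOURCES),
    }


if __name__ == "__main__":
    for name, groups in demo().items():
        print(f"{name}: {sorted(groups)}")
```

The point the example makes concrete is the one the quoted policy choice turns on: when the PDP ignores request evidence and takes direct membership from the attribute authority, a caller who asserts "admins" in the request gets only the groups the authority and the local hierarchy actually give it; a policy that trusts evidence hands that assertion straight into the closure.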