OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Hierarchical match

  • 1.  [xacml] Hierarchical match

    Posted 07-08-2004 07:02
    
    In the last TC call, I suggested using "*" and "**" notations for matching
    hierarchical resources.
    
    Examples:
    ex1: /p1/p2
    ex2: /p1/p2/*
    ex3: /p1/p2/**
    
    /p1/p2 matches /p1/p2.
    /p1/p2/* matches all the immediate children of /p1/p2.
    /p1/p2/** matches all the descendants of /p1/p2.
    
    Therefore,
    /p1/p2/* matches /p1/p2/p3 and /p1/p2/p4 but fails to match /p1/p2 and
    /p1/p2/p3/p4.
    /p1/p2/** matches /p1/p2/p3 and /p1/p2/p3/p4 but fails to match /p1/p2.
    
    The exact semantics of the above notation is represented as the equivalent
    regular expression as follows:
    
    /p1/p2     ==> ^\/p1\/p2$
    /p1/p2/*   ==> ^\/p1\/p2\/[^\/]+$
    /p1/p2/**  ==> ^\/p1\/p2\/.+$
    
    - Rationale:
    An access control policy that works on a hierarchy often requires exact match,
    immediate children match, and subtree match. The above notation corresponds
    to each pattern. If a regular expression is used, such intention would become
    implicit.
    
    Best,
    Michiharu
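
Added example, not part of the original message: a Python translator from the three notations above to the regular expressions the message gives, for checking a policy pattern against a resource path. The function names are hypothetical. Two choices are assumptions made here, not taken from the message: a "*" anywhere other than as a whole final segment is rejected, and literal segments are regex-escaped and matched with `fullmatch`, so that a "." in a resource name or a trailing newline cannot widen the match.

```python
import re


def compile_hier_pattern(pattern: str) -> re.Pattern:
    """Translate /a/b, /a/b/* or /a/b/** into the equivalent regex."""
    if not pattern.startswith("/"):
        raise ValueError("pattern must start with '/'")
    *segments, last = pattern.split("/")[1:]
    if last == "*":
        tail = r"/[^/]+"   # immediate children: exactly one more segment
    elif last == "**":
        tail = r"/.+"      # descendants: one or more further characters
    else:
        segments.append(last)
        tail = ""          # exact match
    # Assumption: wildcards are only defined as the whole final segment.
    if any("*" in seg for seg in segments):
        raise ValueError("'*' is only allowed as the last path segment")
    # Escape literals so names such as "v1.0" do not act as regex syntax.
    body = "".join("/" + re.escape(seg) for seg in segments)
    return re.compile(body + tail)


def matches(pattern: str, resource: str) -> bool:
    # fullmatch plays the role of ^...$ but, unlike "$" in Python's re,
    # does not accept a trailing newline after the path.
    return compile_hier_pattern(pattern).fullmatch(resource) is not None


def run_examples() -> dict:
    """Evaluate the cases listed in the message (paths taken from it)."""
    cases = [
        ("/p1/p2", "/p1/p2"),
        ("/p1/p2/*", "/p1/p2/p3"),
        ("/p1/p2/*", "/p1/p2"),
        ("/p1/p2/*", "/p1/p2/p3/p4"),
        ("/p1/p2/**", "/p1/p2/p3/p4"),
        ("/p1/p2/**", "/p1/p2"),
    ]
    return {case: matches(*case) for case in cases}


if __name__ == "__main__":
    for (pat, res), ok in run_examples().items():
        print(f"{pat:12} {res:14} {'match' if ok else 'no match'}")
```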
    
    

