xacml message
Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
On 15 July, Bill Parducci writes: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
> Anne Anderson wrote:
> > What if the policy also contains a Deny rule denying everyone
> > except the patient access to the <Diagnosis> node alone? In that
> > case, if the request comes in asking for the entire document, the
> > Deny rule that applies to requests for that individual node would
> > not apply, and access to the entire document (including the
> > <Diagnosis> node) would be granted to the physician or an
> > administrator.
>
> That comes back to my previous point: I think it is unlikely that there
> will be field-level granularity of access policy without equivalent
> enforcement. It seems illogical to me that you would have a policy
> writer exclude field-level information when enforcement is document
> level. The net effect is the same when applied; it is simply a
> multiplication of rule maintenance.
>
> Example:
>
> Consider a document, X, with three components: A, B & C.
>
> IF the access control mechanism is at the *document* level, then:
>
> deny bill to see X:B
>
> is equivalent to
>
> deny bill X
>
> Am I missing something?
>
> The only place that I can see that this will be of value is if there are
> resources that are protected *both* by policies that allow field-level
> access as well as whole-document access (*enforcement* is different). Is
> this the case we are trying to solve?
Yes.
> If so, I personally see that as unlikely. My vote is for D: a hierarchy
> is a special collection of resources that we operate on individually; I
> suggest that we do not operate on the container itself.
That is what the Profile currently specifies. It is always
possible for a given environment to agree between Policy
Authorities and PEPs that certain resources will be treated
differently.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
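The gap Anne describes, and the per-node evaluation Bill calls option D, as an added example that is not part of the thread and is not the Profile's own text or code. It is a toy evaluator with deny-overrides combining over a constructed document X with nodes X/A, X/B and X/C and a constructed policy (a Permit on X for physicians, administrators and the patient; a Deny on X/B for everyone but the patient). Resource-id syntax, role names and the assumption that a rule targeting an ancestor node also applies to its descendants are all assumptions made for the example, not something the draft specifies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Decision = str  # "Permit", "Deny" or "NotApplicable"


@dataclass(frozen=True)
class Rule:
    effect: str                            # "Permit" or "Deny"
    resource_id: str                       # the resource-id the rule targets, e.g. "X" or "X/B"
    subject_matches: Callable[[str], bool]  # predicate over the requester's role


# Constructed sample hierarchy (assumed for this example): document X has three child nodes.
HIERARCHY: Dict[str, List[str]] = {"X": ["X/A", "X/B", "X/C"]}

# Constructed sample policy (assumed, not from the draft):
#  - physicians, administrators and the patient may read the whole record X;
#  - everyone except the patient is denied the Diagnosis node X/B alone.
POLICY: List[Rule] = [
    Rule("Permit", "X", lambda role: role in {"physician", "administrator", "patient"}),
    Rule("Deny", "X/B", lambda role: role != "patient"),
]


def ancestors(resource_id: str) -> List[str]:
    """Resource-ids that contain resource_id, nearest first: 'X/B' -> ['X'], 'X' -> []."""
    parts = resource_id.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def combine(effects) -> Decision:
    """Deny-overrides rule combining over the effects of the applicable rules."""
    effects = list(effects)
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def decide_exact(role: str, resource_id: str, policy: List[Rule]) -> Decision:
    """Document-level evaluation: only rules whose target is exactly resource_id apply.

    A request for the whole document "X" therefore never sees the Deny on "X/B".
    """
    return combine(r.effect for r in policy
                   if r.resource_id == resource_id and r.subject_matches(role))


def decide_node(role: str, node: str, policy: List[Rule]) -> Decision:
    """Node-level evaluation: rules targeting the node or any of its ancestors apply.

    Inheriting ancestor rules is an assumption of this example, not the Profile's text.
    """
    scope = {node, *ancestors(node)}
    return combine(r.effect for r in policy
                   if r.resource_id in scope and r.subject_matches(role))


def descendants(root: str, hierarchy: Dict[str, List[str]]) -> List[str]:
    """Every node below root, in document order (root itself excluded)."""
    out: List[str] = []
    for child in hierarchy.get(root, []):
        out.append(child)
        out.extend(descendants(child, hierarchy))
    return out


def decide_hierarchy(role: str, root: str, policy: List[Rule],
                     hierarchy: Dict[str, List[str]]) -> Dict[str, Decision]:
    """Option D: treat a request for the container as requests for each node individually,
    never for the container itself, so the PEP gets a per-node decision to enforce."""
    return {node: decide_node(role, node, policy) for node in descendants(root, hierarchy)}


if __name__ == "__main__":
    print(decide_exact("physician", "X", POLICY))                 # Permit: the X/B Deny never fires
    print(decide_hierarchy("physician", "X", POLICY, HIERARCHY))  # X/B is Deny, A and C Permit
    print(decide_hierarchy("patient", "X", POLICY, HIERARCHY))    # every node Permit
```

With document-level evaluation the physician's request for X is permitted outright, including the Diagnosis node, which is the outcome Anne flags. With per-node evaluation the PEP receives a Deny for X/B and can redact that node or refuse the whole document, so the field-level rule is only worth writing when enforcement matches it, which is Bill's point.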