OASIS eXtensible Access Control Markup Language (XACML) TC


WG: AW: [xacml] RE: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

  • 1.  WG: AW: [xacml] RE: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 09-28-2009 10:35
    Hi Erik, all,
    
    in your mail
    (http://lists.oasis-open.org/archives/xacml/200909/msg00095.html) you are
    identifying three different use cases. Just to make sure that I understood
    your suggestions let me summarise how I understood your use cases and add
    some comments:
    
    Use case 1:
    You have one physical resource (a book) and an XML-encoded metadata doc that
    describes the physical resource.
    You are further saying that XACML can handle this case well. Is this correct
    or do the same problems exist in this use case too?
    Let me extend your example to demonstrate that similar problems can occur:
    
    
    
     
    Now assume that you try to define a rule that denies access to a book if one
    of its authors is from the requestor’s family (i.e. the miller family) and
    born after 1978.
    Doesn’t this imply similar limitations as I described in
    http://lists.oasis-open.org/archives/xacml/200909/msg00081.html?
    
    Use case 2:
    From my point of view this is a special case of use case one where you have
    access to multiple physical resources and thus multiple metadata XML docs
    describing these physical resources. I agree that this should be encoded
    through multiple resource elements as you proposed. So this is simply a
    convenient way of packing what are in fact separate access requests (of type use
    case 1) into one XACML decision request.
    
    Use case 3.
    Here the nodes of an XML document are the resources. The XML document is
    contained under a resource-category 


  • 2.  Re: WG: AW: [xacml] RE: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 09-28-2009 15:08
    Hi Jan,
    
    See responses inline.
    
    Best regards,
    Erik
    
    Jan Herrmann wrote:
    > Hi Erik, all,
    >
    > in your mail
    > (http://lists.oasis-open.org/archives/xacml/200909/msg00095.html) you are
    > identifying three different use cases. Just to make sure that I understood
    > your suggestions let me summarise how I understood your use cases and add
    > some comments:
    >
    > Use case 1:
    > You have one physical resource (a book) and an XML-encoded metadata doc that
    > describes the physical resource.
    > You are further saying that XACML can handle this case well. Is this correct
    > or do the same problems exist in this use case too?
    > Let me extend your example to demonstrate that similar problems can occur:
    >
    > 
    > 
    >  
    > Now assume that you try to define a rule that denies access to a book if one
    > of its authors is from the requestor’s family (i.e. the miller family) and
    > born after 1978.
    > Doesn’t this imply similar limitations as I described in
    > http://lists.oasis-open.org/archives/xacml/200909/msg00081.html?
    >   
    
    
    I am not sure. At the very least, the attribute selector with an offset 
    wouldn't help anything here, since it is a request for a single 
    resource, so the PDP would not iterate the resource-id over anything.
    
    I suspect that it is fairly easy to write an xpath expression which 
    selects a
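
The following is an added illustration of the point argued in both messages above; it is not code from the XACML TC thread or from any XACML implementation. The metadata document it uses is constructed (the XML in Jan's message was not preserved on this page, so its shape is an assumption), and XACML's AttributeSelector and any-of semantics are mimicked with plain Python over xml.etree. Jan's rule ("deny if one author is from the Miller family and born after 1978") is written twice: once with two independent AttributeSelectors, whose bags lose which last name belongs to which birth year, and once with a single XPath predicate that keeps both conditions on the same author node, which is the direction Erik's reply points at.

```python
"""Added example (not from the thread): why two independent XACML
AttributeSelectors lose the correlation between values of one XML node,
and why a single XPath predicate keeps it."""
import xml.etree.ElementTree as ET

# Constructed metadata document: one Miller born before 1978, one non-Miller
# born after 1978. No single author satisfies both conditions of the rule.
BOOK_METADATA = """<book>
  <title>Some Book</title>
  <author><lastname>Miller</lastname><birthyear>1970</birthyear></author>
  <author><lastname>Smith</lastname><birthyear>1985</birthyear></author>
</book>"""


def load(xml_text):
    """Parse the metadata document (stands in for the request's <Content>)."""
    return ET.fromstring(xml_text)


def select_bag(doc, xpath):
    """Mimic an XACML AttributeSelector: the XPath result becomes a bag of
    text values, one per selected node. This subset of XPath is supported
    by xml.etree.ElementTree."""
    return [e.text for e in doc.findall(xpath)]


def any_of(fn, value, bag):
    """Mimic XACML any-of(fn, value, bag): true iff fn(value, b) for some b."""
    return any(fn(value, b) for b in bag)


def deny_with_two_selectors(doc, family="Miller", born_after=1978):
    """Rule written with two separate selectors. Each bag is built per
    element name, so author identity is lost and the two conditions are
    checked independently of each other."""
    names = select_bag(doc, ".//author/lastname")
    years = [int(y) for y in select_bag(doc, ".//author/birthyear")]
    return (any_of(lambda a, b: a == b, family, names)
            and any_of(lambda a, b: b > a, born_after, years))


def deny_with_correlated_predicate(doc, family="Miller", born_after=1978):
    """Rule written as one selector whose XPath predicate keeps both
    conditions on the same <author> node, i.e.
        //author[lastname='Miller' and birthyear > 1978]
    ElementTree's XPath subset has no numeric comparison, so the predicate
    is evaluated in Python here; the selection semantics are the same."""
    matches = [a for a in doc.findall(".//author")
               if a.findtext("lastname") == family
               and int(a.findtext("birthyear")) > born_after]
    return len(matches) > 0


def decide(xml_text):
    """Evaluate the deny rule both ways and report the resulting decision."""
    doc = load(xml_text)
    return {
        "two_selectors": "Deny" if deny_with_two_selectors(doc) else "NotApplicable",
        "correlated": "Deny" if deny_with_correlated_predicate(doc) else "NotApplicable",
    }


if __name__ == "__main__":
    # Expected: the two-selector rule wrongly denies; the correlated one does not.
    print(decide(BOOK_METADATA))
```

Running it shows the two-selector version denying access although no author is both a Miller and born after 1978, while the single-predicate version correctly finds no matching author. The correlation is only recoverable inside the XPath expression, which is why the strictness of the XPath definition (the subject of the CD-1 issue) matters for this use case.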