OASIS eXtensible Access Control Markup Language (XACML) TC

XACML 2.0 Hierarchical Resources, Draft 2.0


    Posted 05-25-2004 15:23

    Subject: XACML 2.0 Hierarchical Resources, Draft 2.0


    I have produced a new revision of the proposed XACML 2.0 sections
    on Hierarchical Resources.  PDF and msword versions are attached.
    
    The revision has the following significant changes:
    
    1) Proposes a standard URI representation for hierarchical
       resources that are not XML documents.  This representation
       allows use of the anyURI-equal and anyURI-match functions
       where the path to a requested node is important.  This
       representation may be overridden by a resource-specific
       Profile.
    
       I am using Profile rather loosely.  It might be a formal XACML
       or industry Profile specification, or it might be a less
       formal agreement between policy writers and PEPs for use of a
       given type of resource.  We may want to provide a formal
       definition.  The important thing is that any resource must be
       represented in only one way, so that all policies intended to
       apply to that resource will apply.
    
       Note that an objection to this standard representation has
       been raised by Daniel, yet other members requested it and
       think it is important.  The TC will have to decide whether to
       include this representation or not.
    
    2) Specifies that multiple "resource-id" Attributes SHALL be
       specified where there is more than one normative
       representation of the identity of the requested resource.
       Where multiple "resource-id" Attributes exist in a Request
       evaluated by the PDP, they SHALL all refer to the same
       resource (i.e. this is not a way to request multiple resources
       in a single PDP evaluation).
    
       This is actually not just a hierarchical resources issue.  If
       a given resource has more than one normative representation,
       then all such representations must be supplied if all policies
       intended to apply to the resource are to apply.
    
    3) Continues to require "resource-ancestor" and "resource-parent"
       Attributes be available for both XML and non-XML resources.
    
    4) References the anyURI-equal and anyURI-match functions for use
       with standard URI representations of hierarchical resource
       nodes.
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
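
The reasoning in item 2, as an added example that is not part of the original message or the draft: a toy policy evaluation showing that a Deny rule written against one representation of a resource never fires when the Request carries only the other. The identifiers, the `ALIASES` lookup, the deny-overrides combining and the treatment of anyURI-equal as exact string comparison are assumptions made for illustration.

```python
"""Added illustration: why a Request must carry every normative resource-id."""
from dataclasses import dataclass

# Constructed sample identifiers for one and the same file (assumptions).
FILE_URI = "file:///export/home/anne/report.txt"
INODE_URI = "urn:example:fs:vol1:inode:4711"


@dataclass(frozen=True)
class Rule:
    effect: str        # "Permit" or "Deny"
    resource_id: str   # target value compared with anyURI-equal


def any_uri_equal(a: str, b: str) -> bool:
    # Simplification (assumption): anyURI-equal as exact string comparison.
    return a == b


def validate_request(resource_ids, same_resource) -> None:
    """Reject a Request whose resource-id values name different resources.

    same_resource is a hypothetical PEP-side lookup that maps each
    representation to a canonical resource handle.
    """
    handles = {same_resource[r] for r in resource_ids}
    if len(handles) != 1:
        raise ValueError("resource-id values refer to different resources")


def evaluate(rules, resource_ids) -> str:
    """Deny-overrides over rules whose target equals any supplied resource-id."""
    matched = [r.effect for r in rules
               if any(any_uri_equal(r.resource_id, rid) for rid in resource_ids)]
    if "Deny" in matched:
        return "Deny"
    return "Permit" if "Permit" in matched else "NotApplicable"


RULES = [Rule("Permit", FILE_URI), Rule("Deny", INODE_URI)]
ALIASES = {FILE_URI: "res-1", INODE_URI: "res-1",
           "file:///export/home/bob/notes.txt": "res-2"}


def demo():
    partial = evaluate(RULES, [FILE_URI])              # Deny rule never matches
    validate_request([FILE_URI, INODE_URI], ALIASES)   # same resource: accepted
    complete = evaluate(RULES, [FILE_URI, INODE_URI])  # both rules now apply
    return partial, complete
```
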
    
    
