OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded

    Posted 04-05-2009 22:31
    Proposed revision to Hierarchical Resource Profile, which adds section
    3.3.1, which contains p-code, which is asserted to represent the problem as
    described in section 3.3 from WD 7. It is expected that by utilizing p-code
    we can reduce possible ambiguities in the interpretation of the text
    descriptions as has worked for other detailed XACML areas. Note: details
    for DAG processing, which would be an enhancement within the proposed algorithm,
    have been sketched after the main algorithm, and could readily be added
    if the TC believes it necessary.
    
     -- Rich Levinson
    
    The document named Hierarchical Resource Profile WD 8
    (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) has been submitted by
    Rich Levinson to the OASIS eXtensible Access Control Markup Language
    (XACML) TC document repository.
    
    Document Description:
    XACML Hierarchical Resource Profile 
    
    View Document Details:
    http://www.oasis-open.org/committees/document.php?document_id=31950
    
    Download Document:  
    http://www.oasis-open.org/committees/download.php/31950/xacml-3%5B1%5D.0-hierarchical-v1-spec-wd-08-en-01.doc
    
    
    PLEASE NOTE:  If the above links do not work for you, your email application
    may be breaking the link into two pieces.  You may be able to copy and paste
    the entire link address into the address field of your web browser.
    
    -OASIS Open Administration
    


  • 2.  Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded

    Posted 04-06-2009 04:23
    Hi Rich and all,
    
    To avoid any confusion, I would just point out there are now two 
    different wd 8 out there. The other is in the zip file which I posted 
    yesterday. That one contains editorial cleanups.
    
    I think the pseudocode should be non-normative and considered an example 
    only because this pseudocode applies only to those cases where the 
    resource hierarchies are stored in arrays like that.
    
    Best regards,
    Erik
    
    
    


  • 3.  Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded

    Posted 04-06-2009 04:48
    Hi Erik,
    
    I can issue a WD 9. However, I checked the .zip file and that has a WD 8 
    that was created based on WD 6, which means that the changes Hal made in 
    WD 7 are missing. So, I will hold off until you advise about what is to 
    happen to the WD 7 changes:
    http://lists.oasis-open.org/archives/xacml/200904/msg00000.html
    
    On the subject of the p-code, I believe the array representation is 
    fully general in that any set of hierarchies can be represented in the 
    arrays as shown. i.e. there are N resources total and M hierarchies 
    defined on the resources. Each column represents one hierarchy.
    
    As indicated the case of DAG can be handled by allocating as many 
    columns as necessary so that the number of columns is equal to the width 
    corresponding to the max # of parents any node in the DAG has. There is 
    then room for the parents of any node so one then just lists all parents 
    of each node in the DAG in slots within the row allocated to the DAG.
    
    This model is not intended to represent a suggested implementation, 
    however, it is designed to be fully general to accommodate any 
    collection of resources which is organized with any set of hierarchies 
    or DAGs applied to it.
    
    i.e. it is not intended to be an example, it is a general model with 
    which any example can be represented.
    
        Thanks,
        Rich
    
    
    


  • 4.  Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded

    Posted 04-06-2009 05:04
    Hi Rich,
    
    I can do the wd 9 by merging in the things from your document into my wd 
    8 which contains many changes based on the OASIS checklist. And my wd 8 
    is based on the WD 7 posted by Hal and does have the changes made by him.
    
    What I mean is that the pseudo code works only if one has one's hierarchy 
    stored as an array in that particular format. Another problem with the 
    pseudo code is that it assumes that each node only has one parent, which 
    is a limitation compared to what the profile can apply to.
    
    And, in the end, I don't think pseudo code contributes much in this 
    case. I think it is clear enough already that the attribute "ancestors" 
    will contain ancestors, the attribute "parents" will contain parents, 
    and so on.
    
    Best regards,
    Erik
    
    
    


  • 5.  Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded

    Posted 04-06-2009 06:20
    Hi Erik,
    
    Ok, I agree your update was to WD 7, I misread something and was mistaken.
    
    I am fine if you want to do the changes to WD 8 and make a WD 9. The 
    only change is the addition of section 3.3.1 (also, please change the 
    line in p-code that says: collectAncestorNodes() to 
    collectAncestorNodes(int iRes) - I forgot the parameter). If you prefer, 
    I can do the update myself based on your WD 8.
    
    I pointed out in the notes following the p-code that the multi-parent 
    (DAG) case can be handled with an enhancement.
    
    I am considering doing an update with that enhancement, for full 
    generality, however, what is currently there, in principle, 
    theoretically could work with a DAG expanded to single parent 
    hierarchies, but I do not want to incorporate that capability in that 
    manner as it is overly verbose and could lead to unnecessary confusion.
    
    The alternative is a slightly more sophisticated recursive algorithm to 
    handle the DAG as a minimum width set of columns, where the min is equal 
    to number of parents in the node(s) of the DAG that has the maximum 
    number of parents compared to any other nodes in the DAG.
    
    The fact that it is modeled as an array, imo, does not make it less 
    general since any concrete hierarchy or DAG can be mapped to this array 
    model. I chose this approach, because I consider it easy to understand: 
    each row represents a resource, and the row contains entries for the 
    hierarchies in which the resource can be a member. If the value in an 
    element of the row is zero, the resource is not a member of that 
    hierarchy. Basically, the row can be considered to contain the list of 
    memberships in the organization's hierarchies that this particular 
    resource participates in, where a membership is indicated by a non-zero 
    value identifying the row number of the resource's parent in that 
    hierarchy. For DAGs, row zero will contain DAG-ids and all columns with 
    the same DAG-id are in the same DAG. If DAG-id is zero, then the 
    column is a single parent hierarchy.
    
        Thanks,
        Rich
    
    
    
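Added example (not part of the thread, and not the p-code from the draft): a Python rendering of the array model described in the message above, with a recursive ancestor collector that walks both single-parent hierarchies and DAG slots and rejects malformed tables. The function names, the sample table, and the treatment of a root as a row carrying 0 in its column are assumptions made for this illustration.

```python
# Added illustration; names are hypothetical, not taken from the draft's p-code.
# table[0][j] : DAG-id of column j (0 = single-parent hierarchy; equal
#               non-zero ids = parent slots of the same DAG)
# table[i][j] : row number of resource i's parent in column j, 0 = none
# Assumption: a root simply carries 0 in its column (it has no parent row).

# Constructed sample: column 0 is a tree, columns 1-2 are two slots of DAG 7.
SAMPLE = [
    [0, 7, 7],  # row 0: DAG-ids
    [0, 0, 0],  # 1: root
    [1, 0, 0],  # 2: tree child of 1
    [1, 0, 0],  # 3: tree child of 1
    [2, 2, 3],  # 4: tree parent 2; DAG parents 2 and 3
    [0, 4, 0],  # 5: DAG parent 4
]


def dag_columns(table, dag_id):
    """Columns whose row-zero entry equals dag_id."""
    return [j for j, d in enumerate(table[0]) if d == dag_id]


def _check_row(table, i_res):
    """Reject row numbers that do not name a resource row (1..N)."""
    if not 1 <= i_res < len(table):
        raise ValueError(f"resource row {i_res} out of range")


def parents(table, i_res, columns=None):
    """Direct parents of row i_res over the given columns (default: all)."""
    _check_row(table, i_res)
    cols = range(len(table[0])) if columns is None else columns
    return sorted({table[i_res][j] for j in cols if table[i_res][j] != 0})


def collect_ancestor_nodes(table, i_res, cols, seen, path):
    """Recursive collector: follow every non-zero parent cell of i_res.

    seen - ancestors found so far (shared ancestors are reached more than once)
    path - rows on the current recursion path, used to reject cycles
    """
    for parent in parents(table, i_res, cols):
        _check_row(table, parent)  # dangling parent reference
        if parent in path:
            raise ValueError(f"cycle through row {parent}")
        if parent in seen:
            continue
        seen.add(parent)
        collect_ancestor_nodes(table, parent, cols, seen, path | {parent})


def ancestors(table, i_res, columns=None):
    """All ancestors of row i_res, as a sorted list of row numbers."""
    _check_row(table, i_res)
    cols = list(range(len(table[0]))) if columns is None else list(columns)
    seen = set()
    collect_ancestor_nodes(table, i_res, cols, seen, {i_res})
    return sorted(seen)


def max_parents(table, columns):
    """Largest number of parents any row has within the given columns."""
    return max(
        (len(parents(table, i, columns)) for i in range(1, len(table))),
        default=0,
    )


def is_well_formed(table):
    """True if every row's ancestor walk terminates without a bad reference."""
    try:
        for i in range(1, len(table)):
            ancestors(table, i)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    dag7 = dag_columns(SAMPLE, 7)
    print("DAG 7 columns:", dag7, "width needed:", max_parents(SAMPLE, dag7))
    print("ancestors of 5, all columns:", ancestors(SAMPLE, 5))
    print("ancestors of 5, DAG 7 only:", ancestors(SAMPLE, 5, dag7))
    print("ancestors of 5, one DAG slot:", ancestors(SAMPLE, 5, [1]))
```

Restricting the walk to a single slot of DAG 7 (`ancestors(SAMPLE, 5, [1])`) returns rows 2 and 4 and misses row 3, which is the single-parent limitation raised earlier in the thread.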


  • 6.  Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded

    Posted 04-06-2009 07:00
    Ok, thanks Rich.
    
    I can edit it in, but I still would like to keep it non-normative. If we 
    make it normative, we have two normative specifications for the same 
    thing: 1) The current textual description, 2) the pseudo code. I prefer 
    that the textual description is the normative one.
    
    Best regards,
    Erik
    
    
    


  • 7.  Re: [xacml] Groups - Hierarchical Resource Profile WD 8 (xacml-3[1].0-hierarchical-v1-spec-wd-08-en-01.doc) uploaded

    Posted 04-07-2009 03:05
    Hi Erik,
    
    I have just submitted version "8b", which I recommend that you edit in 
    instead of the version "8a" posted yesterday. This version includes the 
    DAGs using a recursive ancestor collector, which operates on both 
    hierarchies and DAGs.
    
    I agree that we can include it as "non-normative" because I realize that 
    people will need time to review it, and it will probably take some time 
    before there is general agreement (if we, in fact, ever do reach that 
    point) that the algorithm as specified, or some variant thereof, 
    accurately represents the general problem being addressed by the 
    profile. Regardless, I think the algorithm is instructive, and adds 
    useful cognitive information to the spec, and, personally, I find it 
    conceptually essential in order to fully understand what the specifics 
    of the profile actually mean.
    
        Thanks,
        Rich
    
    
    Erik Rissanen wrote:
    > Ok, thanks Rich.
    >
    > I can edit it in, but I still would like to keep it non-normative. If 
    > we make it normative, we have two normative specifications for the 
    > same thing: 1) The current textual description, 2) the pseudo code. I 
    > prefer that the textual description is the normative one.
    >
    > Best regards,
    > Erik
    >
    > Rich.Levinson wrote:
    >> Hi Erik,
    >>
    >> Ok, I agree your update was to WD 7, I misread something and was 
    >> mistaken.
    >>
    >> I am fine if you want to do the changes to WD 8 and make a WD 9. The 
    >> only change is the addition of section 3.3.1 (also, please change the 
    >> line in p-code that says: collectAncestorNodes() to 
    >> collectAncestorNodes(int iRes) - I forgot the parameter). If you 
    >> prefer, I can do the update myself based on your WD 8.
    >>
    >> I pointed out in the notes following the p-code that the multi-parent 
    >> (DAG) case can be handled with an enhancement.
    >>
    >> I am considering doing an update with that enhancement, for full 
    >> generality, however, what is currently there, in principle, 
    >> theoretically could work with a DAG expanded to single parent 
    >> hierarchies, but I do not want to incorporate that capability in that 
    >> manner as it is overly verbose and could lead to unnecessary confusion.
    >>
    >> The alternative is a slightly more sophisticated recursive algorithm 
    >> to handle the DAG as a minimum width set of columns, where the min is 
    >> equal to number of parents in the node(s) of the DAG that has the 
    >> maximum number of parents compared to any other nodes in the DAG.
    >>
    >> The fact that it is modeled as an array, imo, does not make it less 
    >> general since any concrete hierarchy or DAG can be mapped to this 
    >> array model. I chose this approach, because I consider it easy to 
    >> understand: each row represents a resource, and the row contains 
    >> entries for the hierarchies in which the resource can be a member. If 
    >> the value in an element of the row is zero, the resource is not a 
    >> member of that hierarchy. Basically, the row can be considered to 
    >> contain the list of memberships in the organization's hierarchies 
    >> that this particular resource participates in, where a membership is 
    >> indicated by a non-zero value identifying the row number of the 
    >> resource's parent in that hierarchy. For DAGs, row zero will contain 
    >> DAG-ids, and all columns with the same DAG-id are in the same DAG. 
    >> If DAG-id is zero, then the column is a single parent hierarchy.
    >>
    >>    Thanks,
    >>    Rich
    >>
    >>
    >> Erik Rissanen wrote:
    >>> Hi Rich,
    >>>
    >>> I can do the wd 9 by merging in the things from your document into 
    >>> my wd 8 which contains many changes based on the OASIS checklist. 
    >>> And my wd 8 is based on the WD 7 posted by Hal and does have the 
    >>> changes made by him.
    >>>
    >>> What I mean is that the pseudo code works only if one has one's 
    >>> hierarchy stored as an array in that particular format. Another 
    >>> problem with the pseudo code is that it assumes that each node only 
    >>> has one parent, which is a limitation compared to what the profile 
    >>> can apply to.
    >>>
    >>> And, in the end, I don't think pseudo code contributes much in this 
    >>> case. I think it is clear enough already that the attribute 
    >>> "ancestors" will contain ancestors, the attribute "parents" will 
    >>> contain parents, and so on.
    >>>
    >>> Best regards,
    >>> Erik
    >>>
    >>> Rich.Levinson wrote:
    >>>> Hi Erik,
    >>>>
    >>>> I can issue a WD 9. However, I checked the .zip file and that has a 
    >>>> WD 8 that was created based on WD 6, which means that the changes 
    >>>> Hal made in WD 7 are missing. So, I will hold off until you advise 
    >>>> about what is to happen to the WD 7 changes:
    >>>> http://lists.oasis-open.org/archives/xacml/200904/msg00000.html
    >>>>
    >>>> On the subject of the p-code, I believe the array representation is 
    >>>> fully general in that any set of hierarchies can be represented in 
    >>>> the arrays as shown. i.e. there are N resources total and M 
    >>>> hierarchies defined on the resources. Each column represents one 
    >>>> hierarchy.
    >>>>
    >>>> As indicated the case of DAG can be handled by allocating as many 
    >>>> columns as necessary so that the number of columns is equal to the 
    >>>> width corresponding to the max # of parents any node in the DAG 
    >>>> has. There is then room for the parents of any node so one then 
    >>>> just lists all parents of each node in the DAG in slots within the 
    >>>> row allocated to the DAG.
    >>>>
    >>>> This model is not intended to represent a suggested implementation, 
    >>>> however, it is designed to be fully general to accommodate any 
    >>>> collection of resources which is organized with any set of 
    >>>> hierarchies or DAGs applied to it.
    >>>>
    >>>> i.e. it is not intended to be an example, it is a general model 
    >>>> with which any example can be represented.
    >>>>
    >>>>    Thanks,
    >>>>    Rich
    >>>>
    >>>>
    >>>> Erik Rissanen wrote:
    >>>>> Hi Rich and all,
    >>>>>
    >>>>> To avoid any confusion, I would just point out there are now two 
    >>>>> different wd 8 out there. The other is in the zip file which I 
    >>>>> posted yesterday. That one contains editorial cleanups.
    >>>>>
    >>>>> I think the pseudocode should be non-normative and considered an 
    >>>>> example only because this pseudocode applies only to those cases 
    >>>>> where the resource hierarchies are stored in arrays like that.
    >>>>>
    >>>>> Best regards,
    >>>>> Erik
    >
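
The array model and recursive ancestor collector discussed in this thread, as an added Python sketch that is not the profile's p-code and not code from either poster. The sample table, the helper names, and the choice to follow every column at every step are assumptions; only the row/column layout, the meaning of zero, row zero as DAG-ids, and the name collectAncestorNodes(iRes) come from the messages above.

```python
# Constructed sample: resources are rows 1..6, columns are hierarchies.
# Row 0 holds DAG-ids: columns 0 and 1 share DAG-id 1 (one DAG whose widest
# node has two parents); column 2 has DAG-id 0, a single-parent hierarchy.
HIER = [
    [1, 1, 0],  # row 0: DAG-id per column
    [0, 0, 0],  # 1: no parent entries (a root in this sample)
    [1, 0, 0],  # 2: parent is row 1
    [1, 0, 0],  # 3: parent is row 1
    [2, 3, 5],  # 4: parents 2 and 3 in the DAG, parent 5 in column 2
    [0, 0, 0],  # 5: no parent entries
    [4, 0, 0],  # 6: parent is row 4
]

def column_groups(table):
    """Group columns by row zero: equal non-zero DAG-ids form one DAG,
    a DAG-id of zero makes the column its own single-parent hierarchy."""
    groups = {}
    for col, dag_id in enumerate(table[0]):
        key = ("dag", dag_id) if dag_id else ("hier", col)
        groups.setdefault(key, []).append(col)
    return groups

def parents(table, i_res):
    """Parent rows of resource i_res per group; zero means 'not a member'."""
    if not 1 <= i_res < len(table):
        raise ValueError(f"no such resource row: {i_res}")
    out = {}
    for key, cols in column_groups(table).items():
        found = sorted({table[i_res][c] for c in cols if table[i_res][c]})
        if found:
            out[key] = found
    return out

def collect_ancestor_nodes(table, i_res, seen=None):
    """Recursive collector; the visited set lets shared DAG ancestors be
    walked once and guarantees termination on malformed (cyclic) input."""
    seen = set() if seen is None else seen
    for group_parents in parents(table, i_res).values():
        for p in group_parents:
            if p not in seen:
                seen.add(p)
                collect_ancestor_nodes(table, p, seen)
    return seen

def ancestors(table, i_res):
    """Sorted ancestor rows; rejects a cycle that passes through i_res."""
    found = collect_ancestor_nodes(table, i_res)
    if i_res in found:
        raise ValueError(f"cycle through resource {i_res}")
    return sorted(found)
```

A parent entry that points outside the table raises ValueError during the walk, so a corrupted row fails closed instead of silently dropping an ancestor from the set a policy would be evaluated against.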