Subject: RE: [xacml] XACML Profile for Hierarchical Resources, WD 8
Couple comments
1. For the non-XML hierarchy, we either need to add to the definition of
the resource-ancestor, that it does include the resource-id of the
resource itself. It is important for the use case of policies
applicable to a resource itself and all its children: so you do not need
to write two rules.
OR (probably preferably, as it fits along with XQuery/XPath axes
definitions): add definition for
urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self
"For each ancestor of the node specified in the "resource-id" attribute
or attributes, and for each normative representation of that ancestor
node, an <Attribute> element with AttributeId
"urn:oasis::names:tc:xacml:2.0:resource:resource-ancestor-or-self".
The <AttributeValue> of this <Attribute> SHALL be the result of applying
urn:oasis:names:tc:xacml:1.0:function:type-union function to the
contents of
"resource-id" and "resource-ancestor" attributes, where the "type" is
selected according to the used datatype of those attributes."
2. We need to mention in the definition of "resource-ancestor", that it cannot
be guaranteed to be computed by recursively combining
"resource-parent" values. Parent of a parent is not necessarily defined
as an ancestor in our case (this is to avoid circular reference and
other problems). That may seem odd, but we should not impose
unnecessary requirements on the structure.
Daniel;
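
An added example, not part of the original message or of the profile: a Python sketch of both comments. It builds "resource-ancestor-or-self" as the union of the supplied "resource-id" and "resource-ancestor" values so that one rule covers a node and everything below it, and it shows that recursively combining "resource-parent" values can give a different set. The paths, the dict-based request model and the function names are assumptions made for illustration.

```python
# Added illustration: constructed paths, hypothetical dict-based request model.
PARENT_OF = {  # resource-parent values; note the /docs/hr <-> /mirror cycle
    "/docs/hr/salaries.xls": ["/docs/hr"],
    "/docs/hr": ["/docs", "/mirror"],
    "/mirror": ["/docs/hr"],
}
REQ_FILE = {
    "resource-id": ["/docs/hr/salaries.xls"],
    "resource-parent": ["/docs/hr"],
    "resource-ancestor": ["/docs/hr", "/docs"],  # as declared, not derived
}
REQ_DIR = {
    "resource-id": ["/docs/hr"],
    "resource-parent": ["/docs", "/mirror"],
    "resource-ancestor": ["/docs"],
}

def type_union(*bags):
    """Union of bags with duplicates eliminated, as XACML type-union does."""
    out = []
    for bag in bags:
        for value in bag:
            if value not in out:
                out.append(value)
    return out

def ancestor_or_self(request):
    """Proposed attribute: union of resource-id and resource-ancestor."""
    return type_union(request["resource-id"], request["resource-ancestor"])

def rule_applies(target, request):
    """A single rule covering `target` and everything below it."""
    return target in ancestor_or_self(request)

def parent_closure(start, parent_of):
    """Recursive combination of resource-parent values (comment 2)."""
    seen, stack = set(), list(parent_of.get(start, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(parent_of.get(node, []))
    return seen

if __name__ == "__main__":
    print(ancestor_or_self(REQ_FILE))
    print(rule_applies("/docs/hr", REQ_FILE), rule_applies("/docs/hr", REQ_DIR))
    print(sorted(parent_closure("/docs/hr/salaries.xls", PARENT_OF)))
```

With "resource-ancestor" alone, the rule on "/docs/hr" would match the file but not the directory itself, which is the two-rule situation the first comment describes.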