OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded

    Posted 01-21-2014 16:48
    Submitter's message:

    Updates the hierarchical profile to the current OASIS document template. There are no changes in the content, except to fit the new template and:

    - I added a subsection 1.1 to make it clear that the non-normative statement only applies to it, not the rest of section 1.
    - Changed incorrect reference to RFC2396 to the correct RFC3986
    - I had forgotten to specify Rich as a co-editor when I requested the template, so I added him (I hope this does not break any TC admin metadata tracking)
    - I did a search for glossary terms and ended up marking some which were not highlighted in the previous version.
    - I fixed a few minor typos which I found.

    -- Erik Rissanen

    Document Name: xacml-3.0-hierarchical-v1.0-wd14.doc
    No description provided.
    Submitter: Erik Rissanen
    Group: OASIS eXtensible Access Control Markup Language (XACML) TC
    Folder: Specifications and Working Drafts
    Date submitted: 2014-01-21 08:47:38


  • 2.  RE: [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded

    Posted 01-22-2014 04:00
    Thanks Erik.

    I am wondering if the work on Nested and Related Entities can influence this profile. It seems to me that “hierarchies” can be considered special cases of “related entities”. This might be something we can think about and discuss at the next TC call.

    Regards,
    Mohammad Jafari, Ph.D.
    Security Architect, Edmond Scientific Company


  • 3.  Re: [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded

    Posted 01-22-2014 10:28
    Hi,

    Maybe, what did you have in mind?

    However, it might make sense to keep this profile as it is since these schemes stand on their own in any case, and some of them are foundations for the multiple decision profile, so we would be impacting that profile as well. The multiple decision profile is one of those which I think is important to close off since it means implementation effort in terms of code in the PDP, so it's not nice for vendors to have it in flux.

    If there are possibilities from the entities profile, it might make sense to put those options in that profile since the entities profile will be an implementation effort regardless.

    Best regards,
    Erik


  • 4.  Re: [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded

    Posted 01-22-2014 23:34
    Hi Mohammad, Erik,

    I would like to know what Mohammad has in mind as well, because I suspect the hierarchical profile may be applicable in some relevant sense, although I also agree that in this context we should refer to it rather than try to change it.

    Thanks,
    Rich

    --
    Rich Levinson
    Internet Standards Security Architect
    Oracle Identity Management


  • 5.  Re: [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded

    Posted 01-30-2014 05:05
    Hi Mohammad,

    On 22/01/2014 3:00 PM, Mohammad Jafari wrote:
    > Thanks Erik. I am wondering if the work on Nested and Related Entities can influence this profile.

    Probably not. Insofar as they overlap, I think the entities profile and the hierarchical profile should be considered to be alternative approaches to the same problem space, with some notable differences.

    > It seems to me that “hierarchies” can be considered special cases of “related entities”.

    Related entities can form an arbitrary graph, of which the hierarchies defined by the hierarchical profile are a special case. Trees can also be represented by nested entities.

    Here are the differences as I see them.

    From the perspective of the entities profile, the resource-parent, resource-ancestor and resource-ancestor-or-self attributes are flattened attributes. They flatten the resource-id attributes of the ancestor nodes into the resource category. This is the only information from the ancestor nodes of non-XML hierarchies that can be tested by an XACML policy using the hierarchical profile. Additional flattened attributes could be defined, but that would introduce the correlation issues inherent to the use of flattened attributes.

    The entities profile allows any attributes of related nodes to be tested by explicit reference to the links between nodes. Those explicit references are a limitation compared to the hierarchies profile in that the resource-ancestor and resource-ancestor-or-self attributes are defined by the transitive closure of the child-parent relationship, but the entities profile doesn't address transitive closure.

    A hierarchy represented as an XML document could also be represented by nested entities. The content-selector attribute has been defined by the hierarchical profile to select the node in the hierarchy that is the resource. I haven't defined anything like that in the entities profile. The content-selector attribute uses XPath expressions. The analogue for nested entities would be an XACML expression, which would be a new data-type. I don't think that is worth doing since the situation can be handled with related entities instead of nested entities; the resource category <Attributes> element would contain the resource node and the higher and lower nodes in the hierarchy would be in other <Attributes> elements (i.e., other entities) linked by URI values.

    In all, I don't see a need to change the hierarchical profile because of the entities profile. There is perhaps something that the multiple decision profile could say about a request for multiple decisions involving multiple entities, but that could be defined in the entities profile instead, if at all.

    Regards,
    Steven

    > This might be something we can think about and discuss at the next TC call.

    > Document Name: xacml-3.0-hierarchical-v1.0-wd14.doc <https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=52014>
    > Download Latest Revision <https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/52014/latest/xacml-3.0-hierarchical-v1.0-wd14.doc>
    > Public Download Link <https://www.oasis-open.org/committees/document.php?document_id=52014&wg_abbrev=xacml>
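
An added illustration of the distinction drawn in the message above (not code from the thread or from either profile): a simplified Python model of the flattened ancestor bags, the correlation problem that extra flattened attributes would bring, and link-by-link traversal without transitive closure. The three-node hierarchy, the `owner` and `label` attributes, the `urn:ex:` identifiers and all function names are assumptions constructed for the example.

```python
# Constructed sample hierarchy (not from the thread): each node is one entity
# with its own attributes and explicit "parent" links given as URI values.
NODES = {
    "urn:ex:root":    {"parent": [],              "owner": "alice", "label": "public"},
    "urn:ex:hr":      {"parent": ["urn:ex:root"], "owner": "bob",   "label": "secret"},
    "urn:ex:hr/plan": {"parent": ["urn:ex:hr"],   "owner": "carol", "label": "public"},
}

def ancestors(node_id, nodes=NODES):
    """Transitive closure of the child-parent relationship (cycle-safe)."""
    seen, stack = set(), list(nodes[node_id]["parent"])
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(nodes[cur]["parent"])
    return seen

def hierarchical_attributes(node_id, nodes=NODES):
    """Bags of ancestor resource-ids, modelled on the attributes named above."""
    anc = ancestors(node_id, nodes)
    return {
        "resource-parent": set(nodes[node_id]["parent"]),
        "resource-ancestor": anc,
        "resource-ancestor-or-self": anc | {node_id},
    }

def flattened_match(node_id, owner, label, nodes=NODES):
    """Hypothetical extra flattened bags (ancestor owners, ancestor labels).
    Each bag is tested on its own, so values from different nodes can combine."""
    anc = ancestors(node_id, nodes)
    owners = {nodes[a]["owner"] for a in anc}
    labels = {nodes[a]["label"] for a in anc}
    return owner in owners and label in labels

def linked_match(node_id, owner, label, hops, nodes=NODES):
    """Follow explicit parent links a fixed number of hops (no closure) and
    test both attributes on the same related entity."""
    frontier = [node_id]
    for _ in range(hops):
        frontier = [p for n in frontier for p in nodes[n]["parent"]]
    return any(nodes[n]["owner"] == owner and nodes[n]["label"] == label
               for n in frontier)
```

In this model `flattened_match("urn:ex:hr/plan", "alice", "secret")` is true although no single ancestor is both owned by alice and labelled secret, whereas `linked_match` tests one entity at a time but has to be told how many links to follow.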


  • 6.  RE: [xacml] Groups - xacml-3.0-hierarchical-v1.0-wd14.doc uploaded

    Posted 02-06-2014 17:06
    +1

    Hal