OASIS eXtensible Access Control Markup Language (XACML) TC

> There are many way to create hierarchical structures.   If we are to 
> publish anything, I think it should be the most generic one that does 
> not introduce any additional concepts to the XACML (like naming schemes 
> and such).

I agree with Daniel on this point. One of the strengths of the XACML 
core (in my opinion) is that it deals with a policy processing model, 
not the specifics of how XACML systems interact with the world around them.

The idea of generic hierarchies is that a PEP should be able to name a 
root, and that should result in a PDP processing multiple requests. How 
that mapping happens is up to some entity outside the scope of XACML. It 
seems to me like what we're really talking about in this thread is a 
profile for specific mechanisms or more detailed examples of actual 
implementation possibilities. I think this kind of clarity is great to 
have, but should be in a separate place from the abstract discussion of 
hierarchies (which I think is also Daniel's point). I also think Erik's 
suggestion makes sense: we should continue to look at these details, but 
move the core docs forward separately.


seth

I think the current profile suffers a lot from our decision to use it  
for both XML/XPath based and attribute based approaches.    They are  
distinct enough to be done separately, but we did not have enough  
cycles to do that.

Maybe it is a good time to split and formalize the attribute -based  
approach a bit more - in particular remove any requirements for  
identifiers and any references to URI's.



Daniel;


On Feb 18, 2009, at 10:29 AM, Seth Proctor wrote:

>
>> There are many way to create hierarchical structures.   If we are  
>> to publish anything, I think it should be the most generic one  
>> that does not introduce any additional concepts to the XACML (like  
>> naming schemes and such).
>
> I agree with Daniel on this point. One of the strengths of the  
> XACML core (in my opinion) is that it deals with a policy  
> processing model, not the specifics of how XACML systems interact  
> with the world around them.
>
> The idea of generic hierarchies is that a PEP should be able to  
> name a root, and that should result in a PDP processing multiple  
> requests. How that mapping happens is up to some entity outside the  
> scope of XACML. It seems to me like what we're really talking about  
> in this thread is a profile for specific mechanisms or more  
> detailed examples of actual implementation possibilities. I think  
> this kind of clarity is great to have, but should be in a separate  
> place from the abstract discussion of hierarchies (which I think is  
> also Daniel's point). I also think Erik's suggestion makes sense:  
> we should continue to look at these details, but move the core docs  
> forward separately.
>
>
> seth

  


Hi Seth and Daniel,


It appears to me that this discussion is starting to take a trajectory
independent of what is currently in the Hierarchical resource profile.
This profile, as specified in the abstract and throughout discusses the
procedures for dealing with resources that are structured as
hierarchies and are represented by one of two types of "nodes in a
hierarchy".


  
In one type the resources are represented as "nodes in XML
documents".
  
In the other type, the resources are represented "in some non-XML
way".

If that was the end of the spec, then maybe I would agree with your
opinions on how "generic" you are suggesting the non-XML way should be.
However, when you get past the front cover, you quickly come on section
2.2 which states the following:


  
The identity of a node in a hierarchical resource that is not
represented as an XML document instance SHALL be represented as a URI
that conforms to [RFC2396]. Such URIs are of the following form.

<scheme> “:” <authority> “/” <pathname>

In case one thinks that is not specific enough wrt to how it relates to
hierarchy, section 2.2 goes on to state:


  
The <pathname> portion of the URI SHALL be of the form

<root name> [ “/” <node name> ]*

The sequence of <root name> and <node name> values SHALL
correspond to the individual hierarchical component names of ancestors
of the represented node along the path from a <root> node to the
represented node.

Finally, section 4, that describes how to state policies that apply to
nodes says in section 4.1:


  
The representations of the identities of these parents,
ancestors, or self will not necessarily indicate the path from the root
of the hierarchy to the respective parent, ancestor, or self unless the
representation recommended in Section 3.2(should say 2.2): Nodes
in a resource that is not an XML document is used.

and for the specifically non-XML resource case in section 4.3:


  
For hierarchical resources that are not represented as XML
document instances, and where the URI representation of nodes specified
in Section 2 of this Profile is used, the following functions
described in the XACML 2.0 Specification [XACML] MAY be used to state
policies that apply to one or more nodes in that resource.
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal

urn:oasis:names:tc:xacml:1.0:function:regexp-uri-match

  (should be ...2.0:function:anyURI-regexp-match)

My whole purpose in pursuing this thread has been to correct what I
perceive as a flaw in the spec which to a large degree is the result of
not showing in section 3.2 how URIs can be used as an alternative to
the specific algorithms bulleted in section 3.2.

With URIs you do not need the algorithms because the URIs representing
the normative identities of the requested node already contain:


  
"each normative representation of the requested node"
  
"each immediate parent of the node specified"
  
"each ancestor of the node specified"

Nothing else is needed. Note however, that doing the analysis with URIs
points out what might be considered to be a flaw in the bulleted
algorithms. The bulleted algorithms require obtaining all parents of
the requested node's parent on up the line, regardless of whether those
additional parents are connected to the requested node by an explicit
hierarchical relationship or not.


i.e. the bulleted scheme implicitly forces the requested node to
collect ancestors that have not been structurally assigned any direct
relationship to the requested node. When hierarchies are used to
represent lines of authority, these additional relationships are not
relevant and obscure the real lines of authority which are generally
what is of interest in enterprise security.


With the URI scheme it would be simple enough to collect these
extraneous ancestors if they were desired for some reason, by simply
using the bulleted algorithms as is, and using URIs found in ancestors
that are not on the requested node's direct path.


However, it is my opinion, that the primary purpose of these
specifications is to inform consumers of these specifications on the
capabilities contained within the spec so that they may then apply
those capabilities to meet their needs.


By only including the bulleted ancestor algorithms in section
3.2, the capabilities of URI, which are clearly specified in the rest
of the spec, and were included in the example document in the XACML
archive (see section 4.2, 4.3 of
http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf),
we are effectively making the URI capability so obscure in the spec
as to be unusable.


The inclusion of the URI in the spec was an essential part of its
creation, although there was not universal agreement as to whether it
should be included, as described in this email:

http://lists.oasis-open.org/archives/xacml/200405/msg00104.html


The fact is that URI was included and it remains there, and from my
perspective represents an extremely significant ease of use capability.
The purpose of my next round of planned changes is to bring the URI out
of the darkness so that a reader of section 3.2 will be aware of its
availability. This also fills the hole between the URI descriptions in
sections 2.2 and 4.3 as URI relates to nonXML resources.


Again, my proposed changes do not change any functionality, they simply
explain the capabilities that are currently there, which because of the
obscure representation of the existing functionality in the current
spec are nearly impossible to understand.


    Thanks,

    Rich



Seth Proctor wrote:
499C53A6.9050409@sun.com" type="cite">

  
There are many way to create hierarchical
structures.   If we are to publish anything, I think it should be the
most generic one that does not introduce any additional concepts to the
XACML (like naming schemes and such).

  


I agree with Daniel on this point. One of the strengths of the XACML
core (in my opinion) is that it deals with a policy processing model,
not the specifics of how XACML systems interact with the world around
them.


The idea of generic hierarchies is that a PEP should be able to name a
root, and that should result in a PDP processing multiple requests. How
that mapping happens is up to some entity outside the scope of XACML.
It seems to me like what we're really talking about in this thread is a
profile for specific mechanisms or more detailed examples of actual
implementation possibilities. I think this kind of clarity is great to
have, but should be in a separate place from the abstract discussion of
hierarchies (which I think is also Daniel's point). I also think Erik's
suggestion makes sense: we should continue to look at these details,
but move the core docs forward separately.



seth


---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

With URIs you do not need the algorithms because the URIs representing the normative identities of the requested node already contain:
 
  
"each normative representation of the requested node"
  
"each immediate parent of the node specified"
  
"each ancestor of the node specified"
 
 Nothing else is needed. Note however, that doing the analysis with URIs points out what might be considered to be a flaw in the bulleted algorithms. The bulleted algorithms require obtaining all parents of the requested node's parent on up the line, regardless of whether those additional parents are connected to the requested node by an explicit hierarchical relationship or not.


No, much more is needed.   There may be more then one immediate parent.    Ancestor nodes may use a different naming convention.    There is no need to force them to be on the same tree.

URI approach is not generic enough.  It is not a viable substitute for a generic profile.

 i.e. the bulleted scheme implicitly forces the requested node to collect ancestors that have not been structurally assigned any direct relationship to the requested node. When hierarchies are used to represent lines of authority, these additional relationships are not relevant and obscure the real lines of authority which are generally what is of interest in enterprise security.


The text in bold is incorrect.   This profile has nothing to do with lines of authority.   You are bringing in a completely unrelated concept.


 However, it is my opinion, that the primary purpose of these specifications is to inform consumers of these specifications on the capabilities contained within the spec so that they may then apply those capabilities to meet their needs.


Yes, and does its job without any URI naming schemes.


 By only including the bulleted ancestor algorithms in section 3.2, the capabilities of URI, which are clearly specified in the rest of the spec, and were included in the example document in the XACML archive (see section 4.2, 4.3 of http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf), we are effectively making the URI capability so obscure in the spec as to be unusable.


That is an assertion that I strongly disagree with.    It is not unusable.     



 Again, my proposed changes do not change any functionality, they simply explain the capabilities that are currently there, which because of the obscure representation of the existing functionality in the current spec are nearly impossible to understand.


It does change functionality.    It introduces an unrelated and burdensome concept of hierarchical naming scheme, and it reduces the flexibility of the approach.


Daniel;

  


Daniel, Seth, Erik, and TC,


As should be seen from my replies in line, it appears to me the
fundamental point of disagreement here is about the definition of the
term "hierarchy". If we stick to the generally accepted definition that
an object in a hierarchy can have at most one parent, then a URI solves
the problem without having to look beyond the URI itself (a rather
remarkable and powerful property). If we define a forest to be a
collection of hierarchies, where, like in a forest, even though the
members are intertwined, they do not lose their identity, then each
node having a set of URIs as its normative identifiers solves the
problem, as all the parents, ancestors, are self-contained in the set
of URIs.


However, if we allow the hierarchies to break down and lose their
inherent hierarchical properties, then more complicated approaches,
such as going outside the initial request context to get more nodes,
although still solvable w URIs as demo'd below, are needed.


Again, I am not trying to add or change any of the existing
functionality, which, as described below is currently designed to
address the "more complicated than hierarchies" problem. I think one of
the main problems with the spec is that it leads you to think you are
addressing a problem related to hierarchies, yet the solution described
is much more general than that, which, imo, is misleading, unless it is
appropriately documented as such. And if the resources under
consideration are not identified by hierarchical names then the
approach currently in the spec, qualified by whether it is strict
hierarchies or hierarchies obscured by non-hierarchical relations that
are incidentally introduced when using multiple hierarchies and not
keeping track of the origin of each hierarchy.


However, I do want to show by example how the strictly defined
hierarchy and forest of hierarchies, that each retain their initial
hierarchy properties, is addressed using URIs along the lines of the
example document that is in the archives and referenced below.


    Thanks,

    Rich (additional replies inline below)


Daniel Engovatov wrote:
daniel@streamdynamics.com,FC725CD6-9BC5-4AF3-B820-21EC4" type="cite">

  


With URIs you do not need the algorithms because the URIs representing
the normative identities of the requested node already contain:

"each normative representation of the requested node"

"each immediate parent of the node specified"

"each ancestor of the node specified"

Nothing else is needed. Note however, that doing the analysis with URIs
points out what might be considered to be a flaw in the bulleted
algorithms. The bulleted algorithms require obtaining all parents of
the requested node's parent on up the line, regardless of whether those
additional parents are connected to the requested node by an explicit
hierarchical relationship or not.


  


No, much more is needed.   There may be more then one immediate
parent.    Ancestor nodes may use a different naming convention.   
There is no need to force them to be on the same tree.


This may be at the core of this issue. In a hierarchy, an node can have
at most one parent. A node can belong to more than one hierarchy, in
which case it has one parent for each hierarchy it belongs to. As soon
as we start defining structures  where the normative identity of a node
can have more than one parent directly related to it, we are no longer
talking about hierarchies, but some other more general structure.
However, this is the "Hierarchical Resource Profile", where the subject
is to


  
provide access control for a resource that is organized as a
hierarchy.

I agree if we try to develop solutions for more complicated problems
then "much more" will probably be needed. But if we are dealing with
hierarchies, the URI fully defines the necessary capabilities.

daniel@streamdynamics.com,FC725CD6-9BC5-4AF3-B820-21EC4" type="cite">

URI approach is not generic enough.  It is not a viable substitute for
a generic profile.


But this is not a "generic profile" it is the "Hierarchical profile".

daniel@streamdynamics.com,FC725CD6-9BC5-4AF3-B820-21EC4" type="cite">

  
i.e. the bulleted scheme implicitly forces
the requested node to collect ancestors that have not been structurally
assigned any direct relationship to the requested node. When
hierarchies are used to represent lines of authority, these additional
relationships are not relevant and obscure the real lines of authority
which are generally what is of interest in enterprise security.


  


The text in bold is incorrect.   This profile has nothing to do with
lines of authority.   You are bringing in a completely unrelated
concept.


It is simply a concrete real world realization of the notion of
hierarchy used for illustrative purposes to give people context to help
them understand the nature of the problem that is being addressed.


daniel@streamdynamics.com,FC725CD6-9BC5-4AF3-B820-21EC4" type="cite">


  
However, it is my opinion, that the primary
purpose of these specifications is to inform consumers of these
specifications on the capabilities contained within the spec so that
they may then apply those capabilities to meet their needs.


  


Yes, and does its job without any URI naming schemes.


However, it does the job in a much more difficult to understand manner,
which is probably because it is a mechanism that appears to be intended
more complex problems than hierarchies.

daniel@streamdynamics.com,FC725CD6-9BC5-4AF3-B820-21EC4" type="cite">


  
By only including the bulleted ancestor
algorithms in section 3.2, the capabilities of URI, which are clearly
specified in the rest of the spec, and were included in the example
document in the XACML archive (see section 4.2, 4.3 of
http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf),
we are effectively making the URI capability so obscure in the spec as
to be unusable.


  


That is an assertion that I strongly disagree with.    It is not
unusable.


I agree. That is an overstatement. I should have said "so obscure as to
be unusable in the normal manner one would expect to use URIs", which
is shown in the example document that was part of the process of
developing this specification:

http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf


daniel@streamdynamics.com,FC725CD6-9BC5-4AF3-B820-21EC4" type="cite">


  


Again, my proposed changes do not change any functionality, they simply
explain the capabilities that are currently there, which because of the
obscure representation of the existing functionality in the current
spec are nearly impossible to understand.


  


It does change functionality.    It introduces an unrelated and
burdensome concept of hierarchical naming scheme, and it reduces the
flexibility of the approach.



Again, I have to repeat that I am not "introducing" the URI scheme. It
is already there in sections 2.2, 4.1, 4.3 with explicit descriptions
of how it can be used. What's missing is an operational description of
how it can be used in section 3.2.

Furthermore, it does not reduce any functionality related to
hierarchies, but I agree that in its most basic form it would not solve
the more general non-hierarchical problem. However, as explained in
previous email, that is easily corrected, by "going out" and getting
the non-hierarchical guests that are collected in its ancestors. In its
basic form, intended to address the pure problem of a forest of
multiple hierarchies, it does not need to "go out" for anything,
because all the required information is contained in the normative
identities of the requested node.

daniel@streamdynamics.com,FC725CD6-9BC5-4AF3-B820-21EC4" type="cite">

Daniel;

On Feb 18, 2009, at 3:05 PM, Rich.Levinson wrote:

> Daniel, Seth, Erik, and TC,
>
>  If we stick to the generally accepted definition that an object in  
> a hierarchy can have at most one parent, then a URI solves the  
> problem without having to look beyond the URI itself

It is NOT a generally accepted definition and we did not stick to it  
on purpose.


> However, if we allow the hierarchies to break down and lose their  
> inherent hierarchical properties, then more complicated approaches,  
> such as going outside the initial request context to get more  
> nodes, although still solvable w URIs as demo'd below, are needed.
>

It is NOT "broken down"


> Again, I am not trying to add or change any of the existing  
> functionality,

You are proposing an addition that is a subset of the more general  
approach.

I understand that you favor a different approach to this problem.     
It may be worth our while to create a separate profile for such an  
approach, but I do not see any reason to muddy the existing one.


Daniel;

  


Hi Daniel and TC,


Hopefully, those who have followed the details of these emails
recognize that each step in the sequence has advanced the discussion in
a consistent manner and as a result we have done a fairly thorough job
of mapping out the problem space that is under discussion. In any event
I believe my comments in this email continue to advance the discussion
in a worthwhile manner, and I think will describe the complete problem
space as well as give a clear description of the options available, all
of which offer full functionality.


In the current phase, if I am not mistaken, it is a straight-forward
matter to apply definitions to the distinct categories of problems and
simply observe that we have two sets of tools which are equally
effective at solving each category of problem, where


  
one set of tools (let's call it the "ancestor method") is most
effective when one is dealing with resources where it is not possible
or desirable to apply URIs as normative identifiers
  
a second set of tools (let's call it the "URI method") which is
available when one is dealing with resources where URIs can be applied
as normative identifiers, and the designers want to take advantage of
the powerful features inherent in URI objects, esp when applied to
hierarchical problems.

Let me address Daniel's points below, then try to summarize the present
state of the discussion:


Daniel Engovatov wrote:
daniel@streamdynamics.com,44669005-E297-4A36-910E-FC8D0" type="cite">

On Feb 18, 2009, at 3:05 PM, Rich.Levinson wrote:


  
Daniel, Seth, Erik, and TC,


 If we stick to the generally accepted definition that an object in a
hierarchy can have at most one parent, then a URI solves the problem
without having to look beyond the URI itself

  


It is NOT a generally accepted definition and we did not stick to it on
purpose.



Whether it is generally accepted or not is probably not important here,
however, it is consistent with the structure of XML documents, such
that when we are talking about a "single hierarchy" of nonXML resources
that if we assert that this implies a structural relationship
equivalent to the structural relationship of the nodes of a well-formed
XML document, which is that each element can have at most one parent,
and the top element or node has zero parents.


This gives us a crisp unambiguous definition of the term "hierarchy"
which can be applied both to the XML and nonXML resources, and it
totally avoids trying to determine whether it is an "accepted"
definition or not, since that property is no longer relevant.


The point of this definition is to give us a conceptual framework
within which to evaluate the two primary use cases of the DAG, which as
will be explained are also clear and unambiguous well-defined use cases.

daniel@streamdynamics.com,44669005-E297-4A36-910E-FC8D0" type="cite">

  
However, if we allow the hierarchies to break
down and lose their inherent hierarchical properties, then more
complicated approaches, such as going outside the initial request
context to get more nodes, although still solvable w URIs as demo'd
below, are needed.


  


It is NOT "broken down"


True, in an absolute sense nothing is "broken", however, what has
happened is that we have allowed one class of DAG representation to be
impacted in such a way that we have allowed it to become the second
class of DAG representation because we did not clearly define the
distinction and what was to be allowed and not allowed. This has
nothing to with whether the ancestor or URI method is used. It has only
to do with the relationships that are allowed to be represented when
two resources are "connected" by virtue of their hierarchical
relationship being established.


Specifically, one has a choice of:


  
only allowing the relationship that is being established to be
active. For example if my boss is assigned to be subordinate to a task
force leader when a cross functional team is being set up, this case
would say that has no impact on my relationship with the task force
leader unless I am a member of the task force. i.e. the task force
leader has control over my boss's resources to whatever degree is
implied by the task force situation, however the task force leader has
zero direct control over my resources as a result of this assignment.
In this model, that direct control could be simply be established by
either assigning me directly to the task force leader, or assigning me
a second subordinate relationship to my boss in the context of the task
force relationship.

This is a clearly defined process, where there is no ambiguity about
relationships between the resources. If you want the relationship, you
explicitly establish it, if not, you don't.


  
  
the other choice is the exact opposite, namely allowing
incidental relationships to be established simply because they connect
to a node with direct relationships. To take an extreme light-spirited
example, for the purpose of showing how "extraneous" relations are
introduced, if the company CEO was a member of a company bowling team,
where the captain of the bowling team happened to be a junior software
engineer who just joined the company, then everyone in the company
would suddenly have this junior engineer as their ancestor. Possibly
this would be disallowed by acyclic graph rules, but a similar
situation would occur if the VP of engineering was on a bowling team
captained by the junior sales trainee, who would now be ancestor to
everyone in engineering organization.

Both methods are acceptable for assigning relationships, but one or the
other may be more effective for one or another type of organization.
Personally, I think most enterprise security departments would favor
the first approach, because it appears to offer more direct control and
less chance of unintended consequences resulting from the assignment of
a direct relationship.


However, either choice can be used with either the "ancestor method" or
the "URI method". Which choice is made is a function of the node
collecting algorithm that is used for policy evaluation. i.e. when you
collect the parent nodes of the requested node,


  
choice 1 above means only collect those nodes to which the parent
has a direct relationship with the requested node,

  
  
and choice 2 means collect all the nodes of choice 1 plus all
other nodes where the parent has a hierarchical relationship that does
not directly involve the requested node.

These are the two primary use cases of the DAG, which were mentioned
above. Which use case is chosen depends only on the node collection
algorithm and not how the nodes are represented. i.e. parents and
ancestors exist whether or not they are incorporated for handy access
within a URI or not.

When the URI can be used, the URI collection within the requested node
itself contains all the nodes that will be collected with method 1 and
there is no need to access any additional information.


daniel@streamdynamics.com,44669005-E297-4A36-910E-FC8D0" type="cite">


  
Again, I am not trying to add or change any
of the existing functionality,

  


You are proposing an addition that is a subset of the more general
approach.


Hopefully, the description above satisfactorily demonstrates that the
URIs are simply a concrete mechanism to implement the general solution.
It is also a mechanism that, if used effectively, appears to be much
more efficient since all nodes that need to be collected in method 1
actually are already contained in the URI collection of the requested
node.

Therefore it is a concrete representation of the general approach,
however it is a concrete representation that capitalizes on the fact
that the object used to represent the node (the URI) has an equivalent
structure to the spatial relationships of the nodes in the DAG that
need to be collected in method 1, and so those nodes do not need to
collected at all since they are already present.

The same structural relationship exists in method 2, however, method 2
fans out so far so fast that collection outside the requested node will
be required to fulfill the needs of method 2.

It is functionally equivalent to the general approach, however, it has
the advantage that a single URI contains the normative identity of all
the required nodes for method 1 and some for method 2.

daniel@streamdynamics.com,44669005-E297-4A36-910E-FC8D0" type="cite">

I understand that you favor a different approach to this problem.    It
may be worth our while to create a separate profile for such an
approach, but I do not see any reason to muddy the existing one.



It should be clear from the above discussion that showing how URIs
address the same problem is not a "different approach". It is the same
approach, except the work required to collect the nodes is a lot less,
and can be eliminated almost completely depending on what node
collection strategy is chosen, method 1 or method 2.


Finally, it should be clear that the bulleted algorithms in section 3.2
of the spec represent a nonURI approach using a method 2 collection
algorithm.


Now that the problem is clearly defined, I expect it will take much
fewer words than have been exchanged in these emails to explain the
available options in section 3.2, which are:


  
method 1 node collection, URI method (all nodes required are in
requested node)
  
method 1 node collection, ancestor method: (requested node has
pointers to parents, but need to recursively navigate to parent to
advance up the hierarchy, but does not navigate thru nodes of which the
requested node is not a hierarchy member)
  
method 2 node collection, URI method (subset of nodes required
are in requested node, the rest must be obtained by recursively
navigating based on parent hierarchy nodes of which requested node is
not a member)
  
method 2 node collection, ancestor method (this is the algorithm
currently in section 3.2 bullets and need to recursively navigate thru
all parent nodes regardless of whether requested node is a member of
the hierarchy or not.)

These 2 choices of node collection are implicit in the DAG problem
definition and are not currently explained in the document and I
believe need to be. i.e. a DAG is the result of a set of hierarchies
(as defined above) being layed across a set of resources. i.e. it is
the result of a set of explicit relations being applied between pairs
of nodes. The "choice" is whether to retain the "history" of why those
relations were applied (i.e. the direct relations) or not. If you don't
then additional, indirect, extraneous relations automatically appear
and there is no way distinguish between them and the direct relations,
at least in the "general" or "ancestor" case. In the URI case, the
direct and indirect relations are always present and may be used or not
as a matter of choice.


The choice of ancestor or URI method for node identification is simply
whether URI "can" be used and whether URI is "desired" to be used.
Functionally, URI will produce the same results.


    Thanks,

    Rich


daniel@streamdynamics.com,44669005-E297-4A36-910E-FC8D0" type="cite">

Daniel;

All,

I've been in a rush today, so I haven't followed every detail in the 
discussion, but basically, here is how it appears to me:

* The profile, as it stands today, does specify the limited URI scheme 
which Rich describes. It says in section 2.2 that:

--8<--
The 

On Feb 19, 2009, at 6:57 AM, Erik Rissanen wrote:

> All,
>
> I've been in a rush today, so I haven't followed every detail in  
> the discussion, but basically, here is how it appears to me:
>
> * The profile, as it stands today, does specify the limited URI  
> scheme which Rich describes. It says in section 2.2 that:
>
> --8<--
> The 

  
  


Hi Erik,


A few points I'd like you to consider with respect to your first point:


  
I am not sure why you have chosen to refer the URI scheme as the
"limited URI scheme", because as I showed in previous emails, it
appears that the URI scheme is, in fact, more general than what you
refer to as the "more general approach advocated by Daniel". The
reasons for this are quite simple. First, the URI scheme is
functionally equivalent and more efficient as can be easily seen as
follows:

  
  

    
in the ancestor scheme, as I understand it, we might have a
node, "a", which is a normative identity for a particular node, and it
might have 2 ancestors, a parent, "b", and ancestor "c".

Presumably, if a request to access "a" comes in, the CH will have to
gather the ancestors. This means the CH must have some means of finding
out that "b" and "c" are the ancestors of "a". Since this information
is not included in the node name of "a", the CH must look elsewhere.
    
in the URI scheme, I would name my "a" node as "/c/b/a" using
the same strings as above. In the URI scheme, a request for "a" would
come in as "/c/b/a". In this case, the CH is done, it doesn't have to
go looking for ancestors for 2 reasons: 1. because it doesn't need
them, 2. even if it did need them, they are already there.


  
  
The reason why the URI scheme is more general is a bit subtle,
but still should be straight-forward to understand. The subtlety is
that when presented from an inverted perspective, it might at first
appear that the ancestor scheme is more general, but a few quick points
should explain why that is not the case:
  

    
Sticking with the same use case as above as a starting point,
let us consider the case where "b" has 2 parent nodes "c" and "d". I
don't believe there are many people who would argue that this structure
is still a hierarchy, however a rational case could be made that it is
actually 2 hierarchies, one headed by "c" and one headed by "d". In
this case "b" would be a member of 2 hierarchies.

    
At this point the differences in the two methods becomes clear.
Let us first look at the ancestor case. Because a relationship between
"d" and "b" has been established, does that mean there is now a
relation between "d" and "a". In the ancestor case, the answer is "yes".
    
If we now look at the same use case with the URI method and ask
the question whether there is now a relation between "d" and "a" the
answer is "no".
    
One says yes, the other says no. Does this mean they are simply
"equal" in capability, but different in "result"? Similar to a xacml
Rule that can be designed for Permit or Deny?
    
If that was the end of the story, then one could say they are
equal in capability, but it is not the end of the story.
    
In the URI case, we may now establish a 2nd relation /d/b/a,
which now will produce the answer yes, when asked the question whether
there is now a relation between "d" and "a".
    
Therefore the URI scheme can produce both a yes and a no to
this question, while the ancestor scheme can produce only a yes.
Therefore the URI scheme has greater capabilities and is thus, more
general than the ancestor scheme.
    
QED
  

Again, this is not a change to the profile, this is simply exposing a
capability of using the URIs in the profile that is not present when
using the ancestors.


There is a 2nd issue that I will also comment on shortly in a separate
email, so that we may reference these use cases in a discrete manner.


    Thanks,

    Rich



Erik Rissanen wrote:
499D7368.8040709@axiomatics.com" type="cite">All,


I've been in a rush today, so I haven't followed every detail in the
discussion, but basically, here is how it appears to me:


* The profile, as it stands today, does specify the limited URI scheme
which Rich describes. It says in section 2.2 that:


--8<--

The <pathname> portion of the URI SHALL be of the form


<root name> [ “/” <node name> ]*


The sequence of <root name> and <node name> values SHALL
correspond to the individual hierarchical component names of ancestors
of the represented node along the path from a <root> node to the
represented node.

--8<--


So it in fact says that the identifiers must consists of paths with the
names of the ancestors.


* If I understand Daniel correctly, he says that each node should be
allowed to have a name which is entirely independent of the other nodes
in the hierarchy. Relations between the nodes are maintained in a
manner not specified by XACML and are expressed in XACML Requests and
policies in the form of the attributes resource-parent,
resource-ancestor, etc. I think that the more general approach
advocated by Daniel would be the correct way to go, so I agree with him
(and Seth I believe. :-))


* I also think as suggested on the XACML comments/users list that the
data type of the node identifier should not be limited to URIs only.


But I would prefer to leave major changes to the hierarchical profile
out of the first batch of CD documents.


Best regards,

Erik



Rich.Levinson wrote:

  
Hi Daniel and TC,


Hopefully, those who have followed the details of these emails
recognize that each step in the sequence has advanced the discussion in
a consistent manner and as a result we have done a fairly thorough job
of mapping out the problem space that is under discussion. In any event
I believe my comments in this email continue to advance the discussion
in a worthwhile manner, and I think will describe the complete problem
space as well as give a clear description of the options available, all
of which offer full functionality.


In the current phase, if I am not mistaken, it is a straight-forward
matter to apply definitions to the distinct categories of problems and
simply observe that we have two sets of tools which are equally
effective at solving each category of problem, where


    * one set of tools (let's call it the "ancestor method") is most

      effective when one is dealing with resources where it is not

      possible or desirable to apply URIs as normative identifiers

    * a second set of tools (let's call it the "URI method") which is

      available when one is dealing with resources where URIs can be

      applied as normative identifiers, and the designers want to take

      advantage of the powerful features inherent in URI objects, esp

      when applied to hierarchical problems.


Let me address Daniel's points below, then try to summarize the present
state of the discussion:


Daniel Engovatov wrote:


On Feb 18, 2009, at 3:05 PM, Rich.Levinson wrote:

  
Daniel, Seth, Erik, and TC,


If we stick to the generally accepted definition that an object in a
hierarchy can have at most one parent, then a URI solves the problem
without having to look beyond the URI itself
  


It is NOT a generally accepted definition and we did not stick to it on
purpose.


Whether it is generally accepted or not is probably not important here,
however, it is consistent with the structure of XML documents, such
that when we are talking about a "single hierarchy" of nonXML resources
that if we assert that this implies a structural relationship
equivalent to the structural relationship of the nodes of a well-formed
XML document, which is that each element can have at most one parent,
and the top element or node has zero parents.


This gives us a crisp unambiguous definition of the term "hierarchy"
which can be applied both to the XML and nonXML resources, and it
totally avoids trying to determine whether it is an "accepted"
definition or not, since that property is no longer relevant.


The point of this definition is to give us a conceptual framework
within which to evaluate the two primary use cases of the DAG, which as
will be explained are also clear and unambiguous well-defined use
cases.

  
However, if we allow the hierarchies to
break down and lose their inherent hierarchical properties, then more
complicated approaches, such as going outside the initial request
context to get more nodes, although still solvable w URIs as demo'd
below, are needed.

  


It is NOT "broken down"

True, in an absolute sense nothing is "broken", however, what has
happened is that we have allowed one class of DAG representation to be
impacted in such a way that we have allowed it to become the second
class of DAG representation because we did not clearly define the
distinction and what was to be allowed and not allowed. This has
nothing to with whether the ancestor or URI method is used. It has only
to do with the relationships that are allowed to be represented when
two resources are "connected" by virtue of their hierarchical
relationship being established.


Specifically, one has a choice of:


   1. only allowing the relationship that is being established to be

      active. For example if my boss is assigned to be subordinate to

      a task force leader when a cross functional team is being set

      up, this case would say that has no impact on my relationship

      with the task force leader unless I am a member of the task

      force. i.e. the task force leader has control over my boss's

      resources to whatever degree is implied by the task force

      situation, however the task force leader has zero direct control

      over my resources as a result of this assignment. In this model,

      that direct control could be simply be established by either

      assigning me directly to the task force leader, or assigning me

      a second subordinate relationship to my boss in the context of

      the task force relationship.

      This is a clearly defined process, where there is no ambiguity

      about relationships between the resources. If you want the

      relationship, you explicitly establish it, if not, you don't.


   2. the other choice is the exact opposite, namely allowing

      incidental relationships to be established simply because they

      connect to a node with direct relationships. To take an extreme

      light-spirited example, for the purpose of showing how

      "extraneous" relations are introduced, if the company CEO was a

      member of a company bowling team, where the captain of the

      bowling team happened to be a junior software engineer who just

      joined the company, then everyone in the company would suddenly

      have this junior engineer as their ancestor. Possibly this would

      be disallowed by acyclic graph rules, but a similar situation

      would occur if the VP of engineering was on a bowling team

      captained by the junior sales trainee, who would now be ancestor

      to everyone in engineering organization.


Both methods are acceptable for assigning relationships, but one or the
other may be more effective for one or another type of organization.
Personally, I think most enterprise security departments would favor
the first approach, because it appears to offer more direct control and
less chance of unintended consequences resulting from the assignment of
a direct relationship.


However, either choice can be used with either the "ancestor method" or
the "URI method". Which choice is made is a function of the node
collecting algorithm that is used for policy evaluation. i.e. when you
collect the parent nodes of the requested node,


    * choice 1 above means only collect those nodes to which the

      parent has a direct relationship with the requested node,

    * and choice 2 means collect all the nodes of choice 1 plus all

      other nodes where the parent has a hierarchical relationship

      that does not directly involve the requested node.


These are the two primary use cases of the DAG, which were mentioned
above. Which use case is chosen depends only on the node collection
algorithm and not how the nodes are represented. i.e. parents and
ancestors exist whether or not they are incorporated for handy access
within a URI or not.

When the URI can be used, the URI collection within the requested node
itself contains all the nodes that will be collected with method 1 and
there is no need to access any additional information.



  
Again, I am not trying to add or change
any of the existing functionality,
  


You are proposing an addition that is a subset of the more general
approach.

Hopefully, the description above satisfactorily demonstrates that the
URIs are simply a concrete mechanism to implement the general solution.
It is also a mechanism that, if used effectively, appears to be much
more efficient since all nodes that need to be collected in method 1
actually are already contained in the URI collection of the requested
node.

Therefore it is a concrete representation of the general approach,
however it is a concrete representation that capitalizes on the fact
that the object used to represent the node (the URI) has an equivalent
structure to the spatial relationships of the nodes in the DAG that
need to be collected in method 1, and so those nodes do not need to
collected at all since they are already present.

The same structural relationship exists in method 2, however, method 2
fans out so far so fast that collection outside the requested node will
be required to fulfill the needs of method 2.

It is functionally equivalent to the general approach, however, it has
the advantage that a single URI contains the normative identity of all
the required nodes for method 1 and some for method 2.


I understand that you favor a different approach to this problem. It
may be worth our while to create a separate profile for such an
approach, but I do not see any reason to muddy the existing one.


It should be clear from the above discussion that showing how URIs
address the same problem is not a "different approach". It is the same
approach, except the work required to collect the nodes is a lot less,
and can be eliminated almost completely depending on what node
collection strategy is chosen, method 1 or method 2.


Finally, it should be clear that the bulleted algorithms in section 3.2
of the spec represent a nonURI approach using a method 2 collection
algorithm.


Now that the problem is clearly defined, I expect it will take much
fewer words than have been exchanged in these emails to explain the
available options in section 3.2, which are:


   1. method 1 node collection, URI method (all nodes required are in

      requested node)

   2. method 1 node collection, ancestor method: (requested node has

      pointers to parents, but need to recursively navigate to parent

      to advance up the hierarchy, but does not navigate thru nodes of

      which the requested node is not a hierarchy member)

   3. method 2 node collection, URI method (subset of nodes required

      are in requested node, the rest must be obtained by recursively

      navigating based on parent hierarchy nodes of which requested

      node is not a member)

   4. method 2 node collection, ancestor method (this is the algorithm

      currently in section 3.2 bullets and need to recursively

      navigate thru all parent nodes regardless of whether requested

      node is a member of the hierarchy or not.)


These 2 choices of node collection are implicit in the DAG problem
definition and are not currently explained in the document and I
believe need to be. i.e. a DAG is the result of a set of hierarchies
(as defined above) being layed across a set of resources. i.e. it is
the result of a set of explicit relations being applied between pairs
of nodes. The "choice" is whether to retain the "history" of why those
relations were applied (i.e. the direct relations) or not. If you don't
then additional, indirect, extraneous relations automatically appear
and there is no way distinguish between them and the direct relations,
at least in the "general" or "ancestor" case. In the URI case, the
direct and indirect relations are always present and may be used or not
as a matter of choice.


The choice of ancestor or URI method for node identification is simply
whether URI "can" be used and whether URI is "desired" to be used.
Functionally, URI will produce the same results.


Thanks,

Rich



Daniel;

  




---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Hi Rich,

The ancestor scheme is more general since the hierarchy is completely 
independent from naming.

You could have a hierarchy where http://example.com/A is the parent of 
urn:oasis:xacml:D

You could also have a hierarchy where http://example.com/A is not the 
parent of http://example.com/A/B

Regards,
Eri,k


Rich.Levinson wrote:
> Hi Erik,
>
> A few points I'd like you to consider with respect to your first point:
>
>    1. I am not sure why you have chosen to refer the URI scheme as the
>       "limited URI scheme", because as I showed in previous emails, it
>       appears that the URI scheme is, in fact, more general than what
>       you refer to as the "more general approach advocated by Daniel".
>       The reasons for this are quite simple. First, the URI scheme is
>       functionally equivalent and more efficient as can be easily seen
>       as follows:
>           * in the ancestor scheme, as I understand it, we might have
>             a node, "a", which is a normative identity for a
>             particular node, and it might have 2 ancestors, a parent,
>             "b", and ancestor "c".
>             Presumably, if a request to access "a" comes in, the CH
>             will have to gather the ancestors. This means the CH must
>             have some means of finding out that "b" and "c" are the
>             ancestors of "a". Since this information is not included
>             in the node name of "a", the CH must look elsewhere.
>           * in the URI scheme, I would name my "a" node as "/c/b/a"
>             using the same strings as above. In the URI scheme, a
>             request for "a" would come in as "/c/b/a". In this case,
>             the CH is done, it doesn't have to go looking for
>             ancestors for 2 reasons: 1. because it doesn't need them,
>             2. even if it did need them, they are already there.
>
>    2. The reason why the URI scheme is more general is a bit subtle,
>       but still should be straight-forward to understand. The subtlety
>       is that when presented from an inverted perspective, it might at
>       first appear that the ancestor scheme is more general, but a few
>       quick points should explain why that is not the case:
>           * Sticking with the same use case as above as a starting
>             point, let us consider the case where "b" has 2 parent
>             nodes "c" and "d". I don't believe there are many people
>             who would argue that this structure is still a hierarchy,
>             however a rational case could be made that it is actually
>             2 hierarchies, one headed by "c" and one headed by "d". In
>             this case "b" would be a member of 2 hierarchies.
>           * At this point the differences in the two methods becomes
>             clear. Let us first look at the ancestor case. Because a
>             relationship between "d" and "b" has been established,
>             does that mean there is now a relation between "d" and
>             "a". In the ancestor case, the answer is "yes".
>           * If we now look at the same use case with the URI method
>             and ask the question whether there is now a relation
>             between "d" and "a" the answer is "no".
>           * One says yes, the other says no. Does this mean they are
>             simply "equal" in capability, but different in "result"?
>             Similar to a xacml Rule that can be designed for Permit or
>             Deny?
>           * If that was the end of the story, then one could say they
>             are equal in capability, but it is not the end of the story.
>           * In the URI case, we may now establish a 2nd relation
>             /d/b/a, which now will produce the answer yes, when asked
>             the question whether there is now a relation between "d"
>             and "a".
>           * Therefore the URI scheme can produce both a yes and a no
>             to this question, while the ancestor scheme can produce
>             only a yes. Therefore the URI scheme has greater
>             capabilities and is thus, more general than the ancestor
>             scheme.
>           * QED
>
> Again, this is not a change to the profile, this is simply exposing a 
> capability of using the URIs in the profile that is not present when 
> using the ancestors.
>
> There is a 2nd issue that I will also comment on shortly in a separate 
> email, so that we may reference these use cases in a discrete manner.
>
>     Thanks,
>     Rich
>
>
> Erik Rissanen wrote:
>> All,
>>
>> I've been in a rush today, so I haven't followed every detail in the 
>> discussion, but basically, here is how it appears to me:
>>
>> * The profile, as it stands today, does specify the limited URI 
>> scheme which Rich describes. It says in section 2.2 that:
>>
>> --8<--
>> The 

On Feb 20, 2009, at 1:34 AM, Erik Rissanen wrote:

> Hi Rich,
>
> The ancestor scheme is more general since the hierarchy is  
> completely independent from naming.
>
> You could have a hierarchy where http://example.com/A is the parent  
> of urn:oasis:xacml:D
>
> You could also have a hierarchy where http://example.com/A is not  
> the parent of http://example.com/A/B
>
> Regards,
> Eri,k
>
>


You got it.


> Rich.Levinson wrote:
>> Hi Erik,
>>
>> A few points I'd like you to consider with respect to your first  
>> point:
>>
>>    1. I am not sure why you have chosen to refer the URI scheme as  
>> the
>>       "limited URI scheme", because as I showed in previous  
>> emails, it
>>       appears that the URI scheme is, in fact, more general than what
>>       you refer to as the "more general approach advocated by  
>> Daniel".
>>       The reasons for this are quite simple. First, the URI scheme is
>>       functionally equivalent and more efficient as can be easily  
>> seen
>>       as follows:
>>           * in the ancestor scheme, as I understand it, we might have
>>             a node, "a", which is a normative identity for a
>>             particular node, and it might have 2 ancestors, a parent,
>>             "b", and ancestor "c".
>>             Presumably, if a request to access "a" comes in, the CH
>>             will have to gather the ancestors. This means the CH must
>>             have some means of finding out that "b" and "c" are the
>>             ancestors of "a". Since this information is not included
>>             in the node name of "a", the CH must look elsewhere.
>>           * in the URI scheme, I would name my "a" node as "/c/b/a"
>>             using the same strings as above. In the URI scheme, a
>>             request for "a" would come in as "/c/b/a". In this case,
>>             the CH is done, it doesn't have to go looking for
>>             ancestors for 2 reasons: 1. because it doesn't need them,
>>             2. even if it did need them, they are already there.
>>
>>    2. The reason why the URI scheme is more general is a bit subtle,
>>       but still should be straight-forward to understand. The  
>> subtlety
>>       is that when presented from an inverted perspective, it  
>> might at
>>       first appear that the ancestor scheme is more general, but a  
>> few
>>       quick points should explain why that is not the case:
>>           * Sticking with the same use case as above as a starting
>>             point, let us consider the case where "b" has 2 parent
>>             nodes "c" and "d". I don't believe there are many people
>>             who would argue that this structure is still a hierarchy,
>>             however a rational case could be made that it is actually
>>             2 hierarchies, one headed by "c" and one headed by  
>> "d". In
>>             this case "b" would be a member of 2 hierarchies.
>>           * At this point the differences in the two methods becomes
>>             clear. Let us first look at the ancestor case. Because a
>>             relationship between "d" and "b" has been established,
>>             does that mean there is now a relation between "d" and
>>             "a". In the ancestor case, the answer is "yes".
>>           * If we now look at the same use case with the URI method
>>             and ask the question whether there is now a relation
>>             between "d" and "a" the answer is "no".
>>           * One says yes, the other says no. Does this mean they are
>>             simply "equal" in capability, but different in "result"?
>>             Similar to a xacml Rule that can be designed for  
>> Permit or
>>             Deny?
>>           * If that was the end of the story, then one could say they
>>             are equal in capability, but it is not the end of the  
>> story.
>>           * In the URI case, we may now establish a 2nd relation
>>             /d/b/a, which now will produce the answer yes, when asked
>>             the question whether there is now a relation between "d"
>>             and "a".
>>           * Therefore the URI scheme can produce both a yes and a no
>>             to this question, while the ancestor scheme can produce
>>             only a yes. Therefore the URI scheme has greater
>>             capabilities and is thus, more general than the ancestor
>>             scheme.
>>           * QED
>>
>> Again, this is not a change to the profile, this is simply  
>> exposing a capability of using the URIs in the profile that is not  
>> present when using the ancestors.
>>
>> There is a 2nd issue that I will also comment on shortly in a  
>> separate email, so that we may reference these use cases in a  
>> discrete manner.
>>
>>     Thanks,
>>     Rich
>>
>>
>> Erik Rissanen wrote:
>>> All,
>>>
>>> I've been in a rush today, so I haven't followed every detail in  
>>> the discussion, but basically, here is how it appears to me:
>>>
>>> * The profile, as it stands today, does specify the limited URI  
>>> scheme which Rich describes. It says in section 2.2 that:
>>>
>>> --8<--
>>> The 

  


Hi Erik,


I agree that you can use a set of names, which maybe already existed
and use them simply on the basis of their superclass string property
and create any hierarchical relationships using some independent
method. But then you could not advertise that you were using a
hierarchical naming scheme, because would be wondering what happened to
the hierarchical properties of the naming scheme.


In fact, that is exactly what is being done in the Hierarchical
profile. By trying to capitalize on the value implied by the title
"Hierarchical Profile", and then implementing the spec using algorithms
of DAG, which in general destroys any hierarchical properties, the spec
is effectively self-contradictory.


In general, hierarchies are a subclass of DAG. In particular, a forest,
which is a disjoint set of trees is a subclass of DAG. The forest, by
its disjointness, retains the hierarchical properties of its member
nodes, by treating each node as a member of one or more explicit
hierarchies.


However, the ancestor method of section 3.2, is explicitly that part of
the DAG superclass that does not apply to the forest subclass. More
specifically, the ancestor method explicitly destroys the disjointness
of the trees within the forest, resulting in a structure that is
explicitly non-hierarchical.


As we have seen, users of this specification, who start out with an
inherently hierarchical set of resources, are immediately led to
implement this algorithm which will transform what is initially a
"hierarchical resource" into an explicitly non-hierarchical resource.


Since this specification is explicitly about providing:

"access control for a resource that is organized as a
hierarchy"


it is self-evident that using an algorithm for target matching that
will collect nodes that are not ancestral hierarchical nodes will
result in identifying non-applicable policies to be applied to the
request. This is certain to produce unexpected results.


If an organization were to invest a lot of time and resources building
a security infrastructure assuming they were using hierarchical
properties only based on this profile, and then found out that the
profile actually explicitly specifies only algorithms that will, in
general, disregard and violate the hierarchical structures of the
resources that are being managed, I expect that the organization that
produced this specification will have a lot of difficult questions to
answer.


    Thanks,

    Rich



Erik Rissanen wrote:
499E793D.7070201@axiomatics.com" type="cite">Hi
Rich,


The ancestor scheme is more general since the hierarchy is completely
independent from naming.


You could have a hierarchy where http://example.com/A is the parent of
urn:oasis:xacml:D


You could also have a hierarchy where http://example.com/A is not the
parent of http://example.com/A/B


Regards,

Eri,k



Rich.Levinson wrote:

  
Hi Erik,


A few points I'd like you to consider with respect to your first point:


   1. I am not sure why you have chosen to refer the URI scheme as the

      "limited URI scheme", because as I showed in previous emails, it

      appears that the URI scheme is, in fact, more general than what

      you refer to as the "more general approach advocated by Daniel".

      The reasons for this are quite simple. First, the URI scheme is

      functionally equivalent and more efficient as can be easily seen

      as follows:

          * in the ancestor scheme, as I understand it, we might have

            a node, "a", which is a normative identity for a

            particular node, and it might have 2 ancestors, a parent,

            "b", and ancestor "c".

            Presumably, if a request to access "a" comes in, the CH

            will have to gather the ancestors. This means the CH must

            have some means of finding out that "b" and "c" are the

            ancestors of "a". Since this information is not included

            in the node name of "a", the CH must look elsewhere.

          * in the URI scheme, I would name my "a" node as "/c/b/a"

            using the same strings as above. In the URI scheme, a

            request for "a" would come in as "/c/b/a". In this case,

            the CH is done, it doesn't have to go looking for

            ancestors for 2 reasons: 1. because it doesn't need them,

            2. even if it did need them, they are already there.


   2. The reason why the URI scheme is more general is a bit subtle,

      but still should be straight-forward to understand. The subtlety

      is that when presented from an inverted perspective, it might at

      first appear that the ancestor scheme is more general, but a few

      quick points should explain why that is not the case:

          * Sticking with the same use case as above as a starting

            point, let us consider the case where "b" has 2 parent

            nodes "c" and "d". I don't believe there are many people

            who would argue that this structure is still a hierarchy,

            however a rational case could be made that it is actually

            2 hierarchies, one headed by "c" and one headed by "d". In

            this case "b" would be a member of 2 hierarchies.

          * At this point the differences in the two methods becomes

            clear. Let us first look at the ancestor case. Because a

            relationship between "d" and "b" has been established,

            does that mean there is now a relation between "d" and

            "a". In the ancestor case, the answer is "yes".

          * If we now look at the same use case with the URI method

            and ask the question whether there is now a relation

            between "d" and "a" the answer is "no".

          * One says yes, the other says no. Does this mean they are

            simply "equal" in capability, but different in "result"?

            Similar to a xacml Rule that can be designed for Permit or

            Deny?

          * If that was the end of the story, then one could say they

            are equal in capability, but it is not the end of the
story.

          * In the URI case, we may now establish a 2nd relation

            /d/b/a, which now will produce the answer yes, when asked

            the question whether there is now a relation between "d"

            and "a".

          * Therefore the URI scheme can produce both a yes and a no

            to this question, while the ancestor scheme can produce

            only a yes. Therefore the URI scheme has greater

            capabilities and is thus, more general than the ancestor

            scheme.

          * QED


Again, this is not a change to the profile, this is simply exposing a
capability of using the URIs in the profile that is not present when
using the ancestors.


There is a 2nd issue that I will also comment on shortly in a separate
email, so that we may reference these use cases in a discrete manner.


    Thanks,

    Rich



Erik Rissanen wrote:
All,


I've been in a rush today, so I haven't followed every detail in the
discussion, but basically, here is how it appears to me:


* The profile, as it stands today, does specify the limited URI scheme
which Rich describes. It says in section 2.2 that:


--8<--

The <pathname> portion of the URI SHALL be of the form


<root name> [ “/” <node name> ]*


The sequence of <root name> and <node name> values SHALL
correspond to the individual hierarchical component names of ancestors
of the represented node along the path from a <root> node to the
represented node.

--8<--


So it in fact says that the identifiers must consists of paths with the
names of the ancestors.


* If I understand Daniel correctly, he says that each node should be
allowed to have a name which is entirely independent of the other nodes
in the hierarchy. Relations between the nodes are maintained in a
manner not specified by XACML and are expressed in XACML Requests and
policies in the form of the attributes resource-parent,
resource-ancestor, etc. I think that the more general approach
advocated by Daniel would be the correct way to go, so I agree with him
(and Seth I believe. :-))


* I also think as suggested on the XACML comments/users list that the
data type of the node identifier should not be limited to URIs only.


But I would prefer to leave major changes to the hierarchical profile
out of the first batch of CD documents.


Best regards,

Erik



Rich.Levinson wrote:
  
Hi Daniel and TC,


Hopefully, those who have followed the details of these emails
recognize that each step in the sequence has advanced the discussion in
a consistent manner and as a result we have done a fairly thorough job
of mapping out the problem space that is under discussion. In any event
I believe my comments in this email continue to advance the discussion
in a worthwhile manner, and I think will describe the complete problem
space as well as give a clear description of the options available, all
of which offer full functionality.


In the current phase, if I am not mistaken, it is a straight-forward
matter to apply definitions to the distinct categories of problems and
simply observe that we have two sets of tools which are equally
effective at solving each category of problem, where


    * one set of tools (let's call it the "ancestor method") is most

      effective when one is dealing with resources where it is not

      possible or desirable to apply URIs as normative identifiers

    * a second set of tools (let's call it the "URI method") which is

      available when one is dealing with resources where URIs can be

      applied as normative identifiers, and the designers want to take

      advantage of the powerful features inherent in URI objects, esp

      when applied to hierarchical problems.


Let me address Daniel's points below, then try to summarize the present
state of the discussion:


Daniel Engovatov wrote:
    


On Feb 18, 2009, at 3:05 PM, Rich.Levinson wrote:

      
Daniel, Seth, Erik, and TC,


If we stick to the generally accepted definition that an object in a
hierarchy can have at most one parent, then a URI solves the problem
without having to look beyond the URI itself
      


It is NOT a generally accepted definition and we did not stick to it on
purpose.

    
Whether it is generally accepted or not is probably not important here,
however, it is consistent with the structure of XML documents, such
that when we are talking about a "single hierarchy" of nonXML resources
that if we assert that this implies a structural relationship
equivalent to the structural relationship of the nodes of a well-formed
XML document, which is that each element can have at most one parent,
and the top element or node has zero parents.


This gives us a crisp unambiguous definition of the term "hierarchy"
which can be applied both to the XML and nonXML resources, and it
totally avoids trying to determine whether it is an "accepted"
definition or not, since that property is no longer relevant.


The point of this definition is to give us a conceptual framework
within which to evaluate the two primary use cases of the DAG, which as
will be explained are also clear and unambiguous well-defined use
cases.
    

      
However, if we allow the hierarchies
to break down and lose their inherent hierarchical properties, then
more complicated approaches, such as going outside the initial request
context to get more nodes, although still solvable w URIs as demo'd
below, are needed.

      


It is NOT "broken down"
    
True, in an absolute sense nothing is "broken", however, what has
happened is that we have allowed one class of DAG representation to be
impacted in such a way that we have allowed it to become the second
class of DAG representation because we did not clearly define the
distinction and what was to be allowed and not allowed. This has
nothing to with whether the ancestor or URI method is used. It has only
to do with the relationships that are allowed to be represented when
two resources are "connected" by virtue of their hierarchical
relationship being established.


Specifically, one has a choice of:


   1. only allowing the relationship that is being established to be

      active. For example if my boss is assigned to be subordinate to

      a task force leader when a cross functional team is being set

      up, this case would say that has no impact on my relationship

      with the task force leader unless I am a member of the task

      force. i.e. the task force leader has control over my boss's

      resources to whatever degree is implied by the task force

      situation, however the task force leader has zero direct control

      over my resources as a result of this assignment. In this model,

      that direct control could be simply be established by either

      assigning me directly to the task force leader, or assigning me

      a second subordinate relationship to my boss in the context of

      the task force relationship.

      This is a clearly defined process, where there is no ambiguity

      about relationships between the resources. If you want the

      relationship, you explicitly establish it, if not, you don't.


   2. the other choice is the exact opposite, namely allowing

      incidental relationships to be established simply because they

      connect to a node with direct relationships. To take an extreme

      light-spirited example, for the purpose of showing how

      "extraneous" relations are introduced, if the company CEO was a

      member of a company bowling team, where the captain of the

      bowling team happened to be a junior software engineer who just

      joined the company, then everyone in the company would suddenly

      have this junior engineer as their ancestor. Possibly this would

      be disallowed by acyclic graph rules, but a similar situation

      would occur if the VP of engineering was on a bowling team

      captained by the junior sales trainee, who would now be ancestor

      to everyone in engineering organization.


Both methods are acceptable for assigning relationships, but one or the
other may be more effective for one or another type of organization.
Personally, I think most enterprise security departments would favor
the first approach, because it appears to offer more direct control and
less chance of unintended consequences resulting from the assignment of
a direct relationship.


However, either choice can be used with either the "ancestor method" or
the "URI method". Which choice is made is a function of the node
collecting algorithm that is used for policy evaluation. i.e. when you
collect the parent nodes of the requested node,


    * choice 1 above means only collect those nodes to which the

      parent has a direct relationship with the requested node,

    * and choice 2 means collect all the nodes of choice 1 plus all

      other nodes where the parent has a hierarchical relationship

      that does not directly involve the requested node.


These are the two primary use cases of the DAG, which were mentioned
above. Which use case is chosen depends only on the node collection
algorithm and not how the nodes are represented. i.e. parents and
ancestors exist whether or not they are incorporated for handy access
within a URI or not.

When the URI can be used, the URI collection within the requested node
itself contains all the nodes that will be collected with method 1 and
there is no need to access any additional information.

    


      
Again, I am not trying to add or
change any of the existing functionality,
      


You are proposing an addition that is a subset of the more general
approach.
    
Hopefully, the description above satisfactorily demonstrates that the
URIs are simply a concrete mechanism to implement the general solution.
It is also a mechanism that, if used effectively, appears to be much
more efficient since all nodes that need to be collected in method 1
actually are already contained in the URI collection of the requested
node.

Therefore it is a concrete representation of the general approach,
however it is a concrete representation that capitalizes on the fact
that the object used to represent the node (the URI) has an equivalent
structure to the spatial relationships of the nodes in the DAG that
need to be collected in method 1, and so those nodes do not need to
collected at all since they are already present.

The same structural relationship exists in method 2, however, method 2
fans out so far so fast that collection outside the requested node will
be required to fulfill the needs of method 2.

It is functionally equivalent to the general approach, however, it has
the advantage that a single URI contains the normative identity of all
the required nodes for method 1 and some for method 2.
    


I understand that you favor a different approach to this problem. It
may be worth our while to create a separate profile for such an
approach, but I do not see any reason to muddy the existing one.

    
It should be clear from the above discussion that showing how URIs
address the same problem is not a "different approach". It is the same
approach, except the work required to collect the nodes is a lot less,
and can be eliminated almost completely depending on what node
collection strategy is chosen, method 1 or method 2.


Finally, it should be clear that the bulleted algorithms in section 3.2
of the spec represent a nonURI approach using a method 2 collection
algorithm.


Now that the problem is clearly defined, I expect it will take much
fewer words than have been exchanged in these emails to explain the
available options in section 3.2, which are:


   1. method 1 node collection, URI method (all nodes required are in

      requested node)

   2. method 1 node collection, ancestor method: (requested node has

      pointers to parents, but need to recursively navigate to parent

      to advance up the hierarchy, but does not navigate thru nodes of

      which the requested node is not a hierarchy member)

   3. method 2 node collection, URI method (subset of nodes required

      are in requested node, the rest must be obtained by recursively

      navigating based on parent hierarchy nodes of which requested

      node is not a member)

   4. method 2 node collection, ancestor method (this is the algorithm

      currently in section 3.2 bullets and need to recursively

      navigate thru all parent nodes regardless of whether requested

      node is a member of the hierarchy or not.)


These 2 choices of node collection are implicit in the DAG problem
definition and are not currently explained in the document and I
believe need to be. i.e. a DAG is the result of a set of hierarchies
(as defined above) being layed across a set of resources. i.e. it is
the result of a set of explicit relations being applied between pairs
of nodes. The "choice" is whether to retain the "history" of why those
relations were applied (i.e. the direct relations) or not. If you don't
then additional, indirect, extraneous relations automatically appear
and there is no way distinguish between them and the direct relations,
at least in the "general" or "ancestor" case. In the URI case, the
direct and indirect relations are always present and may be used or not
as a matter of choice.


The choice of ancestor or URI method for node identification is simply
whether URI "can" be used and whether URI is "desired" to be used.
Functionally, URI will produce the same results.


Thanks,

Rich

    


Daniel;
    
      




---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

  

On Feb 19, 2009, at 8:03 PM, Rich.Levinson wrote:

> Hi Erik,
>
> A few points I'd like you to consider with respect to your first  
> point:
> I am not sure why you have chosen to refer the URI scheme as the  
> "limited URI scheme", because as I showed in previous emails, it  
> appears that the URI scheme is, in fact, more general than what you  
> refer to as the "more general approach advocated by Daniel". The  
> reasons for this are quite simple. First, the URI scheme is  
> functionally equivalent and more efficient as can be easily seen as  
> follows:

I do not think you have shown it.

>
> in the ancestor scheme, as I understand it, we might have a node,  
> "a", which is a normative identity for a particular node, and it  
> might have 2 ancestors, a parent, "b", and ancestor "c".
> Presumably, if a request to access "a" comes in, the CH will have  
> to gather the ancestors. This means the CH must have some means of  
> finding out that "b" and "c" are the ancestors of "a". Since this  
> information is not included in the node name of "a", the CH must  
> look elsewhere.

You do not need to gather ancestors.  They are included in the  
attribute.  You need to gather applicable rules.   Rules have a  
specified target.

> in the URI scheme, I would name my "a" node as "/c/b/a" using the  
> same strings as above. In the URI scheme, a request for "a" would  
> come in as "/c/b/a". In this case, the CH is done, it doesn't have  
> to go looking for ancestors for 2 reasons: 1. because it doesn't  
> need them, 2. even if it did need them, they are already there.

I do not understand what "looking up ancestor" you are talking  
about.    One need to look up rules.

>
>
> The reason why the URI scheme is more general is a bit subtle, but  
> still should be straight-forward to understand. The subtlety is  
> that when presented from an inverted perspective, it might at first  
> appear that the ancestor scheme is more general, but a few quick  
> points should explain why that is not the case:
> Sticking with the same use case as above as a starting point, let  
> us consider the case where "b" has 2 parent nodes "c" and "d". I  
> don't believe there are many people who would argue that this  
> structure is still a hierarchy, however a rational case could be  
> made that it is actually 2 hierarchies, one headed by "c" and one  
> headed by "d". In this case "b" would be a member of 2 hierarchies.

I do not see anything "rational" in this case, and I do not see any  
reason why it could be made.  The rest of the argument is based on  
this flawed straw-men assumption.

Daniel;

  


Hi Erik,


With regard to your 2nd point on the comments/users list, it appears to
me that because the Hierarchical spec has the problems that I have
described in earlier emails, that the user has posed his question in
such a way that instead of advising the commenter on what appears to me
to be a simple obvious way to solve his problem, you instead have been
drawn into considering the user's suggestion that we change the specs
from the current explicit description in section 2.2 to one that
appears to me would significantly undermine the intent of the current
section 2.2.


Now that we have hammered away at the hierarchical profile for several
emails, and if people have been reading the details, we can now take
another look at the question the commenter raised, which I had
previously said we should revisit in the context of my proposal (item 3
here: http://lists.oasis-open.org/archives/xacml/200902/msg00004.html).


The commenter's question is here:

http://lists.oasis-open.org/archives/xacml-comment/200901/msg00003.html


Your reply to him, where you said you would bring the issue to the TC,
is here:

http://lists.oasis-open.org/archives/xacml/200901/msg00056.html


This example shows exactly why I believe it is NECESSARY to add the
clarifying text that I have been talking about to section 3.2.


It appears to me that this user has been clearly misled by the spec to
attempt to do what seems to me to be a wasteful and pointless exercise
of parsing URIs and then trying to make sense of the collection of
artifacts that he has produced. It appears to me that this is totally
unnecessary, and I would suggest that it has been a waste of his time
for being led down this path by the specifications, which is the point
I have repeatedly been making that the specs are insufficient in
section 3.2 in this regard .


I am concerned that instead of addressing this type of problem with the
capabilities currently in the spec, that we are being drawn down a
path, which will effectively dismantle the perfectly good functionality
that is in the spec by removing the URI capability as it currently
exists.


I think this user should be told that since his nodes are currently
identified by URIs that are in the form called for in section 2.2 that
he does not need to worry about collecting ancestors etc. and all he
needs to do is apply the XACML 2.0 anyURI-regexp-match as described in
section A.3.13 of the core spec and his problem is solved.


As described in section 4.3 of the example doc in the archive
(http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf),
this function is simply specified as:

<Apply FunctionId="&anyURI-regexp-match;">

  <AttributeValue DataType="&string;"

    >http://example.com/path/*</AttributeValue>

  <Apply FunctionId="&string-one-and-only;">

    <ResourceAttributeDesignator AttributeId="&resource-id;"

        DataType="&string;">

  </Apply>

</Apply>


This is the kind of guidance I am recommending that we add to section
3.2 of the Hierarchical Profile.


As I understand your email, an alternative suggestion to address this
user situation is to recommend that the user parse his URIs into
components, and that we change the spec to alter the currently defined
URI capability (to no longer be a URI capability, with all the inherent
capabilities of a URI) in order that the customer be able to do this?


Let me further point out that I don't think there is any need to change
the spec, because it already says in section 2 that governs 2.2 that:

"The following sections describe RECOMMENDED
representations for nodes in hierarchical resources. Alternative
representations of nodes in a given resource are permitted so long as
all Policy Administration Points and all Policy Enforcement Points that
deal with that resource have contracted to use the alternative
representation."


Therefore, if for some reason we advise against using what appears to
me to be an obvious standard capability described above with
anyURI-regexp-match, and would like users instead to parse their URIs
into components so that they can supply the components as a collection
of ancestors, I believe we are still able to do this because the
statement above appears to explicitly allows for nonURI
representations, in which case we would not have to do anything to
section 2.2.


However, to be perfectly honest, I still see no advantage to applying
the bulleted capability procedure of section 3.2 to nodes that are
already identified by URIs.


Comments welcome. I would really like to understand if there is a
legitimate reason for not using the URIs as is and replacing them by
collections of components.


    Thanks,  

    Rich






Erik Rissanen wrote:
499D7368.8040709@axiomatics.com" type="cite">All,


I've been in a rush today, so I haven't followed every detail in the
discussion, but basically, here is how it appears to me:


* The profile, as it stands today, does specify the limited URI scheme
which Rich describes. It says in section 2.2 that:


--8<--

The <pathname> portion of the URI SHALL be of the form


<root name> [ “/” <node name> ]*


The sequence of <root name> and <node name> values SHALL
correspond to the individual hierarchical component names of ancestors
of the represented node along the path from a <root> node to the
represented node.

--8<--


So it in fact says that the identifiers must consists of paths with the
names of the ancestors.


* If I understand Daniel correctly, he says that each node should be
allowed to have a name which is entirely independent of the other nodes
in the hierarchy. Relations between the nodes are maintained in a
manner not specified by XACML and are expressed in XACML Requests and
policies in the form of the attributes resource-parent,
resource-ancestor, etc. I think that the more general approach
advocated by Daniel would be the correct way to go, so I agree with him
(and Seth I believe. :-))


* I also think as suggested on the XACML comments/users list that the
data type of the node identifier should not be limited to URIs only.


But I would prefer to leave major changes to the hierarchical profile
out of the first batch of CD documents.


Best regards,

Erik



Rich.Levinson wrote:

  
Hi Daniel and TC,


Hopefully, those who have followed the details of these emails
recognize that each step in the sequence has advanced the discussion in
a consistent manner and as a result we have done a fairly thorough job
of mapping out the problem space that is under discussion. In any event
I believe my comments in this email continue to advance the discussion
in a worthwhile manner, and I think will describe the complete problem
space as well as give a clear description of the options available, all
of which offer full functionality.


In the current phase, if I am not mistaken, it is a straight-forward
matter to apply definitions to the distinct categories of problems and
simply observe that we have two sets of tools which are equally
effective at solving each category of problem, where


    * one set of tools (let's call it the "ancestor method") is most

      effective when one is dealing with resources where it is not

      possible or desirable to apply URIs as normative identifiers

    * a second set of tools (let's call it the "URI method") which is

      available when one is dealing with resources where URIs can be

      applied as normative identifiers, and the designers want to take

      advantage of the powerful features inherent in URI objects, esp

      when applied to hierarchical problems.


Let me address Daniel's points below, then try to summarize the present
state of the discussion:


Daniel Engovatov wrote:


On Feb 18, 2009, at 3:05 PM, Rich.Levinson wrote:

  
Daniel, Seth, Erik, and TC,


If we stick to the generally accepted definition that an object in a
hierarchy can have at most one parent, then a URI solves the problem
without having to look beyond the URI itself
  


It is NOT a generally accepted definition and we did not stick to it on
purpose.


Whether it is generally accepted or not is probably not important here,
however, it is consistent with the structure of XML documents, such
that when we are talking about a "single hierarchy" of nonXML resources
that if we assert that this implies a structural relationship
equivalent to the structural relationship of the nodes of a well-formed
XML document, which is that each element can have at most one parent,
and the top element or node has zero parents.


This gives us a crisp unambiguous definition of the term "hierarchy"
which can be applied both to the XML and nonXML resources, and it
totally avoids trying to determine whether it is an "accepted"
definition or not, since that property is no longer relevant.


The point of this definition is to give us a conceptual framework
within which to evaluate the two primary use cases of the DAG, which as
will be explained are also clear and unambiguous well-defined use
cases.

  
However, if we allow the hierarchies to
break down and lose their inherent hierarchical properties, then more
complicated approaches, such as going outside the initial request
context to get more nodes, although still solvable w URIs as demo'd
below, are needed.

  


It is NOT "broken down"

True, in an absolute sense nothing is "broken", however, what has
happened is that we have allowed one class of DAG representation to be
impacted in such a way that we have allowed it to become the second
class of DAG representation because we did not clearly define the
distinction and what was to be allowed and not allowed. This has
nothing to with whether the ancestor or URI method is used. It has only
to do with the relationships that are allowed to be represented when
two resources are "connected" by virtue of their hierarchical
relationship being established.


Specifically, one has a choice of:


   1. only allowing the relationship that is being established to be

      active. For example if my boss is assigned to be subordinate to

      a task force leader when a cross functional team is being set

      up, this case would say that has no impact on my relationship

      with the task force leader unless I am a member of the task

      force. i.e. the task force leader has control over my boss's

      resources to whatever degree is implied by the task force

      situation, however the task force leader has zero direct control

      over my resources as a result of this assignment. In this model,

      that direct control could be simply be established by either

      assigning me directly to the task force leader, or assigning me

      a second subordinate relationship to my boss in the context of

      the task force relationship.

      This is a clearly defined process, where there is no ambiguity

      about relationships between the resources. If you want the

      relationship, you explicitly establish it, if not, you don't.


   2. the other choice is the exact opposite, namely allowing

      incidental relationships to be established simply because they

      connect to a node with direct relationships. To take an extreme

      light-spirited example, for the purpose of showing how

      "extraneous" relations are introduced, if the company CEO was a

      member of a company bowling team, where the captain of the

      bowling team happened to be a junior software engineer who just

      joined the company, then everyone in the company would suddenly

      have this junior engineer as their ancestor. Possibly this would

      be disallowed by acyclic graph rules, but a similar situation

      would occur if the VP of engineering was on a bowling team

      captained by the junior sales trainee, who would now be ancestor

      to everyone in engineering organization.


Both methods are acceptable for assigning relationships, but one or the
other may be more effective for one or another type of organization.
Personally, I think most enterprise security departments would favor
the first approach, because it appears to offer more direct control and
less chance of unintended consequences resulting from the assignment of
a direct relationship.


However, either choice can be used with either the "ancestor method" or
the "URI method". Which choice is made is a function of the node
collecting algorithm that is used for policy evaluation. i.e. when you
collect the parent nodes of the requested node,


    * choice 1 above means only collect those nodes to which the

      parent has a direct relationship with the requested node,

    * and choice 2 means collect all the nodes of choice 1 plus all

      other nodes where the parent has a hierarchical relationship

      that does not directly involve the requested node.


These are the two primary use cases of the DAG, which were mentioned
above. Which use case is chosen depends only on the node collection
algorithm and not how the nodes are represented. i.e. parents and
ancestors exist whether or not they are incorporated for handy access
within a URI or not.

When the URI can be used, the URI collection within the requested node
itself contains all the nodes that will be collected with method 1 and
there is no need to access any additional information.



  
Again, I am not trying to add or change
any of the existing functionality,
  


You are proposing an addition that is a subset of the more general
approach.

Hopefully, the description above satisfactorily demonstrates that the
URIs are simply a concrete mechanism to implement the general solution.
It is also a mechanism that, if used effectively, appears to be much
more efficient since all nodes that need to be collected in method 1
actually are already contained in the URI collection of the requested
node.

Therefore it is a concrete representation of the general approach,
however it is a concrete representation that capitalizes on the fact
that the object used to represent the node (the URI) has an equivalent
structure to the spatial relationships of the nodes in the DAG that
need to be collected in method 1, and so those nodes do not need to
collected at all since they are already present.

The same structural relationship exists in method 2, however, method 2
fans out so far so fast that collection outside the requested node will
be required to fulfill the needs of method 2.

It is functionally equivalent to the general approach, however, it has
the advantage that a single URI contains the normative identity of all
the required nodes for method 1 and some for method 2.


I understand that you favor a different approach to this problem. It
may be worth our while to create a separate profile for such an
approach, but I do not see any reason to muddy the existing one.


It should be clear from the above discussion that showing how URIs
address the same problem is not a "different approach". It is the same
approach, except the work required to collect the nodes is a lot less,
and can be eliminated almost completely depending on what node
collection strategy is chosen, method 1 or method 2.


Finally, it should be clear that the bulleted algorithms in section 3.2
of the spec represent a nonURI approach using a method 2 collection
algorithm.


Now that the problem is clearly defined, I expect it will take much
fewer words than have been exchanged in these emails to explain the
available options in section 3.2, which are:


   1. method 1 node collection, URI method (all nodes required are in

      requested node)

   2. method 1 node collection, ancestor method: (requested node has

      pointers to parents, but need to recursively navigate to parent

      to advance up the hierarchy, but does not navigate thru nodes of

      which the requested node is not a hierarchy member)

   3. method 2 node collection, URI method (subset of nodes required

      are in requested node, the rest must be obtained by recursively

      navigating based on parent hierarchy nodes of which requested

      node is not a member)

   4. method 2 node collection, ancestor method (this is the algorithm

      currently in section 3.2 bullets and need to recursively

      navigate thru all parent nodes regardless of whether requested

      node is a member of the hierarchy or not.)


These 2 choices of node collection are implicit in the DAG problem
definition and are not currently explained in the document and I
believe need to be. i.e. a DAG is the result of a set of hierarchies
(as defined above) being layed across a set of resources. i.e. it is
the result of a set of explicit relations being applied between pairs
of nodes. The "choice" is whether to retain the "history" of why those
relations were applied (i.e. the direct relations) or not. If you don't
then additional, indirect, extraneous relations automatically appear
and there is no way distinguish between them and the direct relations,
at least in the "general" or "ancestor" case. In the URI case, the
direct and indirect relations are always present and may be used or not
as a matter of choice.


The choice of ancestor or URI method for node identification is simply
whether URI "can" be used and whether URI is "desired" to be used.
Functionally, URI will produce the same results.


Thanks,

Rich



Daniel;

  




---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Hi Rich,

My understanding is that the commenter does not want to use URIs at all. 
Instead he wants to do it like this:

resource-id=r1
resource-ancestor=path
resource-ancestor=to
resource-ancestor=one
resource-ancestor=another

URI matching wouldn't help him.

Regards,
Erik


Rich.Levinson wrote:
> Hi Erik,
>
> With regard to your 2nd point on the comments/users list, it appears 
> to me that because the Hierarchical spec has the problems that I have 
> described in earlier emails, that the user has posed his question in 
> such a way that instead of advising the commenter on what appears to 
> me to be a simple obvious way to solve his problem, you instead have 
> been drawn into considering the user's suggestion that we change the 
> specs from the current explicit description in section 2.2 to one that 
> appears to me would significantly undermine the intent of the current 
> section 2.2.
>
> Now that we have hammered away at the hierarchical profile for several 
> emails, and if people have been reading the details, we can now take 
> another look at the question the commenter raised, which I had 
> previously said we should revisit in the context of my proposal (item 
> 3 here: http://lists.oasis-open.org/archives/xacml/200902/msg00004.html).
>
> The commenter's question is here:
> http://lists.oasis-open.org/archives/xacml-comment/200901/msg00003.html
>
> Your reply to him, where you said you would bring the issue to the TC, 
> is here:
> http://lists.oasis-open.org/archives/xacml/200901/msg00056.html
>
> This example shows exactly why I believe it is NECESSARY to add the 
> clarifying text that I have been talking about to section 3.2.
>
> It appears to me that this user has been clearly misled by the spec to 
> attempt to do what seems to me to be a wasteful and pointless exercise 
> of parsing URIs and then trying to make sense of the collection of 
> artifacts that he has produced. It appears to me that this is totally 
> unnecessary, and I would suggest that it has been a waste of his time 
> for being led down this path by the specifications, which is the point 
> I have repeatedly been making that the specs are insufficient in 
> section 3.2 in this regard .
>
> I am concerned that instead of addressing this type of problem with 
> the capabilities currently in the spec, that we are being drawn down a 
> path, which will effectively dismantle the perfectly good 
> functionality that is in the spec by removing the URI capability as it 
> currently exists.
>
> I think this user should be told that since his nodes are currently 
> identified by URIs that are in the form called for in section 2.2 that 
> he does not need to worry about collecting ancestors etc. and all he 
> needs to do is apply the XACML 2.0 anyURI-regexp-match as described in 
> section A.3.13 of the core spec and his problem is solved.
>
> As described in section 4.3 of the example doc in the archive 
> (http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf), 
> this function is simply specified as:
> 
>
> This is the kind of guidance I am recommending that we add to section 
> 3.2 of the Hierarchical Profile.
>
> As I understand your email, an alternative suggestion to address this 
> user situation is to recommend that the user parse his URIs into 
> components, and that we change the spec to alter the currently defined 
> URI capability (to no longer be a URI capability, with all the 
> inherent capabilities of a URI) in order that the customer be able to 
> do this?
>
> Let me further point out that I don't think there is any need to 
> change the spec, because it already says in section 2 that governs 2.2 
> that:
>
>     "The following sections describe RECOMMENDED representations for
>     nodes in hierarchical resources. Alternative representations of
>     nodes in a given resource are permitted so long as all Policy
>     Administration Points and all Policy Enforcement Points that deal
>     with that resource have contracted to use the alternative
>     representation."
>
> Therefore, if for some reason we advise against using what appears to 
> me to be an obvious standard capability described above with 
> anyURI-regexp-match, and would like users instead to parse their URIs 
> into components so that they can supply the components as a collection 
> of ancestors, I believe we are still able to do this because the 
> statement above appears to explicitly allows for nonURI 
> representations, in which case we would not have to do anything to 
> section 2.2.
>
> However, to be perfectly honest, I still see no advantage to applying 
> the bulleted capability procedure of section 3.2 to nodes that are 
> already identified by URIs.
>
> Comments welcome. I would really like to understand if there is a 
> legitimate reason for not using the URIs as is and replacing them by 
> collections of components.
>
>     Thanks,  
>     Rich
>
>
>
>
>
> Erik Rissanen wrote:
>> All,
>>
>> I've been in a rush today, so I haven't followed every detail in the 
>> discussion, but basically, here is how it appears to me:
>>
>> * The profile, as it stands today, does specify the limited URI 
>> scheme which Rich describes. It says in section 2.2 that:
>>
>> --8<--
>> The 

  
  


Hi Erik,


The commenter states the problem he is trying to solve as:


  
"I have a rule that says "permit if resource has ancestor 'path'"."

It is only after he follows the erroneous directions in section 3.2
that he runs into trouble, whereas if he used the suggestion in my
previous email the problem would already be solved and we would have no
issue.


I have done further research into this and I think that I can now say
unambiguously that section the bulleted algorithms in section 3.2 are
simply wrong, because they are based on an erroneous premise.


The erroneous premise is that it is assumed that a forest is the same
as a DAG. In fact, they are not the same. In particular, a forest is
generally defined as a disjoint set of trees. The important
word in this phrase is "disjoint". There are many reasons why this
problem must be modeled as a disjoint set, several of which have been
covered in previous emails.


The algorithms in section 3.2 are specifically not disjoint, which is
why they are in error. This error is simply corrected by a minor
modification to ensure disjointness.


At this point I would like to raise this to a formal issue, which I
would categorize as a recommendation to correct a SEVERE ERROR in the
Hierarchical Profile Specification.


We have already seen evidence as reported by this commenter that the
errors in this specification are leading users to do wrong and
irrelevant work, and we now have specific formal definitions of the
terms that express exactly what the error is and how it can be
corrected.


    Thanks,

    Rich





Erik Rissanen wrote:
499E7AE1.2010003@axiomatics.com" type="cite">Hi
Rich,


My understanding is that the commenter does not want to use URIs at
all. Instead he wants to do it like this:


resource-id=r1

resource-ancestor=path

resource-ancestor=to

resource-ancestor=one

resource-ancestor=another


URI matching wouldn't help him.


Regards,

Erik



Rich.Levinson wrote:

  
Hi Erik,


With regard to your 2nd point on the comments/users list, it appears to
me that because the Hierarchical spec has the problems that I have
described in earlier emails, that the user has posed his question in
such a way that instead of advising the commenter on what appears to me
to be a simple obvious way to solve his problem, you instead have been
drawn into considering the user's suggestion that we change the specs
from the current explicit description in section 2.2 to one that
appears to me would significantly undermine the intent of the current
section 2.2.


Now that we have hammered away at the hierarchical profile for several
emails, and if people have been reading the details, we can now take
another look at the question the commenter raised, which I had
previously said we should revisit in the context of my proposal (item 3
here: http://lists.oasis-open.org/archives/xacml/200902/msg00004.html).


The commenter's question is here:

http://lists.oasis-open.org/archives/xacml-comment/200901/msg00003.html


Your reply to him, where you said you would bring the issue to the TC,
is here:

http://lists.oasis-open.org/archives/xacml/200901/msg00056.html


This example shows exactly why I believe it is NECESSARY to add the
clarifying text that I have been talking about to section 3.2.


It appears to me that this user has been clearly misled by the spec to
attempt to do what seems to me to be a wasteful and pointless exercise
of parsing URIs and then trying to make sense of the collection of
artifacts that he has produced. It appears to me that this is totally
unnecessary, and I would suggest that it has been a waste of his time
for being led down this path by the specifications, which is the point
I have repeatedly been making that the specs are insufficient in
section 3.2 in this regard .


I am concerned that instead of addressing this type of problem with the
capabilities currently in the spec, that we are being drawn down a
path, which will effectively dismantle the perfectly good functionality
that is in the spec by removing the URI capability as it currently
exists.


I think this user should be told that since his nodes are currently
identified by URIs that are in the form called for in section 2.2 that
he does not need to worry about collecting ancestors etc. and all he
needs to do is apply the XACML 2.0 anyURI-regexp-match as described in
section A.3.13 of the core spec and his problem is solved.


As described in section 4.3 of the example doc in the archive
(http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf),
this function is simply specified as:

<Apply FunctionId="&anyURI-regexp-match;">

  <AttributeValue DataType="&string;"

    >http://example.com/path/*</AttributeValue>

  <Apply FunctionId="&string-one-and-only;">

    <ResourceAttributeDesignator AttributeId="&resource-id;"

        DataType="&string;">

  </Apply>

</Apply>


This is the kind of guidance I am recommending that we add to section
3.2 of the Hierarchical Profile.


As I understand your email, an alternative suggestion to address this
user situation is to recommend that the user parse his URIs into
components, and that we change the spec to alter the currently defined
URI capability (to no longer be a URI capability, with all the inherent
capabilities of a URI) in order that the customer be able to do this?


Let me further point out that I don't think there is any need to change
the spec, because it already says in section 2 that governs 2.2 that:


    "The following sections describe RECOMMENDED representations for

    nodes in hierarchical resources. Alternative representations of

    nodes in a given resource are permitted so long as all Policy

    Administration Points and all Policy Enforcement Points that deal

    with that resource have contracted to use the alternative

    representation."


Therefore, if for some reason we advise against using what appears to
me to be an obvious standard capability described above with
anyURI-regexp-match, and would like users instead to parse their URIs
into components so that they can supply the components as a collection
of ancestors, I believe we are still able to do this because the
statement above appears to explicitly allows for nonURI
representations, in which case we would not have to do anything to
section 2.2.


However, to be perfectly honest, I still see no advantage to applying
the bulleted capability procedure of section 3.2 to nodes that are
already identified by URIs.


Comments welcome. I would really like to understand if there is a
legitimate reason for not using the URIs as is and replacing them by
collections of components.


    Thanks,      Rich






Erik Rissanen wrote:
All,


I've been in a rush today, so I haven't followed every detail in the
discussion, but basically, here is how it appears to me:


* The profile, as it stands today, does specify the limited URI scheme
which Rich describes. It says in section 2.2 that:


--8<--

The <pathname> portion of the URI SHALL be of the form


<root name> [ “/” <node name> ]*


The sequence of <root name> and <node name> values SHALL
correspond to the individual hierarchical component names of ancestors
of the represented node along the path from a <root> node to the
represented node.

--8<--


So it in fact says that the identifiers must consists of paths with the
names of the ancestors.


* If I understand Daniel correctly, he says that each node should be
allowed to have a name which is entirely independent of the other nodes
in the hierarchy. Relations between the nodes are maintained in a
manner not specified by XACML and are expressed in XACML Requests and
policies in the form of the attributes resource-parent,
resource-ancestor, etc. I think that the more general approach
advocated by Daniel would be the correct way to go, so I agree with him
(and Seth I believe. :-))


* I also think as suggested on the XACML comments/users list that the
data type of the node identifier should not be limited to URIs only.


But I would prefer to leave major changes to the hierarchical profile
out of the first batch of CD documents.


Best regards,

Erik



Rich.Levinson wrote:
  
Hi Daniel and TC,


Hopefully, those who have followed the details of these emails
recognize that each step in the sequence has advanced the discussion in
a consistent manner and as a result we have done a fairly thorough job
of mapping out the problem space that is under discussion. In any event
I believe my comments in this email continue to advance the discussion
in a worthwhile manner, and I think will describe the complete problem
space as well as give a clear description of the options available, all
of which offer full functionality.


In the current phase, if I am not mistaken, it is a straight-forward
matter to apply definitions to the distinct categories of problems and
simply observe that we have two sets of tools which are equally
effective at solving each category of problem, where


    * one set of tools (let's call it the "ancestor method") is most

      effective when one is dealing with resources where it is not

      possible or desirable to apply URIs as normative identifiers

    * a second set of tools (let's call it the "URI method") which is

      available when one is dealing with resources where URIs can be

      applied as normative identifiers, and the designers want to take

      advantage of the powerful features inherent in URI objects, esp

      when applied to hierarchical problems.


Let me address Daniel's points below, then try to summarize the present
state of the discussion:


Daniel Engovatov wrote:
    


On Feb 18, 2009, at 3:05 PM, Rich.Levinson wrote:

      
Daniel, Seth, Erik, and TC,


If we stick to the generally accepted definition that an object in a
hierarchy can have at most one parent, then a URI solves the problem
without having to look beyond the URI itself
      


It is NOT a generally accepted definition and we did not stick to it on
purpose.

    
Whether it is generally accepted or not is probably not important here,
however, it is consistent with the structure of XML documents, such
that when we are talking about a "single hierarchy" of nonXML resources
that if we assert that this implies a structural relationship
equivalent to the structural relationship of the nodes of a well-formed
XML document, which is that each element can have at most one parent,
and the top element or node has zero parents.


This gives us a crisp unambiguous definition of the term "hierarchy"
which can be applied both to the XML and nonXML resources, and it
totally avoids trying to determine whether it is an "accepted"
definition or not, since that property is no longer relevant.


The point of this definition is to give us a conceptual framework
within which to evaluate the two primary use cases of the DAG, which as
will be explained are also clear and unambiguous well-defined use
cases.
    

      
However, if we allow the hierarchies
to break down and lose their inherent hierarchical properties, then
more complicated approaches, such as going outside the initial request
context to get more nodes, although still solvable w URIs as demo'd
below, are needed.

      


It is NOT "broken down"
    
True, in an absolute sense nothing is "broken", however, what has
happened is that we have allowed one class of DAG representation to be
impacted in such a way that we have allowed it to become the second
class of DAG representation because we did not clearly define the
distinction and what was to be allowed and not allowed. This has
nothing to with whether the ancestor or URI method is used. It has only
to do with the relationships that are allowed to be represented when
two resources are "connected" by virtue of their hierarchical
relationship being established.


Specifically, one has a choice of:


   1. only allowing the relationship that is being established to be

      active. For example if my boss is assigned to be subordinate to

      a task force leader when a cross functional team is being set

      up, this case would say that has no impact on my relationship

      with the task force leader unless I am a member of the task

      force. i.e. the task force leader has control over my boss's

      resources to whatever degree is implied by the task force

      situation, however the task force leader has zero direct control

      over my resources as a result of this assignment. In this model,

      that direct control could be simply be established by either

      assigning me directly to the task force leader, or assigning me

      a second subordinate relationship to my boss in the context of

      the task force relationship.

      This is a clearly defined process, where there is no ambiguity

      about relationships between the resources. If you want the

      relationship, you explicitly establish it, if not, you don't.


   2. the other choice is the exact opposite, namely allowing

      incidental relationships to be established simply because they

      connect to a node with direct relationships. To take an extreme

      light-spirited example, for the purpose of showing how

      "extraneous" relations are introduced, if the company CEO was a

      member of a company bowling team, where the captain of the

      bowling team happened to be a junior software engineer who just

      joined the company, then everyone in the company would suddenly

      have this junior engineer as their ancestor. Possibly this would

      be disallowed by acyclic graph rules, but a similar situation

      would occur if the VP of engineering was on a bowling team

      captained by the junior sales trainee, who would now be ancestor

      to everyone in engineering organization.


Both methods are acceptable for assigning relationships, but one or the
other may be more effective for one or another type of organization.
Personally, I think most enterprise security departments would favor
the first approach, because it appears to offer more direct control and
less chance of unintended consequences resulting from the assignment of
a direct relationship.


However, either choice can be used with either the "ancestor method" or
the "URI method". Which choice is made is a function of the node
collecting algorithm that is used for policy evaluation. i.e. when you
collect the parent nodes of the requested node,


    * choice 1 above means only collect those nodes to which the

      parent has a direct relationship with the requested node,

    * and choice 2 means collect all the nodes of choice 1 plus all

      other nodes where the parent has a hierarchical relationship

      that does not directly involve the requested node.


These are the two primary use cases of the DAG, which were mentioned
above. Which use case is chosen depends only on the node collection
algorithm and not how the nodes are represented. i.e. parents and
ancestors exist whether or not they are incorporated for handy access
within a URI or not.

When the URI can be used, the URI collection within the requested node
itself contains all the nodes that will be collected with method 1 and
there is no need to access any additional information.

    


      
Again, I am not trying to add or
change any of the existing functionality,
      


You are proposing an addition that is a subset of the more general
approach.
    
Hopefully, the description above satisfactorily demonstrates that the
URIs are simply a concrete mechanism to implement the general solution.
It is also a mechanism that, if used effectively, appears to be much
more efficient since all nodes that need to be collected in method 1
actually are already contained in the URI collection of the requested
node.

Therefore it is a concrete representation of the general approach,
however it is a concrete representation that capitalizes on the fact
that the object used to represent the node (the URI) has an equivalent
structure to the spatial relationships of the nodes in the DAG that
need to be collected in method 1, and so those nodes do not need to
collected at all since they are already present.

The same structural relationship exists in method 2, however, method 2
fans out so far so fast that collection outside the requested node will
be required to fulfill the needs of method 2.

It is functionally equivalent to the general approach, however, it has
the advantage that a single URI contains the normative identity of all
the required nodes for method 1 and some for method 2.
    


I understand that you favor a different approach to this problem. It
may be worth our while to create a separate profile for such an
approach, but I do not see any reason to muddy the existing one.

    
It should be clear from the above discussion that showing how URIs
address the same problem is not a "different approach". It is the same
approach, except the work required to collect the nodes is a lot less,
and can be eliminated almost completely depending on what node
collection strategy is chosen, method 1 or method 2.


Finally, it should be clear that the bulleted algorithms in section 3.2
of the spec represent a nonURI approach using a method 2 collection
algorithm.


Now that the problem is clearly defined, I expect it will take much
fewer words than have been exchanged in these emails to explain the
available options in section 3.2, which are:


   1. method 1 node collection, URI method (all nodes required are in

      requested node)

   2. method 1 node collection, ancestor method: (requested node has

      pointers to parents, but need to recursively navigate to parent

      to advance up the hierarchy, but does not navigate thru nodes of

      which the requested node is not a hierarchy member)

   3. method 2 node collection, URI method (subset of nodes required

      are in requested node, the rest must be obtained by recursively

      navigating based on parent hierarchy nodes of which requested

      node is not a member)

   4. method 2 node collection, ancestor method (this is the algorithm

      currently in section 3.2 bullets and need to recursively

      navigate thru all parent nodes regardless of whether requested

      node is a member of the hierarchy or not.)


These 2 choices of node collection are implicit in the DAG problem
definition and are not currently explained in the document and I
believe need to be. i.e. a DAG is the result of a set of hierarchies
(as defined above) being layed across a set of resources. i.e. it is
the result of a set of explicit relations being applied between pairs
of nodes. The "choice" is whether to retain the "history" of why those
relations were applied (i.e. the direct relations) or not. If you don't
then additional, indirect, extraneous relations automatically appear
and there is no way distinguish between them and the direct relations,
at least in the "general" or "ancestor" case. In the URI case, the
direct and indirect relations are always present and may be used or not
as a matter of choice.


The choice of ancestor or URI method for node identification is simply
whether URI "can" be used and whether URI is "desired" to be used.
Functionally, URI will produce the same results.


Thanks,

Rich

    


Daniel;
    
      




---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

  

Hi Rich,

I don't think I understand what you mean.

The commenter's resources are not disjoint. They are a DAG. Therefore he 
wants to use the "ancestor scheme" without URIs.

Regards,
Erik

Rich.Levinson wrote:
> Hi Erik,
>
> The commenter states the problem he is trying to solve as:
>
>     * "I have a rule that says "permit if resource has ancestor 'path'"."
>
> It is only after he follows the erroneous directions in section 3.2 
> that he runs into trouble, whereas if he used the suggestion in my 
> previous email the problem would already be solved and we would have 
> no issue.
>
> I have done further research into this and I think that I can now say 
> unambiguously that section the bulleted algorithms in section 3.2 are 
> simply wrong, because they are based on an erroneous premise.
>
> The erroneous premise is that it is assumed that a forest is the same 
> as a DAG. In fact, they are not the same. In particular, a forest is 
> generally defined as a *disjoint set of trees*. The important word in 
> this phrase is "disjoint". There are many reasons why this problem 
> must be modeled as a disjoint set, several of which have been covered 
> in previous emails.
>
> The algorithms in section 3.2 are specifically not disjoint, which is 
> why they are in error. This error is simply corrected by a minor 
> modification to ensure disjointness.
>
> At this point I would like to raise this to a formal issue, which I 
> would categorize as a recommendation to correct a SEVERE ERROR in the 
> Hierarchical Profile Specification.
>
> We have already seen evidence as reported by this commenter that the 
> errors in this specification are leading users to do wrong and 
> irrelevant work, and we now have specific formal definitions of the 
> terms that express exactly what the error is and how it can be corrected.
>
>     Thanks,
>     Rich
>
>
>
>
> Erik Rissanen wrote:
>> Hi Rich,
>>
>> My understanding is that the commenter does not want to use URIs at 
>> all. Instead he wants to do it like this:
>>
>> resource-id=r1
>> resource-ancestor=path
>> resource-ancestor=to
>> resource-ancestor=one
>> resource-ancestor=another
>>
>> URI matching wouldn't help him.
>>
>> Regards,
>> Erik
>>
>>
>> Rich.Levinson wrote:
>>> Hi Erik,
>>>
>>> With regard to your 2nd point on the comments/users list, it appears 
>>> to me that because the Hierarchical spec has the problems that I 
>>> have described in earlier emails, that the user has posed his 
>>> question in such a way that instead of advising the commenter on 
>>> what appears to me to be a simple obvious way to solve his problem, 
>>> you instead have been drawn into considering the user's suggestion 
>>> that we change the specs from the current explicit description in 
>>> section 2.2 to one that appears to me would significantly undermine 
>>> the intent of the current section 2.2.
>>>
>>> Now that we have hammered away at the hierarchical profile for 
>>> several emails, and if people have been reading the details, we can 
>>> now take another look at the question the commenter raised, which I 
>>> had previously said we should revisit in the context of my proposal 
>>> (item 3 here: 
>>> http://lists.oasis-open.org/archives/xacml/200902/msg00004.html).
>>>
>>> The commenter's question is here:
>>> http://lists.oasis-open.org/archives/xacml-comment/200901/msg00003.html
>>>
>>> Your reply to him, where you said you would bring the issue to the 
>>> TC, is here:
>>> http://lists.oasis-open.org/archives/xacml/200901/msg00056.html
>>>
>>> This example shows exactly why I believe it is NECESSARY to add the 
>>> clarifying text that I have been talking about to section 3.2.
>>>
>>> It appears to me that this user has been clearly misled by the spec 
>>> to attempt to do what seems to me to be a wasteful and pointless 
>>> exercise of parsing URIs and then trying to make sense of the 
>>> collection of artifacts that he has produced. It appears to me that 
>>> this is totally unnecessary, and I would suggest that it has been a 
>>> waste of his time for being led down this path by the 
>>> specifications, which is the point I have repeatedly been making 
>>> that the specs are insufficient in section 3.2 in this regard .
>>>
>>> I am concerned that instead of addressing this type of problem with 
>>> the capabilities currently in the spec, that we are being drawn down 
>>> a path, which will effectively dismantle the perfectly good 
>>> functionality that is in the spec by removing the URI capability as 
>>> it currently exists.
>>>
>>> I think this user should be told that since his nodes are currently 
>>> identified by URIs that are in the form called for in section 2.2 
>>> that he does not need to worry about collecting ancestors etc. and 
>>> all he needs to do is apply the XACML 2.0 anyURI-regexp-match as 
>>> described in section A.3.13 of the core spec and his problem is solved.
>>>
>>> As described in section 4.3 of the example doc in the archive 
>>> (http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf), 
>>> this function is simply specified as:
>>> 
>>>
>>> This is the kind of guidance I am recommending that we add to 
>>> section 3.2 of the Hierarchical Profile.
>>>
>>> As I understand your email, an alternative suggestion to address 
>>> this user situation is to recommend that the user parse his URIs 
>>> into components, and that we change the spec to alter the currently 
>>> defined URI capability (to no longer be a URI capability, with all 
>>> the inherent capabilities of a URI) in order that the customer be 
>>> able to do this?
>>>
>>> Let me further point out that I don't think there is any need to 
>>> change the spec, because it already says in section 2 that governs 
>>> 2.2 that:
>>>
>>>     "The following sections describe RECOMMENDED representations for
>>>     nodes in hierarchical resources. Alternative representations of
>>>     nodes in a given resource are permitted so long as all Policy
>>>     Administration Points and all Policy Enforcement Points that deal
>>>     with that resource have contracted to use the alternative
>>>     representation."
>>>
>>> Therefore, if for some reason we advise against using what appears 
>>> to me to be an obvious standard capability described above with 
>>> anyURI-regexp-match, and would like users instead to parse their 
>>> URIs into components so that they can supply the components as a 
>>> collection of ancestors, I believe we are still able to do this 
>>> because the statement above appears to explicitly allows for nonURI 
>>> representations, in which case we would not have to do anything to 
>>> section 2.2.
>>>
>>> However, to be perfectly honest, I still see no advantage to 
>>> applying the bulleted capability procedure of section 3.2 to nodes 
>>> that are already identified by URIs.
>>>
>>> Comments welcome. I would really like to understand if there is a 
>>> legitimate reason for not using the URIs as is and replacing them by 
>>> collections of components.
>>>
>>>     Thanks,      Rich
>>>
>>>
>>>
>>>
>>>
>>> Erik Rissanen wrote:
>>>> All,
>>>>
>>>> I've been in a rush today, so I haven't followed every detail in 
>>>> the discussion, but basically, here is how it appears to me:
>>>>
>>>> * The profile, as it stands today, does specify the limited URI 
>>>> scheme which Rich describes. It says in section 2.2 that:
>>>>
>>>> --8<--
>>>> The 

  


Hi Erik,


The problem presented by the commenter is analagous to:


    State/City01/MainStreet

    State/City02/MainStreet


Just because two separate cities have a street named MainStreet does
not mean these are the same street. These are two distinct normative
identifiers for two distinct resources.


A forest is a DAG, but a DAG is not necessarily a forest. When you
start using DAGs that are not forests or hierarchies, because the
member trees are not disjoint, then you are no longer talking about a
hierarchical profile.


Possibly we can consider splitting the Hierarchical Profile into two
profiles:


  
One called the Hierarchical Resource Profile, which deals with
hierarchies and forests
  
One called the DAG Resource Profile, which deals with more
general structures that are not necessarily hierarchies or forests, but
may incidentally be in special cases.

However, the current situation, where the profile named "Hierarchical"
deals with structures that are explicitly non-hierarchical, and
actually anti-hierarchical, in that they destroy the hierarchical
properties is not an acceptable state of affairs.


Labeling the profile "Hierarchical" and then representing it with
anti-hierarchical algorithms is a misrepresentation of its content and
a Severe Error, because it leads people to expect one thing and then
delivers something which is exactly NOT what it is labeled to be, and
has potential extreme severe unintended consequences when used as such.


My recommendation is to correct the content so that the specification
is no longer mislabeled, which is done by simple modifications to the
algorithms in section 3.2, which simply changes the node collection
algorithm to only collect the one and only parent node of the
requested node for each normative identity of the requested node
and then recursively for ancestors. (i.e. a node can have multiple
parents but they must be in disjoint trees)


    Thanks,

    Rich



Erik Rissanen wrote:
499E8674.6070709@axiomatics.com" type="cite">Hi
Rich,


I don't think I understand what you mean.


The commenter's resources are not disjoint. They are a DAG. Therefore
he wants to use the "ancestor scheme" without URIs.


Regards,

Erik


Rich.Levinson wrote:

  
Hi Erik,


The commenter states the problem he is trying to solve as:


    * "I have a rule that says "permit if resource has ancestor
'path'"."


It is only after he follows the erroneous directions in section 3.2
that he runs into trouble, whereas if he used the suggestion in my
previous email the problem would already be solved and we would have no
issue.


I have done further research into this and I think that I can now say
unambiguously that section the bulleted algorithms in section 3.2 are
simply wrong, because they are based on an erroneous premise.


The erroneous premise is that it is assumed that a forest is the same
as a DAG. In fact, they are not the same. In particular, a forest is
generally defined as a *disjoint set of trees*. The important word in
this phrase is "disjoint". There are many reasons why this problem must
be modeled as a disjoint set, several of which have been covered in
previous emails.


The algorithms in section 3.2 are specifically not disjoint, which is
why they are in error. This error is simply corrected by a minor
modification to ensure disjointness.


At this point I would like to raise this to a formal issue, which I
would categorize as a recommendation to correct a SEVERE ERROR in the
Hierarchical Profile Specification.


We have already seen evidence as reported by this commenter that the
errors in this specification are leading users to do wrong and
irrelevant work, and we now have specific formal definitions of the
terms that express exactly what the error is and how it can be
corrected.


    Thanks,

    Rich





Erik Rissanen wrote:
Hi Rich,


My understanding is that the commenter does not want to use URIs at
all. Instead he wants to do it like this:


resource-id=r1

resource-ancestor=path

resource-ancestor=to

resource-ancestor=one

resource-ancestor=another


URI matching wouldn't help him.


Regards,

Erik



Rich.Levinson wrote:
  
Hi Erik,


With regard to your 2nd point on the comments/users list, it appears to
me that because the Hierarchical spec has the problems that I have
described in earlier emails, that the user has posed his question in
such a way that instead of advising the commenter on what appears to me
to be a simple obvious way to solve his problem, you instead have been
drawn into considering the user's suggestion that we change the specs
from the current explicit description in section 2.2 to one that
appears to me would significantly undermine the intent of the current
section 2.2.


Now that we have hammered away at the hierarchical profile for several
emails, and if people have been reading the details, we can now take
another look at the question the commenter raised, which I had
previously said we should revisit in the context of my proposal (item 3
here: http://lists.oasis-open.org/archives/xacml/200902/msg00004.html).


The commenter's question is here:

http://lists.oasis-open.org/archives/xacml-comment/200901/msg00003.html


Your reply to him, where you said you would bring the issue to the TC,
is here:

http://lists.oasis-open.org/archives/xacml/200901/msg00056.html


This example shows exactly why I believe it is NECESSARY to add the
clarifying text that I have been talking about to section 3.2.


It appears to me that this user has been clearly misled by the spec to
attempt to do what seems to me to be a wasteful and pointless exercise
of parsing URIs and then trying to make sense of the collection of
artifacts that he has produced. It appears to me that this is totally
unnecessary, and I would suggest that it has been a waste of his time
for being led down this path by the specifications, which is the point
I have repeatedly been making that the specs are insufficient in
section 3.2 in this regard .


I am concerned that instead of addressing this type of problem with the
capabilities currently in the spec, that we are being drawn down a
path, which will effectively dismantle the perfectly good functionality
that is in the spec by removing the URI capability as it currently
exists.


I think this user should be told that since his nodes are currently
identified by URIs that are in the form called for in section 2.2 that
he does not need to worry about collecting ancestors etc. and all he
needs to do is apply the XACML 2.0 anyURI-regexp-match as described in
section A.3.13 of the core spec and his problem is solved.


As described in section 4.3 of the example doc in the archive
(http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf),
this function is simply specified as:

<Apply FunctionId="&anyURI-regexp-match;">

  <AttributeValue DataType="&string;"

    >http://example.com/path/*</AttributeValue>

  <Apply FunctionId="&string-one-and-only;">

    <ResourceAttributeDesignator AttributeId="&resource-id;"

        DataType="&string;">

  </Apply>

</Apply>


This is the kind of guidance I am recommending that we add to section
3.2 of the Hierarchical Profile.


As I understand your email, an alternative suggestion to address this
user situation is to recommend that the user parse his URIs into
components, and that we change the spec to alter the currently defined
URI capability (to no longer be a URI capability, with all the inherent
capabilities of a URI) in order that the customer be able to do this?


Let me further point out that I don't think there is any need to change
the spec, because it already says in section 2 that governs 2.2 that:


    "The following sections describe RECOMMENDED representations for

    nodes in hierarchical resources. Alternative representations of

    nodes in a given resource are permitted so long as all Policy

    Administration Points and all Policy Enforcement Points that deal

    with that resource have contracted to use the alternative

    representation."


Therefore, if for some reason we advise against using what appears to
me to be an obvious standard capability described above with
anyURI-regexp-match, and would like users instead to parse their URIs
into components so that they can supply the components as a collection
of ancestors, I believe we are still able to do this because the
statement above appears to explicitly allows for nonURI
representations, in which case we would not have to do anything to
section 2.2.


However, to be perfectly honest, I still see no advantage to applying
the bulleted capability procedure of section 3.2 to nodes that are
already identified by URIs.


Comments welcome. I would really like to understand if there is a
legitimate reason for not using the URIs as is and replacing them by
collections of components.


    Thanks,      Rich






Erik Rissanen wrote:
    
All,


I've been in a rush today, so I haven't followed every detail in the
discussion, but basically, here is how it appears to me:


* The profile, as it stands today, does specify the limited URI scheme
which Rich describes. It says in section 2.2 that:


--8<--

The <pathname> portion of the URI SHALL be of the form


<root name> [ “/” <node name> ]*


The sequence of <root name> and <node name> values SHALL
correspond to the individual hierarchical component names of ancestors
of the represented node along the path from a <root> node to the
represented node.

--8<--


So it in fact says that the identifiers must consists of paths with the
names of the ancestors.


* If I understand Daniel correctly, he says that each node should be
allowed to have a name which is entirely independent of the other nodes
in the hierarchy. Relations between the nodes are maintained in a
manner not specified by XACML and are expressed in XACML Requests and
policies in the form of the attributes resource-parent,
resource-ancestor, etc. I think that the more general approach
advocated by Daniel would be the correct way to go, so I agree with him
(and Seth I believe. :-))


* I also think as suggested on the XACML comments/users list that the
data type of the node identifier should not be limited to URIs only.


But I would prefer to leave major changes to the hierarchical profile
out of the first batch of CD documents.


Best regards,

Erik



Rich.Levinson wrote:
      
Hi Daniel and TC,


Hopefully, those who have followed the details of these emails
recognize that each step in the sequence has advanced the discussion in
a consistent manner and as a result we have done a fairly thorough job
of mapping out the problem space that is under discussion. In any event
I believe my comments in this email continue to advance the discussion
in a worthwhile manner, and I think will describe the complete problem
space as well as give a clear description of the options available, all
of which offer full functionality.


In the current phase, if I am not mistaken, it is a straight-forward
matter to apply definitions to the distinct categories of problems and
simply observe that we have two sets of tools which are equally
effective at solving each category of problem, where


    * one set of tools (let's call it the "ancestor method") is most

      effective when one is dealing with resources where it is not

      possible or desirable to apply URIs as normative identifiers

    * a second set of tools (let's call it the "URI method") which is

      available when one is dealing with resources where URIs can be

      applied as normative identifiers, and the designers want to take

      advantage of the powerful features inherent in URI objects, esp

      when applied to hierarchical problems.


Let me address Daniel's points below, then try to summarize the present
state of the discussion:


Daniel Engovatov wrote:
        


On Feb 18, 2009, at 3:05 PM, Rich.Levinson wrote:

          
Daniel, Seth, Erik, and TC,


If we stick to the generally accepted definition that an object in a
hierarchy can have at most one parent, then a URI solves the problem
without having to look beyond the URI itself
          


It is NOT a generally accepted definition and we did not stick to it on
purpose.

        
Whether it is generally accepted or not is probably not important here,
however, it is consistent with the structure of XML documents, such
that when we are talking about a "single hierarchy" of nonXML resources
that if we assert that this implies a structural relationship
equivalent to the structural relationship of the nodes of a well-formed
XML document, which is that each element can have at most one parent,
and the top element or node has zero parents.


This gives us a crisp unambiguous definition of the term "hierarchy"
which can be applied both to the XML and nonXML resources, and it
totally avoids trying to determine whether it is an "accepted"
definition or not, since that property is no longer relevant.


The point of this definition is to give us a conceptual framework
within which to evaluate the two primary use cases of the DAG, which as
will be explained are also clear and unambiguous well-defined use
cases.
        

          
However, if we allow the
hierarchies to break down and lose their inherent hierarchical
properties, then more complicated approaches, such as going outside the
initial request context to get more nodes, although still solvable w
URIs as demo'd below, are needed.

          


It is NOT "broken down"
        
True, in an absolute sense nothing is "broken", however, what has
happened is that we have allowed one class of DAG representation to be
impacted in such a way that we have allowed it to become the second
class of DAG representation because we did not clearly define the
distinction and what was to be allowed and not allowed. This has
nothing to with whether the ancestor or URI method is used. It has only
to do with the relationships that are allowed to be represented when
two resources are "connected" by virtue of their hierarchical
relationship being established.


Specifically, one has a choice of:


   1. only allowing the relationship that is being established to be

      active. For example if my boss is assigned to be subordinate to

      a task force leader when a cross functional team is being set

      up, this case would say that has no impact on my relationship

      with the task force leader unless I am a member of the task

      force. i.e. the task force leader has control over my boss's

      resources to whatever degree is implied by the task force

      situation, however the task force leader has zero direct control

      over my resources as a result of this assignment. In this model,

      that direct control could be simply be established by either

      assigning me directly to the task force leader, or assigning me

      a second subordinate relationship to my boss in the context of

      the task force relationship.

      This is a clearly defined process, where there is no ambiguity

      about relationships between the resources. If you want the

      relationship, you explicitly establish it, if not, you don't.


   2. the other choice is the exact opposite, namely allowing

      incidental relationships to be established simply because they

      connect to a node with direct relationships. To take an extreme

      light-spirited example, for the purpose of showing how

      "extraneous" relations are introduced, if the company CEO was a

      member of a company bowling team, where the captain of the

      bowling team happened to be a junior software engineer who just

      joined the company, then everyone in the company would suddenly

      have this junior engineer as their ancestor. Possibly this would

      be disallowed by acyclic graph rules, but a similar situation

      would occur if the VP of engineering was on a bowling team

      captained by the junior sales trainee, who would now be ancestor

      to everyone in engineering organization.


Both methods are acceptable for assigning relationships, but one or the
other may be more effective for one or another type of organization.
Personally, I think most enterprise security departments would favor
the first approach, because it appears to offer more direct control and
less chance of unintended consequences resulting from the assignment of
a direct relationship.


However, either choice can be used with either the "ancestor method" or
the "URI method". Which choice is made is a function of the node
collecting algorithm that is used for policy evaluation. i.e. when you
collect the parent nodes of the requested node,


    * choice 1 above means only collect those nodes to which the

      parent has a direct relationship with the requested node,

    * and choice 2 means collect all the nodes of choice 1 plus all

      other nodes where the parent has a hierarchical relationship

      that does not directly involve the requested node.


These are the two primary use cases of the DAG, which were mentioned
above. Which use case is chosen depends only on the node collection
algorithm and not how the nodes are represented. i.e. parents and
ancestors exist whether or not they are incorporated for handy access
within a URI or not.

When the URI can be used, the URI collection within the requested node
itself contains all the nodes that will be collected with method 1 and
there is no need to access any additional information.

        


          
Again, I am not trying to add or
change any of the existing functionality,
          


You are proposing an addition that is a subset of the more general
approach.
        
Hopefully, the description above satisfactorily demonstrates that the
URIs are simply a concrete mechanism to implement the general solution.
It is also a mechanism that, if used effectively, appears to be much
more efficient since all nodes that need to be collected in method 1
actually are already contained in the URI collection of the requested
node.

Therefore it is a concrete representation of the general approach,
however it is a concrete representation that capitalizes on the fact
that the object used to represent the node (the URI) has an equivalent
structure to the spatial relationships of the nodes in the DAG that
need to be collected in method 1, and so those nodes do not need to
collected at all since they are already present.

The same structural relationship exists in method 2, however, method 2
fans out so far so fast that collection outside the requested node will
be required to fulfill the needs of method 2.

It is functionally equivalent to the general approach, however, it has
the advantage that a single URI contains the normative identity of all
the required nodes for method 1 and some for method 2.
        


I understand that you favor a different approach to this problem. It
may be worth our while to create a separate profile for such an
approach, but I do not see any reason to muddy the existing one.

        
It should be clear from the above discussion that showing how URIs
address the same problem is not a "different approach". It is the same
approach, except the work required to collect the nodes is a lot less,
and can be eliminated almost completely depending on what node
collection strategy is chosen, method 1 or method 2.


Finally, it should be clear that the bulleted algorithms in section 3.2
of the spec represent a nonURI approach using a method 2 collection
algorithm.


Now that the problem is clearly defined, I expect it will take much
fewer words than have been exchanged in these emails to explain the
available options in section 3.2, which are:


   1. method 1 node collection, URI method (all nodes required are in

      requested node)

   2. method 1 node collection, ancestor method: (requested node has

      pointers to parents, but need to recursively navigate to parent

      to advance up the hierarchy, but does not navigate thru nodes of

      which the requested node is not a hierarchy member)

   3. method 2 node collection, URI method (subset of nodes required

      are in requested node, the rest must be obtained by recursively

      navigating based on parent hierarchy nodes of which requested

      node is not a member)

   4. method 2 node collection, ancestor method (this is the algorithm

      currently in section 3.2 bullets and need to recursively

      navigate thru all parent nodes regardless of whether requested

      node is a member of the hierarchy or not.)


These 2 choices of node collection are implicit in the DAG problem
definition and are not currently explained in the document and I
believe need to be. i.e. a DAG is the result of a set of hierarchies
(as defined above) being layed across a set of resources. i.e. it is
the result of a set of explicit relations being applied between pairs
of nodes. The "choice" is whether to retain the "history" of why those
relations were applied (i.e. the direct relations) or not. If you don't
then additional, indirect, extraneous relations automatically appear
and there is no way distinguish between them and the direct relations,
at least in the "general" or "ancestor" case. In the URI case, the
direct and indirect relations are always present and may be used or not
as a matter of choice.


The choice of ancestor or URI method for node identification is simply
whether URI "can" be used and whether URI is "desired" to be used.
Functionally, URI will produce the same results.


Thanks,

Rich

        


Daniel;
        
          




---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
    
      



  



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Hi Erik,

To complete the picture, there is the case where there are multiple 
logical paths to the same physical resource. For example:

    State/City01/PostOffice01/MainStreet
    State/City01/PostOffice02/MainStreet

In this case these are two normative identities for the same physical 
resource, however from a logical protection perspective they are treated 
as distinct logical resources, such as only allowing one type of mail 
thru PostOffice01, and a second type of mail thru PostOffice02. However, 
simply specifying the name "MainStreet" is obviously insufficient to 
distinguish between the two logical resources.
As an analogy, one may think of a person having two inboxes on their 
desk, one labeled PostOffice01, the other PostOffice02. Your mail gets 
to the same person at the same desk, but is placed in different 
containers at the desk.
The point is that there is no necessity in either case to break the 
hierarchical naming structure. However, using the algorithms in section 
3.2 will break the structure from an inheritance perspective, because it 
allows unintended inheritance to automatically occur. Along with the 
current algorithms in section 3.2 comes all the baggage of the multiple 
inheritance problem, which can easily be avoided, by simply using the 
URI naming structure already prescribed in section 2.2.

    Thanks,
    Rich


Rich.Levinson wrote:
> Hi Erik,
>
> The problem presented by the commenter is analagous to:
>
>    State/City01/MainStreet
>    State/City02/MainStreet
>
> Just because two separate cities have a street named MainStreet does 
> not mean these are the same street. These are two distinct normative 
> identifiers for two distinct resources.
>
> A forest is a DAG, but a DAG is not necessarily a forest. When you 
> start using DAGs that are not forests or hierarchies, because the 
> member trees are not disjoint, then you are no longer talking about a 
> hierarchical profile.
>
> Possibly we can consider splitting the Hierarchical Profile into two 
> profiles:
>
>    * One called the Hierarchical Resource Profile, which deals with
>      hierarchies and forests
>    * One called the DAG Resource Profile, which deals with more general
>      structures that are not necessarily hierarchies or forests, but
>      may incidentally be in special cases.
>
> However, the current situation, where the profile named "Hierarchical" 
> deals with structures that are explicitly non-hierarchical, and 
> actually anti-hierarchical, in that they destroy the hierarchical 
> properties is not an acceptable state of affairs.
>
> Labeling the profile "Hierarchical" and then representing it with 
> anti-hierarchical algorithms is a misrepresentation of its content and 
> a Severe Error, because it leads people to expect one thing and then 
> delivers something which is exactly NOT what it is labeled to be, and 
> has potential extreme severe unintended consequences when used as such.
>
> My recommendation is to correct the content so that the specification 
> is no longer mislabeled, which is done by simple modifications to the 
> algorithms in section 3.2, which simply changes the node collection 
> algorithm to only collect *the one and only parent node of the 
> requested node for each normative identity of the requested node* and 
> then recursively for ancestors. (i.e. a node can have multiple parents 
> but they must be in disjoint trees)
>
>    Thanks,
>    Rich
>
>
> Erik Rissanen wrote:
>> Hi Rich,
>>
>> I don't think I understand what you mean.
>>
>> The commenter's resources are not disjoint. They are a DAG. Therefore 
>> he wants to use the "ancestor scheme" without URIs.
>>
>> Regards,
>> Erik
>>
>> Rich.Levinson wrote:
>>> Hi Erik,
>>>
>>> The commenter states the problem he is trying to solve as:
>>>
>>>     * "I have a rule that says "permit if resource has ancestor 
>>> 'path'"."
>>>
>>> It is only after he follows the erroneous directions in section 3.2 
>>> that he runs into trouble, whereas if he used the suggestion in my 
>>> previous email the problem would already be solved and we would have 
>>> no issue.
>>>
>>> I have done further research into this and I think that I can now 
>>> say unambiguously that section the bulleted algorithms in section 
>>> 3.2 are simply wrong, because they are based on an erroneous premise.
>>>
>>> The erroneous premise is that it is assumed that a forest is the 
>>> same as a DAG. In fact, they are not the same. In particular, a 
>>> forest is generally defined as a *disjoint set of trees*. The 
>>> important word in this phrase is "disjoint". There are many reasons 
>>> why this problem must be modeled as a disjoint set, several of which 
>>> have been covered in previous emails.
>>>
>>> The algorithms in section 3.2 are specifically not disjoint, which 
>>> is why they are in error. This error is simply corrected by a minor 
>>> modification to ensure disjointness.
>>>
>>> At this point I would like to raise this to a formal issue, which I 
>>> would categorize as a recommendation to correct a SEVERE ERROR in 
>>> the Hierarchical Profile Specification.
>>>
>>> We have already seen evidence as reported by this commenter that the 
>>> errors in this specification are leading users to do wrong and 
>>> irrelevant work, and we now have specific formal definitions of the 
>>> terms that express exactly what the error is and how it can be 
>>> corrected.
>>>
>>>     Thanks,
>>>     Rich
>>>
>>>
>>>
>>>
>>> Erik Rissanen wrote:
>>>> Hi Rich,
>>>>
>>>> My understanding is that the commenter does not want to use URIs at 
>>>> all. Instead he wants to do it like this:
>>>>
>>>> resource-id=r1
>>>> resource-ancestor=path
>>>> resource-ancestor=to
>>>> resource-ancestor=one
>>>> resource-ancestor=another
>>>>
>>>> URI matching wouldn't help him.
>>>>
>>>> Regards,
>>>> Erik
>>>>
>>>>
>>>> Rich.Levinson wrote:
>>>>> Hi Erik,
>>>>>
>>>>> With regard to your 2nd point on the comments/users list, it 
>>>>> appears to me that because the Hierarchical spec has the problems 
>>>>> that I have described in earlier emails, that the user has posed 
>>>>> his question in such a way that instead of advising the commenter 
>>>>> on what appears to me to be a simple obvious way to solve his 
>>>>> problem, you instead have been drawn into considering the user's 
>>>>> suggestion that we change the specs from the current explicit 
>>>>> description in section 2.2 to one that appears to me would 
>>>>> significantly undermine the intent of the current section 2.2.
>>>>>
>>>>> Now that we have hammered away at the hierarchical profile for 
>>>>> several emails, and if people have been reading the details, we 
>>>>> can now take another look at the question the commenter raised, 
>>>>> which I had previously said we should revisit in the context of my 
>>>>> proposal (item 3 here: 
>>>>> http://lists.oasis-open.org/archives/xacml/200902/msg00004.html).
>>>>>
>>>>> The commenter's question is here:
>>>>> http://lists.oasis-open.org/archives/xacml-comment/200901/msg00003.html 
>>>>>
>>>>>
>>>>> Your reply to him, where you said you would bring the issue to the 
>>>>> TC, is here:
>>>>> http://lists.oasis-open.org/archives/xacml/200901/msg00056.html
>>>>>
>>>>> This example shows exactly why I believe it is NECESSARY to add 
>>>>> the clarifying text that I have been talking about to section 3.2.
>>>>>
>>>>> It appears to me that this user has been clearly misled by the 
>>>>> spec to attempt to do what seems to me to be a wasteful and 
>>>>> pointless exercise of parsing URIs and then trying to make sense 
>>>>> of the collection of artifacts that he has produced. It appears to 
>>>>> me that this is totally unnecessary, and I would suggest that it 
>>>>> has been a waste of his time for being led down this path by the 
>>>>> specifications, which is the point I have repeatedly been making 
>>>>> that the specs are insufficient in section 3.2 in this regard .
>>>>>
>>>>> I am concerned that instead of addressing this type of problem 
>>>>> with the capabilities currently in the spec, that we are being 
>>>>> drawn down a path, which will effectively dismantle the perfectly 
>>>>> good functionality that is in the spec by removing the URI 
>>>>> capability as it currently exists.
>>>>>
>>>>> I think this user should be told that since his nodes are 
>>>>> currently identified by URIs that are in the form called for in 
>>>>> section 2.2 that he does not need to worry about collecting 
>>>>> ancestors etc. and all he needs to do is apply the XACML 2.0 
>>>>> anyURI-regexp-match as described in section A.3.13 of the core 
>>>>> spec and his problem is solved.
>>>>>
>>>>> As described in section 4.3 of the example doc in the archive 
>>>>> (http://www.oasis-open.org/committees/download.php/7315/xacml-profile-hierarchical-resources-nonXML-1.0-draft01.pdf), 
>>>>> this function is simply specified as:
>>>>> 
>>>>>
>>>>> This is the kind of guidance I am recommending that we add to 
>>>>> section 3.2 of the Hierarchical Profile.
>>>>>
>>>>> As I understand your email, an alternative suggestion to address 
>>>>> this user situation is to recommend that the user parse his URIs 
>>>>> into components, and that we change the spec to alter the 
>>>>> currently defined URI capability (to no longer be a URI 
>>>>> capability, with all the inherent capabilities of a URI) in order 
>>>>> that the customer be able to do this?
>>>>>
>>>>> Let me further point out that I don't think there is any need to 
>>>>> change the spec, because it already says in section 2 that governs 
>>>>> 2.2 that:
>>>>>
>>>>>     "The following sections describe RECOMMENDED representations for
>>>>>     nodes in hierarchical resources. Alternative representations of
>>>>>     nodes in a given resource are permitted so long as all Policy
>>>>>     Administration Points and all Policy Enforcement Points that deal
>>>>>     with that resource have contracted to use the alternative
>>>>>     representation."
>>>>>
>>>>> Therefore, if for some reason we advise against using what appears 
>>>>> to me to be an obvious standard capability described above with 
>>>>> anyURI-regexp-match, and would like users instead to parse their 
>>>>> URIs into components so that they can supply the components as a 
>>>>> collection of ancestors, I believe we are still able to do this 
>>>>> because the statement above appears to explicitly allows for 
>>>>> nonURI representations, in which case we would not have to do 
>>>>> anything to section 2.2.
>>>>>
>>>>> However, to be perfectly honest, I still see no advantage to 
>>>>> applying the bulleted capability procedure of section 3.2 to nodes 
>>>>> that are already identified by URIs.
>>>>>
>>>>> Comments welcome. I would really like to understand if there is a 
>>>>> legitimate reason for not using the URIs as is and replacing them 
>>>>> by collections of components.
>>>>>
>>>>>     Thanks,      Rich
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Erik Rissanen wrote:
>>>>>> All,
>>>>>>
>>>>>> I've been in a rush today, so I haven't followed every detail in 
>>>>>> the discussion, but basically, here is how it appears to me:
>>>>>>
>>>>>> * The profile, as it stands today, does specify the limited URI 
>>>>>> scheme which Rich describes. It says in section 2.2 that:
>>>>>>
>>>>>> --8<--
>>>>>> The 

On Feb 20, 2009, at 8:15 AM, Rich.Levinson wrote:

> Hi Erik,
>
> The problem presented by the commenter is analagous to:
>
>     State/City01/MainStreet
>     State/City02/MainStreet
>
> Just because two separate cities have a street named MainStreet  
> does not mean these are the same street. These are two distinct  
> normative identifiers for two distinct resources.
>

Yes, those are too distinct identifiers, and XACML does not need to  
know anything about its internal structure.    You could identify  
streets by there geographical coordinates, cities by zip codes and  
states by the last name of its governor.  It will work the same.   No  
naming schemes are needed in any form or shape.

You also want to be able to inherit the policy for a "street" from  
county.  County may be represented as "State/County" and city will  
not be on the path.  All you need to supply to PDP is an unordered  
bag containing
{"State/City01/MainStreet", "State/County1", "State/City01"}  If you  
decide to change county identifier to "Nevada County, CA", you do not  
need to change any naming schemes.   You will just need to update  
rules that target county and its descendants.   PDP should not care  
what do you use for identifying policy targets.

This approach introduces the absolute minimum (none) of new concepts  
that PDP need to understand.   You do not need to maintain and  
process any naming schemes.   It covers all possible structures for  
the purpose of policy inheritance.  It does not need to cover  
anything else.

The root of this whole discussion is that we have tried to use one  
document to describe two different solutions.  Proper course would be  
to split it, and leave one for XML documents/URI and one for  
"ancestors" approach.

P.S. On the side note, when we designed a protection scheme for XML  
data structures for what is now known as Oracle Data Service  
Integrator, we found it next to useless trying to rely on XML data  
structure for the purpose of policy inheritance.   We chose to bind  
schema elements directly to protected resources that followed their  
own separate and more generic hierarchy.   That allows a reuse of  
policies independent of transformation and re-factoring of the XML.    
That is similar to the issue of maintaining any hierarchical naming  
schemes for enterprise resources - you do want to decouple them from  
access policy rules.

Daniel;

  


Hi Daniel,


I think this appears to be a step in the right direction, and I have
modified the Subject line above to indicate this.


Let me try to find common ground inline below:


Daniel Engovatov wrote:
daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">

On Feb 20, 2009, at 8:15 AM, Rich.Levinson wrote:


  
Hi Erik,


The problem presented by the commenter is analagous to:


    State/City01/MainStreet

    State/City02/MainStreet


Just because two separate cities have a street named MainStreet does
not mean these are the same street. These are two distinct normative
identifiers for two distinct resources.


  


Yes, those are too distinct identifiers, and XACML does not need to
know anything about its internal structure.    You could identify
streets by there geographical coordinates, cities by zip codes and
states by the last name of its governor.  It will work the same.   No
naming schemes are needed in any form or shape.


While it is true that xacml does not "need" to know anything about the
internal structure of the identifiers, xacml at the same time "defines"
functions such as anyURI-regexp-match and a host of others designed to
deal with the internals structure of identifiers and capitalize on the
value inherent in those value-added constructs to a basic string.

daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">

You also want to be able to inherit the policy for a "street" from
county.  County may be represented as "State/County" and city will not
be on the path.  All you need to supply to PDP is an unordered bag
containing

{"State/City01/MainStreet", "State/County1", "State/City01"}  If you
decide to change county identifier to "Nevada County, CA", you do not
need to change any naming schemes.   You will just need to update rules
that target county and its descendants.   PDP should not care what do
you use for identifying policy targets.


I agree that it is desirable to be able to inherit policy. However, DAG
only offers a limited form of inheritance which is that all subordinate
nodes in all hierarchies of the node being attached to, as well as the
node itself inherit from the attaching node. In DAG this is automatic
and there is no stopping it.


A "Forest" which is a "disjoint set of trees" is a functionally
specialized value-added subclass of DAG. The value add is that all
nodes retain the knowledge of the tree in which they originated.
Therefore when a tree is added to a forest its member nodes retain
their original tree identity. As such, one has options on inheritance
not available in the more general DAG.


Some examples include that an attaching node can have its policy apply
to only the attached node, or any or all of the attached nodes
subordinates. This is a classic "task force" type capability where the
members of a task force are subordinate to the task force leader, but
the subordinates of the members are not unless explicitly selected to
be members.


DAG cannot support this construct, because it retains no information
about its connections other than source and destination node. i.e. any
hierarchical information in a set of attaching nodes is automatically
lost when joining the DAG.


daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">

This approach introduces the absolute minimum (none) of new concepts
that PDP need to understand.   You do not need to maintain and process
any naming schemes.   It covers all possible structures for the purpose
of policy inheritance.  It does not need to cover anything else.


Hierarchical naming schemes are really irrelevant for this discussion,
because their value is primarily for use with Forests. They have little
or no value in the more general DAG, so I can understand why you
consider them unnecessary and extraneous. However, for a Forest they
can have significant value.


From this perspective, I suppose one could say that section 2.2 is
"Forest-oriented" and section 3.2 is "DAG-oriented" since the
mechanisms in the two sections are really only useful for the framework
for which they have just been identified as "-oriented".

daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">

The root of this whole discussion is that we have tried to use one
document to describe two different solutions.  
I agree that the root of the discussion is that the document has
co-mingled two distinct conceptual frameworks for ordering a collection
of nonXML nodes:


  
DAG: a collection of (overlapping) trees with no cyclic routes
(also no memory or way to identify the original trees to which a node
belonged)
  
Forest: a disjoint collection of (overlapping) trees which may
have the exact same structure as any DAG (the disjoint property means
that the explicit trees of which each node is a member is retained,
which means one can always navigate the original hierarchies).

Basically,


  
if one applies a hierarchical structure of nodes across a DAG the
connections are retained but they are indistinguishable from the
connections already present in the DAG and so the hierarchical
properties of the added structure as distinct from the rest of the DAG,
are, in general, lost.
  
whereas if one applies the exact same hierarchical structure of
nodes across a Forest, which has the exact same connectedness within
its class as the DAG, the hierarchical connections within the structure
being added are retained AND they are permanently distinguishable and
one can use them to walk the original hierarchy and members can be
added and removed within the retained hierarchical structures within
the Forest.

  

daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">Proper course would be to split it, and leave one for XML
documents/URI and one for "ancestors" approach.


I think there are a variety of options available in addition to the one
you suggest.


Basically, I do not believe the public, in general, or even the highly
technical public can be assumed to understand the distinction between
Forest and DAG, at least not without a brief explanation similar to
what I tried to do above, so I recommend including such information,
possibly in the Glossary of any option.


Here are some options in addition to an explanatory glossary, I
consider reasonable:


  
Modify existing document so that nonXML nodes are described with
DAG option and with Forest option. This can be done minimally as
follows:
  

    
 Change the identifier in section 2.2 to indicate that
it is forest-oriented:

    

      
"urn:oasis:names:tc:xacml:2.0:profile:hierarchical:forest:non-xml-node-id"
    
    
Add an identifier in section 3.2 to indicate the
forest algorithms:

    

      
"urn:oasis:names:tc:xacml:2.0:profile:hierarchical:forest:non-xml-node-req"
    
    
Add an alternative set of bulleted algorithms to section
3.2, which are the same as the existing ancestor algorithms except
specify that only the parent and ancestor nodes of the requested node
are collected which are direct ancestors of one of the normative
identities of the requested node (which is possible, because with a
forest the original parent identifier is always retained for each
hierarchy the requested node still belongs to or has been added to
since joining the forest).

  
  
Any variation, rearrangement, separation, or enhancement,
building on the contents identified in #1.

I think that's it. The whole discussion boils down to definition of
Forest and DAG and the minor changes to the spec required to identify
the changes those objects imply, which simply boils down to retaining
some information when a node is added and using that information when
ancestor nodes are collected.


Notice also, that the forest can use either set of algorithms, since it
contains the information necessary for both.


Similarly, the URI naming scheme can, in principle, be used for both,
although it is much more useful in the Forest, however, it can,
remarkably, be used in the DAG to impute the properties of the forest
to the DAG.


daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">

P.S. On the side note, when we designed a protection scheme for XML
data structures for what is now known as Oracle Data Service
Integrator, we found it next to useless trying to rely on XML data
structure for the purpose of policy inheritance.   We chose to bind
schema elements directly to protected resources that followed their own
separate and more generic hierarchy.   That allows a reuse of policies
independent of transformation and re-factoring of the XML.   That is
similar to the issue of maintaining any hierarchical naming schemes for
enterprise resources - you do want to decouple them from access policy
rules.


Daniel;


Hopefully, some other people will be able to objectively review this
information in its consolidated form and provide input. Personally, I
can't think of much more to say about it. Also, I think it has been a
useful exercise, and I appreciate the time and effort that Daniel has
expended to help reach the current level of understanding of the
situation. I know I have learned a lot.


    Thanks,

    Rich


daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">


 The problem presented by the commenter is analagous to:

     State/City01/MainStreet
     State/City02/MainStreet

 Just because two separate cities have a street named MainStreet does not mean these are the same street. These are two distinct normative identifiers for two distinct resources.

  

 Yes, those are too distinct identifiers, and XACML does not need to know anything about its internal structure.    You could identify streets by there geographical coordinates, cities by zip codes and states by the last name of its governor.  It will work the same.   No naming schemes are needed in any form or shape.
 
 While it is true that xacml does not "need" to know anything about the internal structure of the identifiers, xacml at the same time "defines" functions such as anyURI-regexp-match and a host of others designed to deal with the internals structure of identifiers and capitalize on the value inherent in those value-added constructs to a basic string.

They are designed to be used against data defined outside of the XACML specification.  Key difference here is that XACML does not specify anything about them.  Nobody should be forced to invent and maintain a resource categorization scheme just to be able to use normative hierarchical policies.


 DAG cannot support this construct, because it retains no information about its connections other than source and destination node. i.e. any hierarchical information in a set of attaching nodes is automatically lost when joining the DAG.


No information other then that is needed for policy evaluation so it is omitted on purpose.     Details of the resource ontology supported by the external system are irrelevant to the PDP.


 
daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">
 This approach introduces the absolute minimum (none) of new concepts that PDP need to understand.   You do not need to maintain and process any naming schemes.   It covers all possible structures for the purpose of policy inheritance.  It does not need to cover anything else.
 
 Hierarchical naming schemes are really irrelevant for this discussion, because their value is primarily for use with Forests. They have little or no value in the more general DAG, so I can understand why you consider them unnecessary and extraneous. However, for a Forest they can have significant value.


Naming schemes should not be a subject of discussion as XACML does not need to know anything about any naming schemes.  They are part of an external system.    We may create a profile that make use of a naming scheme - and we have done that for "XML type" hierarchy, but I think it should not be a part of the core XACML.

 
daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite">Proper course would be to split it, and leave one for XML documents/URI and one for "ancestors" approach. 

 Basically, I do not believe the public, in general, or even the highly technical public can be assumed to understand the distinction between Forest and DAG, at least not without a brief explanation similar to what I tried to do above, so I recommend including such information, possibly in the Glossary of any option.


I have not had any troubles explaining the existing approach to both technical and non technical people so far.   This discussion is the first case.


 Here are some options in addition to an explanatory glossary, I consider reasonable:
 
  
Modify existing document so that nonXML nodes are described with DAG option and with Forest option. This can be done minimally as follows:
  
    
 Change the identifier in section 2.2 to indicate that it is forest-oriented:
    
    
      
"urn:oasis:names:tc:xacml:2.0:profile:hierarchical:forest:non-xml-node-id"
Making an incompatible identifier change is probably not a good idea.


daniel@streamdynamics.com,0984FBD0-516B-448A-AC41-8C4E7" type="cite"> P.S. On the side note, when we designed a protection scheme for XML data structures for what is now known as Oracle Data Service Integrator, we found it next to useless trying to rely on XML data structure for the purpose of policy inheritance.   We chose to bind schema elements directly to protected resources that followed their own separate and more generic hierarchy.   That allows a reuse of policies independent of transformation and re-factoring of the XML.   That is similar to the issue of maintaining any hierarchical naming schemes for enterprise resources - you do want to decouple them from access policy rules.

 Daniel;
 
 Hopefully, some other people will be able to objectively review this information in its consolidated form and provide input. Personally, I can't think of much more to say about it. Also, I think it has been a useful exercise, and I appreciate the time and effort that Daniel has expended to help reach the current level of understanding of the situation. I know I have learned a lot.



I think we really should have more then a single profile.  Existing one is a mess due to us presenting two concepts in the same doc.  Core one based on a bag of ancestors, and separate profiles for popular naming schemes, such as URI (or rather IRI, to make l18n folks happy). 

Daniel