Dan Gradl [
http://community.jboss.org/people/dgradl] created the discussion
"XACML Resource Management"
To view the discussion, visit:
http://community.jboss.org/message/639710#639710
--------------------------------------------------------------
This is a post in a series of discussions I am starting to get some discussion going on
XACML. I led the implementation of XACML on a large scale using the original SunXACML
libraries as the PDP and I am sharing some of my insights as a way to elicit some
requirements on the further development of XACML. The original post and index to these
discussions is
http://community.jboss.org/thread/175091?tstart=0.
This discussion thread is to discuss managing resources as it relates to XACML. I think
this is actually just a part of the policy administration point where you will be
authoring the policies about who has access to what. However, there are just a few details
of resource management that I would like to bring up here.
The first thing to discuss is that resources can often be organized into a hierarchy, in
which you may want to grant access at the parent level in some cases or at a finer-grained
level in others. If your resources are pages in a web application, perhaps you want to
grant access to an entire section of a site, or maybe another user just has access to one
page. So the resource management capability needs to be able to organize them into a
hierarchy. The JBoss PDP is capable of decisioning based on hierarchy, but a way to
manage it is necessary.
The other item is that many of the resources you need to protect are already defined in
some other way and just need to be imported or synchronized to the central resource
directory. When the application server starts up it is able to identify all of the
available servlets, EJBs, and other resources from deployment descriptors, so rather than
requiring a XACML administrator to go into the PAP and create all these resources, and
maintain them as they are added/removed within an application... there should be a way for
the application server to communicate with the PAP to keep the resource directory
synchronized. It's also possible that the resource being protected is not an application
resource, but a data resource (access to an account), and this too may need
synchronization (between an operational database and the resource directory).
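The two points above (a resource hierarchy where a grant at a parent covers its children unless something more specific applies, and keeping the resource directory in sync with what the application server discovers from deployment descriptors) can be modelled in a few lines. The following is an added example, not code from the post, from SunXACML, or from the JBoss/PicketBox PDP or PAP. It assumes a hypothetical resource-id scheme of slash-separated paths (`/<app>/<url-path>`), a constructed `web.xml` fragment as the discovery source, a "most specific node first, first applicable rule wins" walk up the hierarchy, and a sync rule that adds newly discovered resources (plus their implied parents) and drops ones no longer deployed. None of that is how the JBoss PDP actually evaluates hierarchical resources; it is only the shape of the two requirements described above.

```python
"""Toy model of hierarchical XACML-style resource management (added example, not JBoss code)."""
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor; not taken from any real application.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet><servlet-name>Admin</servlet-name><servlet-class>x.Admin</servlet-class></servlet>
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin/users</url-pattern></servlet-mapping>
  <servlet><servlet-name>Report</servlet-name><servlet-class>x.Report</servlet-class></servlet>
  <servlet-mapping><servlet-name>Report</servlet-name><url-pattern>/reports/monthly.jsp</url-pattern></servlet-mapping>
</web-app>"""

NS = {"j": "http://java.sun.com/xml/ns/javaee"}


def resources_from_web_xml(xml_text, app="shop"):
    """Pull url-patterns out of a web.xml and turn them into hierarchical resource ids.

    Resource-id scheme (an assumption of this example): '/<app>' + servlet path.
    A wildcard mapping such as '/admin/*' becomes the '/<app>/admin' node so that
    everything underneath it inherits whatever is granted at that node.
    """
    root = ET.fromstring(xml_text)
    ids = set()
    for pattern in root.iterfind("j:servlet-mapping/j:url-pattern", NS):
        path = pattern.text.strip()
        if path.endswith("/*"):
            path = path[:-2]
        ids.add(f"/{app}{path}")
    return sorted(ids)


def ancestors(resource_id):
    """Yield resource_id and each parent node up to the root, most specific first."""
    parts = resource_id.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])


def sync_directory(directory, discovered):
    """Reconcile the central resource directory (a set) with what the server discovered.

    Newly seen resources and the parent nodes they imply are added; resources that are
    no longer deployed are removed. Returns (added, removed) so an administrator can
    review what changed instead of re-keying the whole application by hand.
    """
    wanted = set()
    for r in discovered:
        wanted.update(ancestors(r))
    added = wanted - directory
    removed = directory - wanted
    directory -= removed
    directory |= added
    return sorted(added), sorted(removed)


# Hypothetical policies: (resource node, required role, effect).
# A rule attached to a parent node covers every descendant unless a rule on a more
# specific node applies first.
POLICIES = [
    ("/shop/admin", "admin", "Permit"),
    ("/shop/admin", "contractor", "Permit"),
    ("/shop/admin/users", "contractor", "Deny"),      # carve-out below a parent grant
    ("/shop/admin/users", "helpdesk", "Permit"),       # grant at the fine-grained level only
    ("/shop/reports/monthly.jsp", "analyst", "Permit"),
]


def decide(subject_roles, resource_id, policies=POLICIES):
    """Walk from the requested resource up through its parents; the first rule whose
    node matches and whose role the subject holds decides. No match -> NotApplicable."""
    for node in ancestors(resource_id):
        for res, role, effect in policies:
            if res == node and role in subject_roles:
                return effect
    return "NotApplicable"


if __name__ == "__main__":
    directory = {"/shop", "/shop/admin", "/shop/old"}
    print("discovered:", resources_from_web_xml(WEB_XML))
    print("added/removed:", sync_directory(directory, resources_from_web_xml(WEB_XML)))
    for roles, res in [({"admin"}, "/shop/admin/settings"),
                       ({"contractor"}, "/shop/admin/users"),
                       ({"helpdesk"}, "/shop/admin")]:
        print(roles, res, "->", decide(roles, res))
```

Running the module shows the parent grant for `admin` covering `/shop/admin/settings` (a page that was never individually registered), the `contractor` Deny on `/shop/admin/users` overriding the parent Permit because the more specific node is visited first, and `helpdesk` getting NotApplicable at `/shop/admin` while being permitted one level down. The sync step reports `/shop/old` as removed and the newly mapped servlets (with the implied `/shop/reports` node) as added.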