Now I'm more confused. Is E1 a resource being protected, or an Entity being given a permission?
When I re-read the example, it looks like you're allowing E3 and E4 to perform <operation> on E1.
Is that right, or is E1 being granted permission to perform the <operation>?
>>> "Drummond Reed" <drummond.reed@xxxxxxxxxxxx> 06/26/08 4:33 PM >>>
The operation is not represented as an entity. It’s just an arc (URI) between the PolicyEntity and the Entity to which permission for the operation is being granted.
From: higgins-dev-bounces@xxxxxxxxxxx [mailto:higgins-dev-bounces@xxxxxxxxxxx] On Behalf Of Jim Sermersheim
Sent: Thursday, June 26, 2008 12:33 PM
To: higgins-dev <higgins-dev@xxxxxxxxxxx>
Subject: [higgins-dev] Re: Revised access control policy Entity modeling
Why is the operation represented as an entity? Is it more complex than a simple URI?
>>> Paul Trevithick <paul@xxxxxxxxxxxxxxxxx> 06/26/08 11:15 AM >>>
Hi Jim,
After conversations with Drummond, it appears that there is a simpler way to model the access control semantics of a PolicyEntity. The new proposal is shown below and attached as a TIFF. Only one of the higgins:subject arcs shown below would be needed in the simplest case, but I drew both to show both possible kinds of subjects. As I hope is self-evident, the example below states that subject E3 and subject E4 are permitted <some kind of operation> (e.g. higgins:get, higgins:mod, higgins:del) on Entity E1 (that is, any or all Attributes of E1).
-Paul
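The policy as Paul's message describes it, written out as arcs with a default-deny check (an added sketch, not part of the thread and not Higgins code). The PolicyEntity id `P1`, the triple representation and the evaluation rule are assumptions; the arc URIs and E1/E3/E4 are taken from the message.

```python
from collections import namedtuple

# One arc in the graph: source node, arc URI, target node.
Arc = namedtuple("Arc", "source uri target")

SUBJECT = "higgins:subject"
OPERATIONS = {"higgins:get", "higgins:mod", "higgins:del"}

# Constructed sample graph. "P1" is a hypothetical PolicyEntity id.
ARCS = [
    Arc("P1", SUBJECT, "E3"),        # subject arc: who is permitted
    Arc("P1", SUBJECT, "E4"),
    Arc("P1", "higgins:get", "E1"),  # operation arc: which Entity is acted on
]


def policies(arcs):
    """Group arcs by source node into (subjects, {(operation, resource)})."""
    grouped = {}
    for arc in arcs:
        subjects, grants = grouped.setdefault(arc.source, (set(), set()))
        if arc.uri == SUBJECT:
            subjects.add(arc.target)
        elif arc.uri in OPERATIONS:
            grants.add((arc.uri, arc.target))
        # Any other arc URI carries no access control meaning in this sketch.
    return grouped


def is_permitted(arcs, subject, operation, resource):
    """Default deny: allow only when a single PolicyEntity has both a
    higgins:subject arc to `subject` and an `operation` arc to `resource`."""
    return any(
        subject in subjects and (operation, resource) in grants
        for subjects, grants in policies(arcs).values()
    )
```

Under this reading E1 is the protected resource: `is_permitted(ARCS, "E3", "higgins:get", "E1")` is true, while the reverse query with E1 as the subject is denied.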