Friday, June 27, 2003

Capabilities vs. Access Control Lists

Phil Windley presents another effort (or two or three) to take some existing functionality and express it as an XML-based standard.

XACML is the language of the Policy Decision Point, or PDP. The PDP is the chunk of code that receives access requests, checks to see whether they should be granted, and returns an appropriate response. The PDP is not necessarily the same as the place where credentials are stored. It merely needs access to that service, ideally via SPML. The PDP could be a module running in the local system or a remote system accessed over the Internet.

Again I have to plead ignorance and plead for the principles, guidelines, and scenarios for when to use this functionality. Why is this the right thing to do? Is it ready to use? When would I choose something else? I hope I can dig into the references and find this information.

For example, why are ACLs the right model? A capability-based model might be more appropriate, e.g. as provided by Waterken.

