<p>(I'm the technical lead for TSPM, or Tivoli Security Policy Manager for others that aren't familiar with the product).</p>
<p>The use case you're describing is definitely possible. You probably don't need to focus on the raw XACML though - we go to a lot of effort to provide a higher-level user interface for authoring policies.</p>
<p>One way to model this would be to have each link be represented by a different structure point in TSPM's UI, with appropriate policy attached to each. For example, two links could have policy that represents "permit all users at any time" and one link could have "permit when current-time is before midnight".</p>
<p>You would then call our runtime before rendering each link to see if the currently authenticated user should be able to view it. You could also make one call to get a list of currently viewable links if you prefer.</p>
<p>You could use the WebSphere Portal tag library or our Authorization API if you're running on WebSphere. If you're not, it's really easy to build a web service client for most platforms that can call our authorization service using XACML over SOAP. For more information on calling the authorization service, see our <a href="https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Security%20Policy%20Manager/page/Developing" rel="nofollow">public wiki</a>.</p>
<p>Edit:</p>
<p>I realized I didn't really address your question, which is about what a resource is in terms of XACML. As you may know, XACML breaks the request context into four sections: Subject, Resource, Action and Environment. Each of these sections contains zero or more Attributes, each with an identifier and a type. A resource in XACML is simply an attribute, or a combination of attributes, from the Resource section that together uniquely identifies whatever you're protecting.</p>
<p>The spec defines the identifier <code>urn:oasis:names:tc:xacml:1.0:resource:resource-id</code> for this purpose, and it can be of any type but is usually a string or a URI.</p>
<p>In your use case, each link might have a string identifier like "link-1", "link-2" and "link-3". Your policy would use these identifiers, and your application would pass these in when requesting a decision for each link.</p>
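The request context described in the answer above, as an added example that is not part of the original post and not TSPM code: it builds a request with one attribute in each of the four sections, identifies the link through `resource-id`, and renders a link only on an explicit Permit. Assumptions: the XACML 2.0 context namespace, the `view` action name, all function names, and the `POLICY` table with its 18:00 cutoff, which is a constructed stand-in for the real decision service.

```python
import xml.etree.ElementTree as ET
from datetime import time

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # XACML 2.0 request context
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
ET.register_namespace("", CTX)

def build_request(user, link_id, now):
    """Serialize one decision request: one attribute in each of the four sections."""
    req = ET.Element(f"{{{CTX}}}Request")
    for section, attr_id, dtype, value in (
        ("Subject", SUBJECT_ID, "string", user),
        ("Resource", RESOURCE_ID, "string", link_id),
        ("Action", ACTION_ID, "string", "view"),  # "view" is an assumed action name
        ("Environment", CURRENT_TIME, "time", now.isoformat()),
    ):
        sec = ET.SubElement(req, f"{{{CTX}}}{section}")
        attr = ET.SubElement(sec, f"{{{CTX}}}Attribute",
                             AttributeId=attr_id, DataType=XS + dtype)
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")

def get_attr(request_xml, section, attr_id):
    """Return the first value of attr_id in the given section, or None."""
    root = ET.fromstring(request_xml)
    for attr in root.findall(f"{{{CTX}}}{section}/{{{CTX}}}Attribute"):
        if attr.get("AttributeId") == attr_id:
            return attr.findtext(f"{{{CTX}}}AttributeValue")
    return None

# Constructed policy table (assumption): None = any time, else permit before cutoff.
POLICY = {"link-1": None, "link-2": None, "link-3": time(18, 0)}

def decide(request_xml):
    """Toy decision point keyed on resource-id; returns an XACML decision string."""
    rid = get_attr(request_xml, "Resource", RESOURCE_ID)
    if rid not in POLICY:
        return "NotApplicable"  # no policy targets this resource
    cutoff = POLICY[rid]
    now = time.fromisoformat(get_attr(request_xml, "Environment", CURRENT_TIME))
    return "Permit" if cutoff is None or now < cutoff else "Deny"

def viewable_links(user, links, now):
    """Enforcement side: render a link only on an explicit Permit."""
    return [link for link in links if decide(build_request(user, link, now)) == "Permit"]
```

An identifier with no matching policy (`link-9` in the test) comes back NotApplicable and is not rendered, because the enforcement side treats anything other than Permit as a refusal.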
 
