This is a post in a serious of discussions I am starting to get some discussion going on XACML. I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML. The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0.
This discussion thread is to discuss managing resources as it relates to XACML. I think this is actually just a part of the policy administration point where you will be authoring the policies about who has access to what. However, there is just a few details of resource management that I would like to bring up here.
The first thing to discuss is that resources can often be organized into a hierarchy, in which you may want to grant access at the parent level in some cases or at finer grain level than others. If your resources are pages in a web application, perhaps you want to grant access to an entire section of a site, or maybe another user just has access to one page. So the resource management capability needs to be able to organize them into a hierarchy. The JBoss PDP is capable of decisioning based on hierarchy, but a way to manage it is necessary.
The other item is that many of the resources you need to protect are already defined in some other way and just need to be imported or synchronized to the central resource directory. When the application server starts up it is able identify all of the available servlets, ejbs, and other resources from deployment descriptors, rather than requiring a XACML administrator go into the PAP and create all these resources, and maintain them as they are added/removed within an application... there should be a way for the application server to communicate with the PAP to keep the resource directory synchronized. Its also possible that the resource being protected is not an application resource, but a data resource (access to an account), and this too may need synchronization (between an operational database and the resource directory).