Re: [regrep] [Proposed Change] Replace Association confirmation withreference access control

["Carl Mattocks" <carlmattocks@checkmi.com>]

In my mind I have 'reserved' the use of 'assertion' for 'core component
building' thus being a key part of 'Context Declaration' ...
acknowledged it would be useful to state who (and their role) formed any
(& all) 'object association cum classification'  ... is it not  better to
leverage the policies & rules structures of XACML to establish how this
should be done ?


<quote who="Duane Nickull">
> My opinion is that "who" makes the assertion is an essential part of the
> association.  Their views may not necessarily be 100% correct or agreed
> to by all parties since things like context of use can affect semantics.
>  I would support that someone can make a unilateral assertion and we
> have a mechanism whereby a reciprocal association can be declared or
> agreed to.
>
> One issue may be manageability.  Imagine UBL puts its schema into a
> registry and gets 50,000 people each asserting via associations they
> "use" certain objects.  The owner of UBL in that registry may not want
> the responsibility of having to respond to each and every case.
>
> My $0.02
>
> Duane
>
>
>
> Farrukh Najmi wrote:
>
>>
>> I am working actively on the 2.9 spec (precursor to 3.0). In version
>> 2.5 and earlier we have a concept of
>> Association Confirmation as defined in section 8.6 of ebRIM 2.5. The
>> idea is that in an extramural association
>> (association between objects owned by different parties) if I create
>> an association with someone else's object
>> they MUST confirm that association in order for it to be fully valid.
>> There are clumsy ways to confirm and
>> unconfirm an extramural Association described in 8.6.2 and 8.6.3.
>>
>> In version 2.9 we will add clarifications to the XACML feature to
>> define precisely how fine grained access
>> control can control WHO gets to REFERENCE a RegistryObject and under
>> what circumstances. The WHO is
>> the Subject, the REFERENCE is the Action and the RegistryObject is the
>> resource.
>>
>> For example you will be able to define an ACP that say:
>>
>> I allow a reference to my object to be created only if all the
>> following conditions are met:
>>
>> a) The subject making the reference has role "ProjectLeader"
>>
>> b)  that reference is from an Association instance
>>
>> c) the reference is being made via the sourceObject property of
>> Association
>>
>> d) the value of the associationType attribute in association
>> identifies the "Supercedes" associationType
>>
>> Given this powerful and flexible capability it seems very clumsy and
>> unnecessary to have the
>> existing Association confirmation feature.
>>
>> I would like to propose that we remove Association Confirmation
>> feature and instead leverage the
>> reference Access Control feature to control who can create an
>> extramural association to someone else's
>> objects. This simplifies the spec greatly and can also be another
>> example where our specs use a few
>> good primitive features to support higher level features or
>> requirements.
>>
>> Thoughts?
>>
>


-- 
Carl Mattocks

co-Chair OASIS (ISO/TS 15000) ebXMLRegistry Semantic Content SC
co-Chair OASIS Business Centric Methodology TC
CEO CHECKMi
v/f (usa) 908 322 8715
www.CHECKMi.com
Semantically Smart Compendiums
(AOL) IM CarlCHECKMi