If we delete the original policy then anyone can access the data more than 10 times. Whitelisting is needed to avoid alerts for valid usage of data which may not apply for the 99%. Why not when we process the events for policies we also do a quick check on the "whitelists" first then do the comparison for the other policies.
By this we will catch if a particular event is ok under a whitelist. Then its only normal processing. Thanks, Arun >For UC1 ³allow user to only access some particular data², it is a good >business use case. Technically we should be aware of that each policy will >be evaluated once for each event or each window of events. >So, for a particular user, we can¹t define 2 or more such whitelist policy >as today each policy is independently evaluated. >For UC2 why not just delete original policy? It looks it introduce another >complexity of policy priority. You would like the new whitelist policy to >override original policy. We should discuss. > On Wed, Nov 11, 2015 at 4:22 PM, Zhang, Edward (GDI Hadoop) < [email protected]> wrote: > resent > > On 11/8/15, 11:53, "Zhang, Edward (GDI Hadoop)" <[email protected]> wrote: > > >For UC1 ³allow user to only access some particular data², it is a good > >business use case. Technically we should be aware of that each policy will > >be evaluated once for each event or each window of events. > >So, for a particular user, we can¹t define 2 or more such whitelist policy > >as today each policy is independently evaluated. > > > >For UC2 why not just delete original policy? It looks it introduce another > >complexity of policy priority. You would like the new whitelist policy to > >override original policy. We should discuss. > > > >Thanks > >Edward Zhang > > > >On 11/8/15, 9:11, "Manoharan, Arun" <[email protected]> wrote: > > > >>Hi Folks, > >> > >>There is a need for a whitelist feature in Eagle. > >> > >>Current Feature: > >>Today most of the policies are set based on ³If any user access abc.dat > >>data 10 times send an alert². > >> > >>UC1: > >>In case of a whitelist you can say ³Allow user Arun to only access > >>particular data sets like abc.data² If anything else send an alert. > >> > >>UC2: > >>You can white list a user to say this user ³Y² can access abc.dat more > >>than 10 times. This should not trigger an alert which was originally put > >>in place based on [current feature]. > >> > >>I would like to start the discussion on this feature. > >> > >>Thanks, > >>Arun > >
