saml-dev message

Subject: Decision="Deny" with <Action>Read</Action> VERSUS Decision="Permit" with <Action>~Read</Action>


Hi Folks,

 

As I understand it, the AuthzDecisionStatement is used to indicate a decision (by an Identity Provider, IdP) regarding whether a subject should be allowed to access a resource.

 

Suppose that the resource is “employee salaries”.  Here’s the resource URL:

 

    Resource="http://www.CarRentalInc.com/employees/salaries"

 

Suppose the decision is to deny read-access.  There seem to be two approaches to express this:

 

 

Approach 1

 

<AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries"
                        Decision="Deny">
      <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">Read</Action>
</AuthzDecisionStatement>

 

 

Approach 2

 

<AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries"
                        Decision="Permit">
      <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">~Read</Action>
</AuthzDecisionStatement>

 

 

In Approach 1 the decision is to Deny Read access to the employees' salaries.

 

In Approach 2 the decision is to Permit not Reading the employees' salaries.

 

Questions:

 

  1. Are both approaches stating the same thing?
  2. Which approach is preferred?

 

Thanks!  /Roger
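An added example, not from Roger's post or from the SAML specification, that parses both fragments above and evaluates a Read request fail-closed: only an explicit Decision="Permit" on the positive action grants access, an explicit Deny always wins, and a negated action such as ~Read is surfaced for audit rather than silently treated as a Deny. The sample fragments, the stmt() helper and the evaluate() function are constructed for this example; elements are matched by local name so the fragments work with or without the SAML assertion namespace.

```python
import xml.etree.ElementTree as ET

RWEDC_NEG = "urn:oasis:names:tc:SAML:1.0:action:rwedc-negation"
SALARIES = "http://www.CarRentalInc.com/employees/salaries"

def stmt(decision, action):
    # Constructed helper: builds one well-formed AuthzDecisionStatement fragment.
    return (f'<AuthzDecisionStatement Resource="{SALARIES}" Decision="{decision}">'
            f'<Action Namespace="{RWEDC_NEG}">{action}</Action>'
            '</AuthzDecisionStatement>')

APPROACH_1 = stmt("Deny", "Read")     # Deny + Read
APPROACH_2 = stmt("Permit", "~Read")  # Permit + negated action

def _local(tag):
    return tag.rsplit("}", 1)[-1]     # strip any "{namespace}" prefix

def parse_statements(xml_text):
    """Return every AuthzDecisionStatement as resource, decision and (namespace, action) pairs."""
    root = ET.fromstring(xml_text)
    out = []
    for el in root.iter():            # iter() includes the root element itself
        if _local(el.tag) != "AuthzDecisionStatement":
            continue
        actions = [(a.get("Namespace", ""), (a.text or "").strip())
                   for a in el if _local(a.tag) == "Action"]
        out.append({"resource": el.get("Resource"), "decision": el.get("Decision"),
                    "actions": actions})
    return out

def evaluate(xml_text, resource, action):
    """Fail-closed check: granted only by an explicit Permit on the positive action with no Deny."""
    explicit_permit = explicit_deny = False
    negated = []                      # negated actions are reported, not interpreted
    for s in parse_statements(xml_text):
        if s["resource"] != resource: # statements about other resources never apply
            continue
        for ns, act in s["actions"]:
            if ns == RWEDC_NEG and act.startswith("~"):
                negated.append((s["decision"], act))
                continue
            if act != action:
                continue
            if s["decision"] == "Deny":
                explicit_deny = True
            elif s["decision"] == "Permit":
                explicit_permit = True
    return {"granted": explicit_permit and not explicit_deny,
            "explicit_permit": explicit_permit, "explicit_deny": explicit_deny,
            "negated_actions": negated}
```

Any other Decision value (for example Indeterminate) is neither a Permit nor a Deny here, so it leaves access ungranted.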

 


