Subject: RE: [saml-dev] Decision="Deny" with <Action>Read</Action> VERSUS Decision="Permit" with <Action>~Read</Action>


Roger,

Definitely prefer Approach 1.

It is clear you do not have read authorization.

For Approach 2, I have to ask what "authorization of what could be interpreted as a non-read operation" means. What I am saying is that form would confuse most of the implementers around me.

 

Michael A. Barnhart

Technical Data Integrity - System Architect

817-763-3372

michael.a.barnhart@lmco.com

 


From: Costello, Roger L. [mailto:costello@mitre.org]
Sent: Thursday, March 30, 2006 9:11 AM
To: saml-dev@lists.oasis-open.org; Costello, Roger L.
Subject: [saml-dev] Decision="Deny" with <Action>Read</Action> VERSUS Decision="Permit" with <Action>~Read</Action>

 

Hi Folks,

 

As I understand it, the AuthzDecisionStatement is used to indicate a decision (by an Identity Provider, IdP) regarding whether a subject should be allowed to access a resource.

 

Suppose that the resource is "employee salaries". Here's the resource URL:

    Resource="http://www.CarRentalInc.com/employees/salaries"

 

Suppose the decision is to deny read-access. There seem to be two approaches to express this:

 

 

Approach 1

    <AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries"
                            Decision="Deny">
        <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">Read</Action>
    </AuthzDecisionStatement>

Approach 2

    <AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries"
                            Decision="Permit">
        <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">~Read</Action>
    </AuthzDecisionStatement>


In Approach 1 the decision is to Deny Read access to the employees' salaries.

In Approach 2 the decision is to Permit "not Reading" of the employees' salaries.

 

Questions:

 

  1. Are both approaches stating the same thing?
  2. Which approach is preferred?

 

Thanks!  /Roger
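Here is an added Python example (not code from either poster) that evaluates the two statements from the question for a requested action. It assumes the elements sit in the SAML 2.0 assertion namespace and uses the standard rwedc and rwedc-negation action namespaces; the second, substring-based matcher shows how a consumer that does not understand the negation namespace could read Permit ~Read as Permit Read, which is the kind of implementer confusion the reply points to.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
RWEDC = "urn:oasis:names:tc:SAML:1.0:action:rwedc"
RWEDC_NEG = "urn:oasis:names:tc:SAML:1.0:action:rwedc-negation"

# Constructed inputs: the two statements from the question, wrapped in the
# SAML 2.0 assertion namespace (an assumption; the mail omits xmlns).
APPROACH_1 = f"""<AuthzDecisionStatement xmlns="{SAML2}"
    Resource="http://www.CarRentalInc.com/employees/salaries" Decision="Deny">
  <Action Namespace="{RWEDC_NEG}">Read</Action>
</AuthzDecisionStatement>"""

APPROACH_2 = f"""<AuthzDecisionStatement xmlns="{SAML2}"
    Resource="http://www.CarRentalInc.com/employees/salaries" Decision="Permit">
  <Action Namespace="{RWEDC_NEG}">~Read</Action>
</AuthzDecisionStatement>"""

# Positive control: an explicit Permit of Read in the plain rwedc namespace.
PERMIT_READ = f"""<AuthzDecisionStatement xmlns="{SAML2}"
    Resource="http://www.CarRentalInc.com/employees/salaries" Decision="Permit">
  <Action Namespace="{RWEDC}">Read</Action>
</AuthzDecisionStatement>"""


def is_action_permitted(statement_xml, action="Read"):
    """Fail-closed evaluation: True only if the statement is a Permit that
    names `action` itself (not its negation) in a namespace we understand."""
    root = ET.fromstring(statement_xml)
    if root.get("Decision") != "Permit":
        return False  # Deny and Indeterminate both mean "not permitted"
    for act in root.findall(f"{{{SAML2}}}Action"):
        ns = act.get("Namespace")
        name = (act.text or "").strip()
        if ns == RWEDC_NEG and name.startswith("~"):
            continue  # a negated action never grants the action it names
        if ns in (RWEDC, RWEDC_NEG) and name == action:
            return True
    return False


def substring_is_permitted(statement_xml, action="Read"):
    """What goes wrong for a consumer that ignores the negation namespace and
    matches action names by substring: Permit ~Read is taken as Permit Read."""
    root = ET.fromstring(statement_xml)
    names = [(a.text or "") for a in root.iter(f"{{{SAML2}}}Action")]
    return root.get("Decision") == "Permit" and any(action in n for n in names)
```

Under the strict evaluator both approaches deny Read, but only Approach 1 says so in a form that survives a consumer with no knowledge of rwedc-negation.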

 


