[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Use case for AttributeQuery that includes AttributeValue
I would like to advocate for including an optional AttributeValue
in an AttributeQuery.
Here is a use case. In role based access control, there is often
a need for "separation of duty", where a subject may hold only
one of two conflicting roles at a time - if the subject already
has role A activated for the current session, then the subject is
not allowed to have role B activated. For example, if the
subject already has the "purchase requester" role activated, then
the subject may not have the "purchase approver" role activated.
In such a case, it is not possible to request all attributes for
the subject, or even all attribute with Name="Role". Even though
the subject is permitted to hold either the "purchase requester"
or the "purchase approver" role, the subject is not allowed to
hold both.
The access control policy evaluator must first determine what
action the subject is trying to perform ("request a purchase" or
"approve a purchase") and then request the particular required
value of the Name="Role" attribute from an Attribute Authority
(via a SAML AttributeQuery, if AttributeValue requests are
supported).
It would be possible in this case to create two separate
Boolean-valued Attributes, one with name "PurchaseRequestRole"
and the other with name "PurchaseApproverRole", but this is
imposing unnecessary constraints on the definition and management
of Attributes.
Anne Anderson
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]