Subject: an idea about XACML Admin Draft
Dear XACML Committee,

While reading and using the XACML Administrative policy draft (thanks to Mr. Erik Rissanen for patiently helping me understand the draft precisely), I feel that the policy/policyset type definition and the delegate in rule matching processing are not clear. I think changing some definitions may make it clearer. My ideas are as follows.

Add an attribute to policyset and policy. The attribute looks like:

    <xs:attribute name="PolicyType" type="xacml:policyType" use="required"/>

The value of policytype may be Access, Administrative or both. Access and both mean the policy/set is applied to access requests. Administrative and both mean the policy/set is applied to administrative requests. The AllowAccessRequest attribute of Delegates could be deleted.

If policytype is access, it never matches an administrative request. If policytype is administrative, it never matches an access request. If policytype is both and the request is an access request, the delegate is missing. Then the delegates processing idea is the same as for Subjects, Resources etc. If the policy/set is an administrative policy, for an administrative request, it means there is no constraint or any delegate.

The rule evaluation processing is almost the same as in XACML core, except for adding delegate matching, which is the same as for Subjects etc.

Another virtue is that we could hierarchically describe constraints on delegates through policyset, policy and rule.

Best Regards
-----------------------------------------------------------------------
Li XiaoFeng
Email: xiaofeng03 (at) iscas (dot) cn
       lxf (at) is (dot) iscas (dot) ac (dot) cn
Department: LOIS, Institute of Software, Chinese Academy of Sciences
Address: 4# South Fourth Street, Zhong Guan Cun, Beijing, P.R. CHINA
-----------------------------------------------------------------------
2006.08.4