xacml-comment message

Subject: Re: [xacml-comment] who should use XACML?


You need to provide more details on your authorization scenarios. I think, in general, if your authorization rules depend on many attributes, and on rules constructed using these attributes, then XACML is a good match.

I can give you an example on what kind of rules I've implemented for my employer.

Bill Pay Authorization:
-----------------------
1. If the number of transactions is bigger than T within a period of time P, disable BillPay
2. If the amount of a transaction is bigger than X or smaller than Y, disable BillPay
3. If the type of payment is not in the list, disable BillPay
4. If a user is signed up for the Bill Pay service, use a different set of rules (T, P, X, Y will be different)
...

and so on. I had approximately 10 business rules like that for BillPay.

If you can easily derive all your authorization decisions from a user ID only then I would not recommend using XACML - use a traditional RBAC model instead, because XACML will definitely add complexity and increase the cost of your authz solution.



--- On Mon, 9/22/08, kurt steele <arcticranger3@yahoo.com> wrote:

> From: kurt steele <arcticranger3@yahoo.com>
> Subject: [xacml-comment] who should use XACML?
> To: xacml-comment@lists.oasis-open.org
> Date: Monday, September 22, 2008, 12:33 PM
> I am doing some research for a media firm in NYC and I have
> a simple question.
>  
> They need a solution for:
>  
> 1. authorization of users of our CMS
> 2. general users of our public entertainment websites. 
> There are 300 or so of these and the rights policies can be
> complex.  The policies often specify restrictions based
> on geographic location of the subject and the resource.
>  
> Is XACML targeted at both of these scenarios?  Or
> is it only meant for inter-agency or inter-company rights
> interaction?  
>  
> I find it hard to equate internal CMS access with public
> website access, they seem like very different animals to
> me.  So any views on that would help also.
>  
> Thanks.  
>  
> Arc
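
The BillPay rules in the reply above, worked through as a small attribute-based policy decision point. This is an added example, not code from the poster or from any XACML implementation; it is not a XACML engine, but it mirrors the XACML building blocks the rules map onto: a Rule with an Effect and a Condition, a Policy with a Target, a PolicySet, and the deny-overrides combining algorithm. The threshold values (T, P, X, Y), the payment-type lists and the request attributes are placeholders chosen for the example, not the poster's values.

```python
"""Attribute-based decision logic for the BillPay rules, modelled after XACML.

Constructed example. Thresholds, payment types and request attributes are
placeholders; nothing here is taken from a real deployment.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

Attributes = Dict[str, object]
Condition = Callable[[Attributes], bool]

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def deny_overrides(decisions: Iterable[str]) -> str:
    """XACML-style deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    seen = set(decisions)
    if DENY in seen:
        return DENY
    if PERMIT in seen:
        return PERMIT
    return NOT_APPLICABLE


@dataclass
class Rule:
    rule_id: str
    effect: str           # PERMIT or DENY
    condition: Condition  # predicate over the request attributes

    def evaluate(self, req: Attributes) -> str:
        return self.effect if self.condition(req) else NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    target: Condition     # which requests this policy applies to (XACML Target)
    rules: List[Rule]

    def evaluate(self, req: Attributes) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return deny_overrides(r.evaluate(req) for r in self.rules)


@dataclass
class PolicySet:
    policies: List[Policy]

    def evaluate(self, req: Attributes) -> str:
        return deny_overrides(p.evaluate(req) for p in self.policies)


def recent_count(times: List[float], now: float, period: float) -> int:
    """Number of earlier transactions whose timestamp falls inside the last `period` seconds."""
    return sum(1 for t in times if now - period <= t <= now)


def billpay_policy(policy_id, target, T, P, X, Y, allowed_types):
    """Rules 1-3 from the mail as Deny rules, plus a default Permit rule."""
    return Policy(policy_id, target, [
        Rule("too-many-transactions", DENY,
             lambda r: recent_count(r["transaction_times"], r["now"], P) > T),
        Rule("amount-out-of-range", DENY,
             lambda r: r["amount"] > X or r["amount"] < Y),
        Rule("payment-type-not-listed", DENY,
             lambda r: r["payment_type"] not in allowed_types),
        Rule("otherwise-permit", PERMIT, lambda r: True),
    ])


# Rule 4: a different parameter set for users enrolled in the Bill Pay service.
# Placeholder values; the targets deliberately match only a typed boolean.
STANDARD = billpay_policy("billpay-standard", lambda r: r.get("signed_up") is False,
                          T=5, P=24 * 3600, X=5000, Y=1,
                          allowed_types={"utility", "credit_card"})
ENROLLED = billpay_policy("billpay-enrolled", lambda r: r.get("signed_up") is True,
                          T=20, P=24 * 3600, X=25000, Y=1,
                          allowed_types={"utility", "credit_card", "mortgage"})
BILLPAY = PolicySet([STANDARD, ENROLLED])


def decide(req: Attributes) -> str:
    """PDP: evaluate the policy set for one request."""
    return BILLPAY.evaluate(req)


def enforce(req: Attributes) -> bool:
    """PEP: only an explicit Permit allows the payment; NotApplicable is treated as deny."""
    return decide(req) == PERMIT


def make_request(signed_up, amount, payment_type, prior_count, now=1_700_000_000.0):
    """Constructed request with `prior_count` earlier transactions, one per minute."""
    times = [now - 60 * i for i in range(1, prior_count + 1)]
    return {"signed_up": signed_up, "amount": amount, "payment_type": payment_type,
            "transaction_times": times, "now": now}


if __name__ == "__main__":
    for label, req in [
        ("standard, 200 utility, 2 prior", make_request(False, 200, "utility", 2)),
        ("standard, 8000 utility", make_request(False, 8000, "utility", 0)),
        ("enrolled, 8000 utility", make_request(True, 8000, "utility", 0)),
        ("enrolled, 25 prior in window", make_request(True, 200, "utility", 25)),
        ("standard, mortgage", make_request(False, 200, "mortgage", 0)),
    ]:
        print(f"{label}: {decide(req)}")
```

Two design points are worth noticing. The per-user parameter sets are separate policies selected by a Target, so rule 4 adds no branching inside rules 1-3; that is the main thing XACML buys over hand-written conditionals once the number of rule sets grows. And a request with a missing or mistyped `signed_up` attribute matches no Target, yielding NotApplicable rather than Permit, so the enforcement point fails closed; a XACML PDP would return Indeterminate or NotApplicable in the same situation, and the PEP should treat anything but Permit as a denial.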
