RBAC Profile for XACML

["Muhammad Masoom Alam" <Muhammad.alam@uibk.ac.at>]

Hi Seth and all,

i am stuck again into XACML profile for RBAC.

  According to RBAC, we have RPS (Role Policy Set) and PPPS (Permission 
Policy Set) Where, RPS contains the role definition (RoleName) and 
references to PPPS and PPPS contains the actual permission with a rule (if 
any).
Now considor i have a Role A , which have two permissions associated with 
it, one is Positive Permission Policy Set(PPPS) and one is 
NegativePermission Policy Set (NPPS).

The structure of the Role Policy set is (as you described in one of your 
email is ),this is some simplified XACML.


  <PolicySet PolicySetId="RPS:RoleA" Combining Algorithm = "deny-overrides">

            <PolicySet Combining Algorithm = "permit-overrides">

                    <PolicySetIdReference>PPPS:RoleA</PolicySetIdReference>

                    <PolicySetIdReference>DenyPolicy</PolicySetIdReference>

            </PolicySet>


            <Target>

                Role Definition

            </Target>

                    <PolicySetIdReference>NPPS:RoleA</PolicySetIdReference>


</PolicySet>


now considor RoleA inherits from RoleB some  permissions , there fore, the 
PPPS:RoleA will contains a reference to the PPPS of RoleB (i.e. PPPS:RoleB).
if generally, there is no rule applicable to RoleA in the PPPS of RoleB, a 
general "DenyPolicy" (from the Role Policy Set) will be applicable which is 
not a right behaviour, since RoleA inherits from RoleB, and if there is no 
rule applicable in the inherited Role permission policy set (PPPS:RoleB), it 
shall give permit (if NPPS:RoleA is not applicable or gives true).


am i right ??
if yes, what can be the other solutions.


regards
Muhammad.