Re: [xacml-dev] Username in the <Delegate> element

["Muhammad Masoom Alam" <Muhammad.alam@uibk.ac.at>]

Hi,

Infact, i meant for putting a complex object e.g. representing the <Issuer> 
in the policy. Accordingly there will be a complex object in the <Delegate> 
Element.

Another thing is that what about using RBAC profile for rights delegation 
too. I had a look at the discussion regarding its pros/cons. but what is 
your personal opinion about it
 In my opinion, without it, things are more clearer, e.g.

"A role R wants to delegate his rights on some service S  to role R"

Here, service S is only permitted to some members of Role R according to 
their characteristics.

Now, if one of the member which have previlege wants to delegate the right 
to use service S to one of the member of role R then ?


make sence?

regards
Muhammad.



----- Original Message ----- 
From: "Erik Rissanen" <mirty@sics.se>
Cc: <xacml-dev@lists.oasis-open.org>
Sent: Thursday, August 04, 2005 2:41 PM
Subject: Re: [xacml-dev] Username in the <Delegate> element


> Muhammad Masoom Alam wrote:
>
>>Hi all,
>>
>>   In the XACML Administration Profile V7 have Username as subject-id. It 
>> makes a bit difficult to get the attributes of the delegator since 
>> subject is the delegatee not the delegator according to the profile.
>>
>>  Can we add some complex Object representing the delegatee and delegator 
>> in stead of simple user name. Even a role name will not be sufficed in 
>> this case of dynamic delegation.
>>
>>regards
>>Muhammad.
>>
>>
>
> You can put any attribute in the Delegate element, and the context
> handler should be able to resolve the attributes in the same way as the
> attributes of the Subject. Why cannot you get the attributes of the
> Delegate? Could you explain in more detail?
>
> Regards, Erik
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
>
>