xacml-dev message



Subject: Some queries regarding RBAC and XACML Profile for delegation.


Hi Erik,
I hope I am not boring you?

I have some queries regarding the latest Profile for Delegation of XACML V7.


The first question is whether an Issuer can constrain the delegation, or
whether delegation can only be constrained by Administration Policies. As stated in
the Profile: "In case <PolicyIssuer> element is present, then combining
algorithms that can result in "Deny" SHALL NOT be used." ??

The 2nd question is, in the Administration Policy, up to which level we
can constrain delegation. E.g. in the Administration Policy it can be
specified that Carol can delegate to Bob, by means of
DelegateAttributeDesignator and LaterDelegateAttributeDesignator. But is it
possible to further constrain to whom Bob can delegate further??
If we specify a new administration policy taking Bob as Delegatee, then what
will be the value of the first policy in this regard? I mean, if Bob can
delegate to Mallory (by an Administration Policy), then there is no need to
ask whether Bob is authorized himself or not?? And on the other hand,
if we can constrain multiple levels of delegation, then it makes a long chain,
isn't it so?

Another issue is the integration of the RBAC Profile for XACML with this
Delegation Profile.
E.g. I have Role A and Role B, and Role B is the super Role
of Role A, so how does this inheritance relationship work in the XACML profile?
    --    There will be a Role Policy Set (RPS) for every Role, e.g. A & B.
    --    There will be a Permission Policy Set (PPS) for every Role too.
    --    Now, the RPS will only contain the Role Definition and will reference
          the PPS. E.g. as Role B is the super Role of Role A, the RPS of B
          will refer to its PPS, and then the PPS of B will refer to the PPS
          of Role A, to make this inheritance relationship in XACML.


Now, considering the same for the Delegation Profile, I think we can have an
RPS like this:

<PolicySet PolicySetId="RPS_Role_B"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
    <Delegates>
      <Delegate>
        <DelegateMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RoleB</AttributeValue>
          <DelegateAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </DelegateMatch>
      </Delegate>
    </Delegates>
  </Target>
  <PolicySetIdReference>PPS_OF_RoleB</PolicySetIdReference>
</PolicySet>


And then the PPS of Role B will contain the definition of the actual permissions, with
a reference to the PPS of Role A since B is the super Role. Makes sense??

<PolicySet PolicySetId="PPS_OF_RoleB"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Policy PolicyId="Policy_PPS_OF_RoleB"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</AttributeValue>
            <SubjectAttributeDesignator AttributeId="group"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">printer</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">print</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Rule RuleId="Rule1" Effect="Permit">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
    </Rule>
  </Policy>
  <PolicySetIdReference>PPS_OF_Role_A</PolicySetIdReference>
</PolicySet>

The thing is that the RPS will only contain the Delegate element and will
reference the PPS, whereas the PPS will contain the permissions and additionally a
reference to another PPS for the inheritance relationship.


I hope I was able to convey my idea.
With best regards,
Muhammad.
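As an added illustration, not part of this post or of the XACML profiles, the following Python walks the RPS -> PPS -> PPS PolicySetIdReference chain described above over constructed, abbreviated policy sets and lists the (resource, action) permissions a role inherits, refusing a reference loop. The sample XML keeps only the elements the walk reads, and "view-queue" is an assumed permission for Role A.

```python
import xml.etree.ElementTree as ET

# Constructed sample (abbreviated), mirroring the post: RPS_Role_B -> PPS_OF_RoleB
# -> PPS_OF_Role_A. Match functions, designators and datatypes are omitted.
SAMPLE_POLICY_SETS = {
    "RPS_Role_B": """<PolicySet PolicySetId="RPS_Role_B"><Target><Delegates><Delegate>
      <DelegateMatch><AttributeValue>RoleB</AttributeValue></DelegateMatch></Delegate></Delegates></Target>
      <PolicySetIdReference>PPS_OF_RoleB</PolicySetIdReference></PolicySet>""",
    "PPS_OF_RoleB": """<PolicySet PolicySetId="PPS_OF_RoleB"><Policy PolicyId="Policy_PPS_OF_RoleB">
      <Target><Resources><Resource><ResourceMatch><AttributeValue>printer</AttributeValue></ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch><AttributeValue>print</AttributeValue></ActionMatch></Action></Actions></Target>
      <Rule RuleId="Rule1" Effect="Permit"/></Policy>
      <PolicySetIdReference>PPS_OF_Role_A</PolicySetIdReference></PolicySet>""",
    "PPS_OF_Role_A": """<PolicySet PolicySetId="PPS_OF_Role_A"><Policy PolicyId="Policy_PPS_OF_Role_A">
      <Target><Resources><Resource><ResourceMatch><AttributeValue>printer</AttributeValue></ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch><AttributeValue>view-queue</AttributeValue></ActionMatch></Action></Actions></Target>
      <Rule RuleId="Rule1" Effect="Permit"/></Policy></PolicySet>""",
}


def permissions_of(policy_set_id, policy_sets=SAMPLE_POLICY_SETS, _path=()):
    """(resource, action) pairs granted by Permit rules in this policy set and in
    every policy set reached through PolicySetIdReference, i.e. what a role
    inherits along the PPS chain. A reference loop raises instead of recursing
    until the evaluator runs out of stack."""
    if policy_set_id in _path:
        raise ValueError("PolicySetIdReference cycle: " + " -> ".join(_path + (policy_set_id,)))
    path = _path + (policy_set_id,)
    root = ET.fromstring(policy_sets[policy_set_id])
    granted = set()
    for policy in root.findall("Policy"):
        target = policy.find("Target")
        if target is None or not any(
                r.get("Effect") == "Permit" for r in policy.findall("Rule")):
            continue  # nothing readable or nothing permitted in this policy
        resources = [m.findtext("AttributeValue") for m in target.iter("ResourceMatch")]
        actions = [m.findtext("AttributeValue") for m in target.iter("ActionMatch")]
        granted.update((r, a) for r in resources for a in actions)
    for ref in root.findall("PolicySetIdReference"):  # follow the inheritance link
        granted |= permissions_of(ref.text.strip(), policy_sets, path)
    return granted


def delegates_of(policy_set_id, policy_sets=SAMPLE_POLICY_SETS):
    """Delegate values named in the policy set's Target (the role the RPS binds)."""
    root = ET.fromstring(policy_sets[policy_set_id])
    return {m.findtext("AttributeValue") for m in root.iter("DelegateMatch")}
```

Because the walk tracks only the current path, a diamond (two chains reaching one common base PPS) is accepted, while a true loop between PPSs is reported with the ids involved.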