[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.
Dear Erik,
> Oh, I see now what you want. You want to add administrative rights for
> roles. There is no way right now in the profile to define a target that
> will match both access and administrative requests, so you cannot mix
> access rights and administarive rights in the same role using only a
> single policy set. For now, I suggest you create a second RPS for
> administrative rights, which can then refer to another PPS with the
> administrative rights.
>
> For this second RPS, you can use a empty Delegate element in the target,
> which will match any administrative request and then you can fill in the
> details in the PPS.
>
I think you didnot gett me, and thats why it was difficult for me to get
you. How i am percieving :
- An Access request comes, and it will first matched by an Access policy
by the Policy Decision point (PDP)
- Matching is done using RBAC, as you described in your email i.e. we have
a RPS and then that RPS will refer to a PPS.
- If there is no match , or if the result is even deny then , PDP dont
simply gives answer back to the PEP but
- it will check for a Delegation Policy , and then the whole process
begins which is illustrated in the profile.
- Now, i am not clear about your point, could you plz give me some example
that how e.g. i can make use of Role Heirarchies, in your profile, keeping
seperation between access policies and
Administrative policies. I am not sure about using an Empty Delegate
Element ??
regards,
Muhammad.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]