[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.
> If you do not have an access result that says "permit", then you do not > need to generate an administrative request. Perhaps you mean that, even > if you get a not applicable for the access request against one policy, > you still need to try all other policies. Yes, that is true, but all the > administrative policies will evaluate to not applicable to an access > request. I am keeping seperate the Normal Access Policies and Delegation Policies (Whether Administrative or User Issued). So if an Access Request comes. -- First it will be matched against a Normal Access policy or policies. -- Suppose if there is "permit", ofcourse i dont need to check the Delegation policies then (Agreed). -- but if result is Deny (this is important) or notApplicable, then i will have to look at the Delegation policies. here i think i am not getting you when you only mention notApplicable and leave Deny. The thing is that it is possible that a role is completely denied accessing an operation from Normal Access policies, but delegation policies allows it. Thats why, i think so in case of both NotApplicable and Deny, PDP will query the Delegation policies. regards Muhammad.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]