Subject: Re: [xacml-dev] One suggestion regarding Negative Delegation
Yes, this policy should work and is supported by the current draft for the profile.

Erik

Muhammad Masoom Alam wrote:
> Dear Erik,
>
> In the following I am giving my suggestion for negative rights
> delegation. What is your opinion?
>
> Abbreviations used: DRPS = Delegation Role Policy Set, DPPPS =
> Delegation Positive Permission Policy Set, DNPPS = Delegation Negative
> Permission Policy Set.
>
> <PolicySet PolicySetId="DRPS:Role_A" Combining Algorithm = "deny-overrides">
>   <Target>
>     <Subjects> <AnySubject/> </Subjects>
>     <Resources> <AnyResource/> </Resources>
>     <Actions> <AnyAction/> </Actions>
>     <Delegate>
>       <DelegateMatch MatchId="string-equal">
>         <AttributeValue DataType="string">Role_A</AttributeValue>
>         <DelegateAttributeDesignator AttributeId="role" DataType="string"/>
>       </DelegateMatch>
>     </Delegate>
>   </Target>
>   <PolicySetIdReference>DNPPS:Role_A</PolicySetIdReference>
>   <PolicySet PolicySetId="DPPPS:for:Role_A" Combining Algorithm = "permit-overrides">
>     <PolicySetIdReference>DPPPS:Role_A</PolicySetIdReference>
>     <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
>   </PolicySet>
> </PolicySet>
>
> The overall mechanism of the above policy is as follows:
>
> 1. DRPS contains references to two policies, DPPPS:Role_A and
>    DNPPS:Role_A, which represent the negative and positive delegation
>    permission policy set respectively.
> 2. A general DenyPolicy is given, such that if none of the policies is
>    applicable from the DPPPS:Role_A, then a general DenyPolicy will be
>    applicable.
> 3. The combining algorithms (topmost "Deny-overrides") are
>    structured in such a way that DNPPS:Role_A will always have precedence.
> 4. The Permission Policy Set, either positive or negative, will contain
>    the respective definitions of the permissions.
>
> I hope I was able to convey my idea,
>
> regards,
> Muhammad.
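The combining structure discussed in this message, modelled as an added example (not code from the thread or from the XACML delegation profile). It assumes a three-valued decision without Indeterminate, models the DelegateMatch target as a simple role check, and uses hypothetical names (permission_set, drps_role_a, decide) and constructed sample permissions.

```python
# Added illustration, not from the thread: a simplified model of the
# combining structure in the quoted DRPS:Role_A policy set.
# Indeterminate results are deliberately left out of this model.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def deny_overrides(decisions):
    """Any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def permit_overrides(decisions):
    """Any Permit wins, then any Deny, else NotApplicable."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA

def permission_set(permissions, effect):
    """Hypothetical stand-in for DPPPS/DNPPS: yields `effect` for listed
    (resource, action) pairs and NotApplicable for everything else."""
    def evaluate(request):
        key = (request["resource"], request["action"])
        return effect if key in permissions else NA
    return evaluate

def drps_role_a(request, dnpps, dppps):
    """Evaluate the quoted policy set for one delegation request."""
    # Target: the DelegateMatch on role "Role_A" (modelled as an assumption).
    if "Role_A" not in request["delegate_roles"]:
        return NA
    # Inner set DPPPS:for:Role_A: permit-overrides over DPPPS and DenyPolicy.
    inner = permit_overrides([dppps(request), DENY])
    # Outer set: deny-overrides, so a Deny from DNPPS beats any inner Permit.
    return deny_overrides([dnpps(request), inner])

# Constructed sample permissions, not taken from the thread.
DNPPS = permission_set({("payroll", "write")}, DENY)
DPPPS = permission_set({("payroll", "read"), ("payroll", "write")}, PERMIT)

def decide(resource, action, roles=("Role_A",)):
    request = {"resource": resource, "action": action, "delegate_roles": roles}
    return drps_role_a(request, DNPPS, DPPPS)

if __name__ == "__main__":
    for res, act in [("payroll", "read"), ("payroll", "write"), ("audit", "read")]:
        print(res, act, "->", decide(res, act))
```

Because DenyPolicy always applies inside the permit-overrides set, the model never returns NotApplicable for a Role_A delegate: anything not positively permitted ends in Deny.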