
xacml-dev message



Subject: RE: [xacml-dev] Groups handling



Hello,

Another issue is how to express "permission to give permissions"

I would like the authorization to be something like:

"permit subject x (to give permissions subject w to resource y with
attributes constraints z) with attribute constraints v"

For example:

Permit user x to give permissions for user w between 2pm-8pm to write-access
on file y with write-action with attribute security-level=sensitive

Here I have:
a subject - user x, 
an action - "give permissions"
an attribute (or maybe another subject) - user w
an attribute - between 2pm-8pm 
an attribute (or maybe another action) - write-access
a resource - file y
an attribute - security level

Is there any standard to express permission to give permissions?

Thanks,
Yair



-----Original Message-----
From: Kuketayev, Argyn (Contractor) [mailto:argyn_kuketayev@fanniemae.com] 
Sent: Tuesday, September 20, 2005 3:53 PM
To: xacml-dev@lists.oasis-open.org
Subject: RE: [xacml-dev] Groups handling

You can group your subjects by a certain attribute. E.g. you can have an
attribute "group-id", and assign it all groups of this subject. It'll be
similar to LDAP, imho.

RBAC is when you need a standard way to handle roles with inheritance
and so on. It follows the NIST standard on RBAC.

argyn


> -----Original Message-----
> From: Yair Sade [mailto:yairs@cyber-ark.com] 
> Sent: Tuesday, September 20, 2005 9:20 AM
> To: xacml-dev@lists.oasis-open.org
> Subject: [xacml-dev] Groups handling
> 
> Hello,
> 
>  
> 
> Is there any standard way to implement groups in XACML access 
> control (as in standard access control systems such as LDAP 
> directories, Windows, etc.)?
> 
> The only close thing I've found is the RBAC profile which is 
> not exactly the same.
> 
>  
> 
> Thanks,
> 
> Yair
> 
> 

---------------------------------------------------------------------
This publicly archived list supports open discussion on implementing the
XACML OASIS Standard. To minimize spam in the
archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/xacml-dev/
Committee homepage: http://www.oasis-open.org/committees/xacml/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/
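
The group-by-attribute approach suggested in the quoted reply, written as an XACML 2.0 policy. This is an added example, not part of the original thread or of any OASIS material; "group-id" is the attribute name from the reply, while the policy and rule ids, the group value "engineering", the resource "file-y", the action "write" and the choice of XACML 2.0 syntax are assumptions.

```xml
<!-- Added example: ids, group value, resource and action names are constructed. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:group-write"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="urn:example:rule:engineering-write" Effect="Permit">
    <Target>
      <Subjects>
        <Subject>
          <!-- "group-id" is a bag holding every group of the subject;
               the match succeeds if any value in the bag equals the literal. -->
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">engineering</AttributeValue>
            <SubjectAttributeDesignator AttributeId="group-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">file-y</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
  <!-- Fallback: a request that did not match the rule above is denied. -->
  <Rule RuleId="urn:example:rule:default-deny" Effect="Deny"/>
</Policy>
```

A subject whose request carries the group-id values "staff" and "engineering" matches the first rule; a subject with no group-id attribute, or with no matching value, yields an empty or non-matching bag and falls through to the Deny rule.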




