xacml-dev message



Subject: Re: [xacml-dev] XACML and Constrained RBAC


Hi Fatih,

I think the first question is whether there is an implementation which
supports RBAC out of the box. Even the XACML RBAC profile does not make
any statement about the user assignment, but only defines the
equivalent of the permission assignment. To my understanding, RBAC,
and especially Constrained RBAC with DSoD, relies heavily on the concept
of sessions, which in turn needs some integration into the application
landscape. E.g., this could be implemented with a PAP which allows
adding roles to a session and a PIP which queries the current roles
assigned to a session. And you need to introduce the concept of a
session for the stateless XACML PDP.

However, I think XACML allows you to model more powerful DSoD
constraints in a much simpler way. For example, to model the SoD in a
travel request (i.e., the one who is requesting travel may not be the
one who approves the travel request) you can use a condition. A permit
rule allows a manager to approve travel requests, but the condition
excludes the case where the subject-id attribute and the requestor
attribute are equal, i.e., in a simplified form, the XACML rule could
look like

<Rule Effect="Permit">
 <Target>
  <Action>approve</Action>
  <Resource>TravelRequest</Resource>
  <Role>manager</Role>
 </Target>
 <Condition FunctionId="not">
  <Apply FunctionId="string-equal">
   <Attribute>subject-id</Attribute>
   <Attribute>requestor</Attribute>
  </Apply>
 </Condition>
</Rule>

I know this is not a direct answer to your question, but hopefully it
helps anyway...

Regards,
  Helmut

On 10/26/2011 10:24 PM, Fatih Turkmen wrote:
> Hi all,
> 
> I am mostly aware of the scientific literature about XACML and its
> extensions (both architecturally and syntactically) for Constrained
> RBAC. However, is there any XACML implementation (i.e. PDP, PEP, etc.)
> that supports, for instance, Dynamic Separation of Duty (DSoD) out of
> the box and is perhaps accessible somehow?
> 
> Thanks in advance.
> 
> -- 
> Fatih Turkmen
> Web: http://sites.google.com/site/fturkmen/
> 
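The simplified rule Helmut sketches above, written out as an added example that is not part of the original thread and is not code from any XACML product: the rule in actual XACML 3.0 syntax (standard function and attribute identifiers), a deliberately small Python PDP that understands only the functions this rule uses, and a session store of the kind Helmut describes, with a PAP-side role activation that refuses DSoD-conflicting role pairs and a PEP/PIP side that feeds the session's active roles into the request context. The `urn:example:travel:requestor` resource attribute, the manager/auditor conflicting pair and the user names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
F = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
REQUESTOR = "urn:example:travel:requestor"  # assumed, application-defined resource attribute

def _match(category, attr_id, value):
    """One Target <Match>: true if string-equal(value, v) for some v in the designated bag."""
    return (f'<Match MatchId="{F}string-equal"><AttributeValue DataType="{STR}">{value}'
            f'</AttributeValue><AttributeDesignator Category="{category}" AttributeId="{attr_id}"'
            f' DataType="{STR}" MustBePresent="false"/></Match>')

# The rule from the message in XACML 3.0 syntax: a manager may approve a TravelRequest
# unless the subject-id equals the request's requestor attribute.
RULE_XML = f"""<Rule xmlns="{NS}" RuleId="approve-travel-not-own" Effect="Permit">
 <Target><AnyOf><AllOf>
  {_match(ACT, ACTION_ID, 'approve')}
  {_match(RES, RESOURCE_ID, 'TravelRequest')}
  {_match(SUBJ, ROLE, 'manager')}
 </AllOf></AnyOf></Target>
 <Condition><Apply FunctionId="{F}not"><Apply FunctionId="{F}string-equal">
  <Apply FunctionId="{F}string-one-and-only"><AttributeDesignator Category="{SUBJ}"
   AttributeId="{SUBJECT_ID}" DataType="{STR}" MustBePresent="true"/></Apply>
  <Apply FunctionId="{F}string-one-and-only"><AttributeDesignator Category="{RES}"
   AttributeId="{REQUESTOR}" DataType="{STR}" MustBePresent="true"/></Apply>
 </Apply></Apply></Condition>
</Rule>"""

def _one_and_only(bag):
    if len(bag) != 1:  # per the spec an evaluation error, which surfaces as Indeterminate
        raise ValueError(f"string-one-and-only on a bag of size {len(bag)}")
    return bag[0]
FUNCS = {F + "not": lambda a: not a, F + "string-equal": lambda a, b: a == b,
         F + "string-one-and-only": _one_and_only}

def evaluate_expr(elem, request):
    """Evaluate an expression; request maps (category, attribute-id) to a bag (list) of values."""
    tag = elem.tag.split("}")[1]
    if tag == "AttributeValue":
        return elem.text
    if tag == "AttributeDesignator":  # the PIP lookup: an empty bag when nothing is known
        bag = request.get((elem.get("Category"), elem.get("AttributeId")), [])
        if not bag and elem.get("MustBePresent") == "true":
            raise ValueError("missing attribute " + elem.get("AttributeId"))
        return bag
    if tag == "Apply":
        return FUNCS[elem.get("FunctionId")](*[evaluate_expr(c, request) for c in elem])
    raise ValueError("unsupported element " + tag)

def target_matches(target, request):
    """Every AnyOf must hold; an AnyOf holds if some AllOf has all of its Matches true."""
    def match(m):
        value = m.find(f"{{{NS}}}AttributeValue").text
        bag = evaluate_expr(m.find(f"{{{NS}}}AttributeDesignator"), request)
        return any(FUNCS[m.get("MatchId")](value, v) for v in bag)
    return target is None or all(any(all(match(m) for m in allof) for allof in anyof)
                                 for anyof in target)

def evaluate_rule(rule_xml, request):
    """Returns the rule's Effect, NotApplicable, or Indeterminate on an evaluation error."""
    rule = ET.fromstring(rule_xml)
    try:
        if not target_matches(rule.find(f"{{{NS}}}Target"), request):
            return "NotApplicable"
        cond = rule.find(f"{{{NS}}}Condition")
        if cond is not None and not evaluate_expr(cond[0], request):
            return "NotApplicable"
        return rule.get("Effect")
    except ValueError:
        return "Indeterminate"

class SessionStore:
    """Session state the stateless PDP lacks: activate() is the PAP side (refuses a role that
    would complete a DSoD-conflicting pair), request() is the PEP/PIP side."""
    def __init__(self, dsod_pairs):
        self.dsod = {frozenset(p) for p in dsod_pairs}
        self.sessions = {}  # session id -> (user, set of active roles)
    def activate(self, sid, user, role):
        _, active = self.sessions.setdefault(sid, (user, set()))
        if any(frozenset((role, r)) in self.dsod for r in active):
            return False
        active.add(role)
        return True
    def request(self, sid, action, resource_id, requestor):
        user, active = self.sessions[sid]
        return {(SUBJ, SUBJECT_ID): [user], (SUBJ, ROLE): sorted(active),
                (ACT, ACTION_ID): [action], (RES, RESOURCE_ID): [resource_id],
                (RES, REQUESTOR): [requestor]}

def demo():
    store = SessionStore([("manager", "auditor")])  # assumed conflicting role pair
    store.activate("s1", "alice", "manager")
    own = evaluate_rule(RULE_XML, store.request("s1", "approve", "TravelRequest", "alice"))
    other = evaluate_rule(RULE_XML, store.request("s1", "approve", "TravelRequest", "bob"))
    return own, other, store.activate("s1", "alice", "auditor")

if __name__ == "__main__":
    print(demo())  # ('NotApplicable', 'Permit', False)
```

Two things worth noticing when running it. The condition-based SoD needs no session state at all, but it is only as strong as the PIP that supplies the two identities: if the resource carries no requestor attribute, `MustBePresent="true"` turns the result into Indeterminate rather than a Permit, and a PEP must treat that as a denial rather than fall through. The session-based DSoD, by contrast, lives entirely outside the PDP, in `activate()`, and the PDP only ever sees the roles the PIP reports for the session.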

