Subject: Access time constraints implementation
I need to implement the following feature: deny access to certain features of the system to users (based on their RBAC role) at certain times. For example, the system should not allow updates of objects of type A to users with a role ADMIN from July 1 to July 15. There could be several rules like that for different roles, objects and times.

I have implemented the RBAC profile, so theoretically I can add these rules into my PPS (permission policy set). I'd prefer not to do it, because RBAC policy sets are very important and require thorough tests. If I change something there, then the testing is time consuming. Also, these policies are pretty static; there were no changes for several months. In contrast, time constraints are dynamic. They can change several times during one quarter. Therefore, I don't want to mix in "dynamic" rules and "static" ones.

I was thinking about the following solution, and need advice/critique. My current RBAC PDP brings in the policy set with all applicable policies, then evaluates it against the request. I'll add a special policy with "dynamic" time constraints. It will contain a set of "deny" rules to block access to certain features of the system. My new PDP will create a "wrapper" policy set, which will contain this special policy and the "old" policy set with "deny-overrides" policy combining algorithm.

Thanks,
argyn
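The wrapper arrangement described in the message, modelled as an added example that is not part of the original post and is not XACML engine code. The class and function names, the permission table standing in for the existing PPS, the year 2024 and the inclusive end date are all assumptions; Indeterminate handling is left out.

```python
from dataclasses import dataclass
from datetime import date

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Request:
    role: str
    action: str
    resource_type: str
    today: date

@dataclass(frozen=True)
class TimeDenyRule:
    """One "dynamic" rule: deny role/action/resource_type inside [start, end]."""
    role: str
    action: str
    resource_type: str
    start: date
    end: date  # inclusive (assumption; the post does not say)

    def evaluate(self, req):
        same_target = (req.role, req.action, req.resource_type) == (
            self.role, self.action, self.resource_type)
        in_window = self.start <= req.today <= self.end
        return DENY if same_target and in_window else NOT_APPLICABLE

def deny_overrides(decisions):
    """Simplified deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    decisions = list(decisions)
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def static_rbac_pps(req):
    """Stand-in for the existing, untouched RBAC permission policy set (constructed)."""
    granted = {("ADMIN", "update", "A"), ("ADMIN", "read", "A"), ("USER", "read", "A")}
    return PERMIT if (req.role, req.action, req.resource_type) in granted else NOT_APPLICABLE

def time_constraint_policy(req, rules):
    """The separate "dynamic" policy: it holds deny rules only, so it can never grant."""
    return deny_overrides(rule.evaluate(req) for rule in rules)

def wrapper_pdp(req, rules):
    """Wrapper policy set: dynamic policy plus the old policy set, deny-overrides."""
    return deny_overrides([time_constraint_policy(req, rules), static_rbac_pps(req)])

# Constructed rule taken from the post's example; the year is an assumption.
RULES = [TimeDenyRule("ADMIN", "update", "A", date(2024, 7, 1), date(2024, 7, 15))]
```

Because the dynamic policy only ever returns Deny or NotApplicable, editing it can narrow what the static policy set grants but cannot widen it, which is the property that lets the two be tested on different schedules.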