Subject: Re: [xacml-users] Newbie:Usage of XACML
Hi Stefan.

On May 12, 2005, at 5:35 AM, Stefan Brandl wrote:

> An external system wants to get all rights of a certain
> person associated with a certain resource of a certain
> provider.

As you've noted, XACML expresses access rules, not individual rights. The two are, of course, related. So, you could write your own system to extract this information from the set of Policies, but there is no standard mechanism for saying "here are all the rights this subject has on this resource."

> I've seen that XACML replies only "PERMIT", "DENY" ...

Correct.

> Is there a way to express rights within the Response like
> "is able to edit admin information" or "can delete user
> information".

Well, if the request was "can this user edit admin information" and the result is Permit, then you've expressed "is able to edit admin information." I assume, however, you're looking for something more like a query engine where you start by saying "what are the subject rights for admin information" and the answer comes back "the subject is able to edit admin information." Like I said above, this is not discussed in the standard, but it's something you can extract from policies, and using SAML you can probably pass around the meta-data you need.

seth
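
The approach described in the message above, sketched as an added example that is not part of the original post or of the XACML standard: a "rights" view is built by asking one decision question per candidate action and keeping the Permit answers. The rule model, role names, resource names and action vocabulary are constructed for illustration and are not XACML policy syntax; only the decision values and the deny-overrides combining behaviour follow XACML.

```python
# Added illustration: a toy rule model, not real XACML policy syntax.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    role: str        # subject attribute the rule targets
    resource: str    # resource identifier the rule targets
    action: str      # action identifier; "*" matches any action
    effect: str      # "Permit" or "Deny"

# Constructed sample policy (all names are hypothetical).
POLICY = [
    Rule("admin", "admin-info", "read", "Permit"),
    Rule("admin", "admin-info", "edit", "Permit"),
    Rule("admin", "user-info", "*", "Permit"),
    Rule("helpdesk", "user-info", "read", "Permit"),
    Rule("helpdesk", "user-info", "delete", "Deny"),
    Rule("contractor", "admin-info", "*", "Deny"),
]

ACTIONS = ["read", "edit", "delete"]   # assumed action vocabulary

def evaluate(roles, resource, action, policy=POLICY):
    """Answer one decision request using deny-overrides combining."""
    decision = "NotApplicable"         # no matching rule is not a Permit
    for rule in policy:
        if (rule.role in roles and rule.resource == resource
                and rule.action in ("*", action)):
            if rule.effect == "Deny":
                return "Deny"          # any matching Deny wins
            decision = "Permit"
    return decision

def rights_for(roles, resource, candidate_actions=ACTIONS, policy=POLICY):
    """Derive the 'rights' list: one decision request per candidate action."""
    return sorted(a for a in candidate_actions
                  if evaluate(roles, resource, a, policy) == "Permit")

if __name__ == "__main__":
    print(rights_for({"admin"}, "admin-info"))
    print(rights_for({"admin", "contractor"}, "admin-info"))
    print(rights_for({"helpdesk"}, "user-info"))
```

The derived list is only as complete as the candidate action vocabulary, and it changes with the combining algorithm: a subject holding both the admin and contractor roles ends up with no rights on admin-info here because a matching Deny overrides every Permit.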