
xacml-users message



Subject: Re: [xacml-users] Newbie:Usage of XACML



Hi Stefan.

On May 12, 2005, at 5:35 AM, Stefan Brandl wrote:
> An external system wants to get all rights of a certain
> person associated with a certain resource of a certain
> provider.

As you've noted, XACML expresses access rules, not individual rights. 
The two are, of course, related. So, you could write your own system to 
extract this information from the set of Policies, but there is no 
standard mechanism for saying "here are all the rights this subject has 
on this resource."

> I've seen that XACML replies only "PERMIT", "DENY" ...

Correct.

> Is there a way to express rights within the Response like
> "is able to edit admin information" or "can delete user
> information".

Well, if the request was "can this user edit admin information" and the 
result is Permit, then you've expressed "is able to edit admin 
information." I assume, however, you're looking for something more like 
a query engine where you start by saying "what are the subject rights 
for admin information" and the answer comes back "the subject is able 
to edit admin information." Like I said above, this is not discussed in 
the standard, but it's something you can extract from policies, and 
using SAML you can probably pass around the meta-data you need.



seth
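
One way to build the rights query discussed in the message above on top of plain Permit/Deny decisions, as an added example that is not part of the original post or of any XACML implementation: ask the decision function once per candidate action and collect the Permits. The rule tuples, role names, resource names and the `ACTIONS` list are constructed assumptions, a simplified stand-in for real XACML policies.

```python
# Simplified model of access rules (constructed sample data, not XACML syntax).
# Each rule: (effect, subject role, resource, action)
RULES = [
    ("Permit", "admin",   "admin-info", "read"),
    ("Permit", "admin",   "admin-info", "edit"),
    ("Permit", "admin",   "user-info",  "delete"),
    ("Permit", "clerk",   "user-info",  "read"),
    ("Deny",   "trainee", "admin-info", "edit"),
    ("Permit", "trainee", "admin-info", "read"),
]

# Assumption: the set of actions is finite and known in advance. Without
# that, "all rights" cannot be enumerated by asking yes/no questions.
ACTIONS = ["read", "edit", "delete"]


def evaluate(roles, resource, action, rules=RULES):
    """Toy decision point: one answer per request, combined deny-overrides."""
    decision = "NotApplicable"
    for effect, role, res, act in rules:
        if role in roles and res == resource and act == action:
            if effect == "Deny":
                return "Deny"          # any matching Deny wins
            decision = "Permit"
    return decision


def rights_for(roles, resource, actions=ACTIONS):
    """Answer 'what can this subject do here?' with one request per action."""
    return [a for a in actions if evaluate(roles, resource, a) == "Permit"]


if __name__ == "__main__":
    print(rights_for({"admin"}, "admin-info"))
    print(rights_for({"admin", "trainee"}, "admin-info"))
```

The result is only valid for the attributes supplied with each request; rules that depend on time, location or other environment values can change the answer between the query and the actual access, so the enforcement point still has to ask for a decision at access time.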


