xacml-users message


Subject: Re: [sunxacml-discuss] RBAC Profile for XACML


The bottom line which I am concluding is that:

"A Senior Role will inherit all permissions from its Junior Role without any constraints unless and until explicitly specified"

so the PPS of the Junior Role, e.g., shall have for the Senior Role:

<PolicySet PolicySetId="PPPS:employeeRole" Combining Algorithm = "permit-overrides">

    <Policy Combining Algorithm = "permit-overrides" PolicyId = "Permissions:for:Role:employeeRole">

        <Rule Effect = "Permit">
            <Target>
                Role Name (of the senior Role, e.g. ManagerRole)
            </Target>
        </Rule>

        <Rule Effect="Permit">
            <Condition>
                Complex Authorization Constraint based on some Attributes from Database for the Role Employee only.
            </Condition>
        </Rule>

    </Policy>

</PolicySet>


Makes sense??

regards
Muhammad.
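To make the combining behaviour discussed in this thread concrete, here is a small simulation added to this archive page; it is not code from the thread, from Sun's XACML implementation, or from the RBAC profile. It models the simplified structure posted below (RPS:managerRole with deny-overrides over a permit-overrides set holding PPPS:managerRole and a DenyPolicy, plus an NPPS; PPPS:managerRole referencing PPPS:employeeRole) and evaluates a manager request with and without the explicit senior-role Permit rule proposed above. The class and function names, the request attributes, the "approve"/"delete" actions, the employee-id database and the contents of NPPS:managerRole are all assumptions made for the illustration; Indeterminate handling is left out of the combining algorithms.

```python
"""Toy simulation of the RBAC-profile RPS/PPS structure and XACML combining algorithms.

Added example: not code from the mailing-list thread or the Sun XACML project.
Names, attributes and sample data are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed sample "database" consulted by the employee role's complex constraint.
EMPLOYEE_DB = {"e-1001", "e-1002"}

Matcher = Optional[Callable[[dict], bool]]  # None means "matches every request"


def combine(algorithm: str, decisions: List[str]) -> str:
    """permit-overrides / deny-overrides as in XACML 1.x/2.0 (Indeterminate omitted)."""
    if algorithm == "permit-overrides":
        order = (PERMIT, DENY)
    elif algorithm == "deny-overrides":
        order = (DENY, PERMIT)
    else:
        raise ValueError(f"unsupported combining algorithm: {algorithm}")
    for decision in order:
        if decision in decisions:
            return decision
    return NOT_APPLICABLE


@dataclass
class Rule:
    effect: str
    target: Matcher = None
    condition: Matcher = None

    def evaluate(self, req: dict) -> str:
        if self.target and not self.target(req):
            return NOT_APPLICABLE
        if self.condition and not self.condition(req):
            return NOT_APPLICABLE  # a false <Condition> yields NotApplicable, not Deny
        return self.effect


@dataclass
class PolicySet:
    """Stands in for both <Policy> and <PolicySet>: an optional target plus children
    combined by one algorithm. A <PolicySetIdReference> is modelled by placing the
    referenced object directly in the children list."""
    policy_id: str
    algorithm: str
    children: List[object]
    target: Matcher = None

    def evaluate(self, req: dict) -> str:
        if self.target and not self.target(req):
            return NOT_APPLICABLE
        return combine(self.algorithm, [c.evaluate(req) for c in self.children])


def is_manager(req: dict) -> bool:
    return req.get("role") == "manager"


def build_manager_rps(explicit_senior_rule: bool) -> PolicySet:
    # PPPS:employeeRole: the junior role's permissions. Its ordinary rule carries the
    # "complex constraint" that looks up employee attributes in the database.
    employee_rules = [Rule(PERMIT, condition=lambda r: r.get("employee-id") in EMPLOYEE_DB)]
    if explicit_senior_rule:
        # The remedy proposed at the top of the thread: a Permit <Rule> whose <Target>
        # names the senior role, so a manager inherits without the employee constraint.
        employee_rules.insert(0, Rule(PERMIT, target=is_manager))
    pps_employee = PolicySet("PPPS:employeeRole", "permit-overrides", [
        PolicySet("Permissions:for:Role:employeeRole", "permit-overrides", employee_rules)])

    # PPPS:managerRole: the manager's own simple constraint plus a reference to PPPS:employeeRole.
    pps_manager = PolicySet("PPPS:managerRole", "permit-overrides", [
        PolicySet("Permissions:for:Role:managerRole", "permit-overrides",
                  [Rule(PERMIT, condition=lambda r: r.get("action") == "approve")]),
        pps_employee,  # <PolicySetIdReference>PPPS:employeeRole</PolicySetIdReference>
    ])
    deny_policy = PolicySet("DenyPolicy", "permit-overrides", [Rule(DENY)])  # always Deny
    # NPPS:managerRole: negative permissions, constructed here as "managers may not delete".
    npps_manager = PolicySet("NPPS:managerRole", "deny-overrides",
                             [Rule(DENY, condition=lambda r: r.get("action") == "delete")])

    return PolicySet("RPS:managerRole", "deny-overrides", [
        PolicySet("RPS:managerRole:positive", "permit-overrides", [pps_manager, deny_policy]),
        npps_manager,
    ], target=is_manager)


def decide(explicit_senior_rule: bool, **attrs) -> str:
    """Evaluate RPS:managerRole for a request built from keyword attributes."""
    return build_manager_rps(explicit_senior_rule).evaluate(attrs)


if __name__ == "__main__":
    for fix in (False, True):
        for action in ("approve", "view-timesheet", "delete"):
            print(f"explicit senior rule={fix!s:5} action={action:15} -> "
                  f"{decide(fix, role='manager', action=action)}")
```

Without the explicit rule, a manager asking for an employee permission gets NotApplicable from both PPSs, so the permit-overrides set falls through to the DenyPolicy and the RPS returns Deny, which is exactly the problem raised below. With the rule, the junior PPS permits every manager request, and only the NPPS under deny-overrides can still block something (here, "delete").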



  ----- Original Message ----- 
  From: Muhammad Masoom Alam 
  To: Seth Proctor ; xacml-dev@lists.oasis-open.org ; sunxacml-discuss@lists.sourceforge.net ; xacml-users@lists.oasis-open.org 
  Cc: Seth Proctor 
  Sent: Thursday, June 09, 2005 10:46 AM
  Subject: Re: [sunxacml-discuss] RBAC Profile for XACML


  The example given in XACML Profile for RBAC is very simple, e.g.:

  "According to this profile, there will also be two Role <PolicySet> instances: one for the manager role and one for the employee role. The manager Role <PolicySet> will contain a <Target> requiring that the Subject hold a &role; Attribute with a value of "&roles;manager". It will reference the manager Permission <PolicySet>. The employee Role <PolicySet> will contain a <Target> requiring that the Subject hold a &role; Attribute with a value of "&roles;employee". It will reference the employee Permission <PolicySet>."

  Now, very simple permissions are associated in conditions in the corresponding Permission Policy Sets. Suppose there is a permission policy set with the following contents:

  RPS:

  <PolicySet PolicySetId="RPS:managerRole" Combining Algorithm = "deny-overrides">
          <PolicySet Combining Algorithm = "permit-overrides">
                  <PolicySetIdReference>PPPS:managerA</PolicySetIdReference>
                  <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
          </PolicySet>
          <Target>
              Role Definition
          </Target>
          <PolicySetIdReference>NPPS:managerA</PolicySetIdReference>
  </PolicySet>

  PPS for manager:

  <PolicySet PolicySetId="PPPS:managerRole" Combining Algorithm = "permit-overrides">
      <Policy Combining Algorithm = "permit-overrides" PolicyId = "Permissions:for:Role:managerRole">
          <Rule Effect="Permit">
              <Condition>
                  A Simple Authorization Constraint
              </Condition>
          </Rule>
      </Policy>
      <PolicySetIdReference>PPPS:employeeRole</PolicySetIdReference>
  </PolicySet>

  PPS for employee:

  <PolicySet PolicySetId="PPPS:employeeRole" Combining Algorithm = "permit-overrides">
      <Policy Combining Algorithm = "permit-overrides" PolicyId = "Permissions:for:Role:employeeRole">
          <Rule Effect="Permit">
              <Condition>
                  Complex Authorization Constraint based on some Attributes from Database for the Role Employee only.
              </Condition>
          </Rule>
      </Policy>
  </PolicySet>

  Now, consider that the Authorization constraint specified in the "PPPS:employeeRole" is not a simple authorization constraint, I mean one which refers to some database values, for employeeRole. Now, as there is no Target (stated by RBAC Profile) in lines 194-197:

  "A given Permission <PolicySet> may also contain references to Permission

  <PolicySet>s associated with other roles that are junior to the given role, thereby allowing the

  given Permission <PolicySet> to inherit all permissions associated with the role of the referenced

  Permission <PolicySet>. The <Target> element of a Permission <PolicySet>, if present,

  must not limit the subjects to which the <PolicySet> is applicable."


  , what will be the result of this rule, as ManagerRole does not possess the attributes specified in the Authorization constraint of the "PPPS:EmployeeRole"? If the result is NotApplicable, the behaviour is not consistent with the Profile.

  If the result is NotApplicable: "Do we have to put some Rules again in the PPS (of the junior Role) to mention that if none of the rules are applicable then the result will be Permit (since the senior role inherits the permissions of the junior role)?" Otherwise, if we don't put any rule explicitly, the problem (as I stated in my previous email) is that there is a general DenyPolicy in the RPS, which will make the whole result Deny if the result is Deny/NotApplicable.


  Makes sense??

  regards
  Muhammad.

  ----- Original Message ----- 
  From: "Muhammad Masoom Alam" <Muhammad.alam@uibk.ac.at>
  To: "Seth Proctor" <Seth.Proctor@sun.com>; <xacml-dev@lists.oasis-open.org>; <sunxacml-discuss@lists.sourceforge.net>; <xacml-users@lists.oasis-open.org>
  Cc: "Seth Proctor" <Seth.Proctor@sun.com>
  Sent: Thursday, June 09, 2005 9:56 AM
  Subject: [sunxacml-discuss] RBAC Profile for XACML


  > Hi Seth and all,
  > 
  > I am stuck again in the XACML profile for RBAC.
  > 
  > According to RBAC, we have RPS (Role Policy Set) and PPPS (Permission 
  > Policy Set), where RPS contains the role definition (RoleName) and 
  > references to PPPS, and PPPS contains the actual permission with a rule (if 
  > any).
  > Now consider I have a Role A, which has two permissions associated with 
  > it: one is a Positive Permission Policy Set (PPPS) and one is a 
  > Negative Permission Policy Set (NPPS).
  > 
  > The structure of the Role Policy Set is (as you described in one of your 
  > emails); this is some simplified XACML.
  > 
  > 
  >  <PolicySet PolicySetId="RPS:RoleA" Combining Algorithm = "deny-overrides">
  > 
  >            <PolicySet Combining Algorithm = "permit-overrides">
  > 
  >                    <PolicySetIdReference>PPPS:RoleA</PolicySetIdReference>
  > 
  >                    <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
  > 
  >            </PolicySet>
  > 
  > 
  >            <Target>
  > 
  >                Role Definition
  > 
  >            </Target>
  > 
  >                    <PolicySetIdReference>NPPS:RoleA</PolicySetIdReference>
  > 
  > 
  > </PolicySet>
  > 
  > 
  > Now consider RoleA inherits some permissions from RoleB; therefore, the 
  > PPPS:RoleA will contain a reference to the PPPS of RoleB (i.e. PPPS:RoleB).
  > If, generally, there is no rule applicable to RoleA in the PPPS of RoleB, a 
  > general "DenyPolicy" (from the Role Policy Set) will be applicable, which is 
  > not the right behaviour, since RoleA inherits from RoleB, and if there is no 
  > rule applicable in the inherited Role permission policy set (PPPS:RoleB), it 
  > shall give Permit (if NPPS:RoleA is not applicable or gives true).
  > 
  > 
  > Am I right??
  > If yes, what can be the other solutions?
  > 
  > 
  > regards
  > Muhammad.
  > 
  > 
  > 
  > 
  > 