xacml-users message
Subject: Re: [xacml-users] XACML Profile for RBAC


Hi Anne, Argyn,
Now please check it; I have removed the double policies from the RPS, so
have a look at it.


(I just got your email while composing mine, so the Deny Policy is not a
problem at all; I can remove it. It was there to simplify administration, i.e.
if none of the positive permissions return true, don't care about the negative
Policy Sets (and Seth gave this solution on the list). I remove my
negative permission or general Deny Policy, but the problem is still not
solved; see this email please.)


So let me tell you the background again.

  A senior Role inherits a permission from a Junior Role "without" the
constraints which are specified for the Junior Role (unless explicitly
specified). (This is what I think up till now.)
If we say "A senior role inherits a permission from a Junior Role 'with' the
constraints which are specified for the Junior Role", then for simple
constraints, e.g. Date and Time values, it makes sense, but it does not make
sense for the constraints explicitly specified only for the Junior Role.
(Agreed?)
My Role Policy Set (Argyn, it's the same as the profile, only a reference to
the negative policy is included plus a general Deny Policy to enforce the
priority of Negative Permissions, ok?)

<PolicySet PolicySetId="RPS:managerRole"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
    <Target>
        <!-- Role Definition -->
    </Target>
    <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <PolicySetIdReference>PPPS:managerRole</PolicySetIdReference>
    </PolicySet>
</PolicySet>


First Permission Policy Set for managerRole:

<PolicySet PolicySetId="PPPS:managerRole"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Policy PolicyId="Permissions:for:Role:managerRole"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Rule Effect="Permit">
            <Condition>
                <!-- A Simple Authorization Constraint based on time/date -->
            </Condition>
        </Rule>
    </Policy>
    <!-- inherit the junior role's permissions -->
    <PolicySetIdReference>PPPS:employeeRole</PolicySetIdReference>
</PolicySet>

2nd PPS for employee:

<PolicySet PolicySetId="PPPS:employeeRole"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Policy PolicyId="Permissions:for:Role:employeeRole"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Rule Effect="Permit">
            <Condition>
                <!-- Complex Authorization Constraint based on some
                     Attributes from Database for the Role Employee only. -->
            </Condition>
        </Rule>
    </Policy>
</PolicySet>

Now, consider that the Authorization constraint specified in
"PPPS:employeeRole" is not a simple authorization constraint; I mean one which
refers to some database values, for employeeRole only. Now, as there is no
Target (stated by the RBAC Profile) in lines 194-197,
what will be the result of this rule, as ManagerRole does not possess the
attributes specified in the Authorization constraint of
"PPPS:EmployeeRole"? If the result is NotApplicable, the behaviour is not
consistent with the Profile.
If the result is NotApplicable: do we have to put some Rules again in
the PPS (of the junior Role) to mention that if none of the rules are
applicable then the result will be Permit (since the senior role inherits the
permissions of the junior role)? Otherwise, if we don't put any rule
explicitly, the problem is that there is a general DenyPolicy (see the RPS
above) in the RPS, which will make the whole result Deny if the result is
Deny/NotApplicable.


My Proposed solution:


e.g.
<PolicySet PolicySetId="PPPS:employeeRole"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Policy PolicyId="Permissions:for:Role:employeeRole"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Rule RuleId="1" Effect="Permit">
            <Target>
                <!-- Role Name (of the senior Role, e.g. ManagerRole) -->
            </Target>
        </Rule>
        <Rule RuleId="2" Effect="Permit">
            <Condition>
                <!-- Complex Authorization Constraint based on some
                     Attributes from Database for the Role Employee only. -->
            </Condition>
        </Rule>
    </Policy>
</PolicySet>



Now Rule 1 is for all the senior Roles, and Rule 2 is only for the Employee Role?

Make sense?

regards
Muhammad.
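As an added illustration (not part of the original thread, and not the XACML profile's or any PDP's own code), the following Python model traces how the deny-overrides and permit-overrides combining algorithms turn the sketched RPS/PPS tree into decisions. The role names, the attribute names (hour, employee_db_flag) and the predicates standing in for the Targets and Conditions are constructed assumptions, and Indeterminate is left out of the combining logic. It evaluates the three variants discussed in the message: the RPS with the general Deny policy, without it, and with the proposed senior-role Rule added to the employee PPS.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """Constructed request context: the subject's roles and PEP-supplied attributes."""
    roles: frozenset
    attrs: Dict[str, object] = field(default_factory=dict)


Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    effect: str
    target: Optional[Predicate] = None     # None: the Rule matches every request
    condition: Optional[Predicate] = None  # None: no Condition, i.e. always true

    def evaluate(self, req: Request) -> str:
        if self.target is not None and not self.target(req):
            return NOT_APPLICABLE
        if self.condition is not None and not self.condition(req):
            return NOT_APPLICABLE  # a false Condition is NotApplicable, not Deny
        return self.effect


@dataclass
class PolicySet:
    """Stands in for <Policy> and <PolicySet> alike; a <PolicySetIdReference>
    is modelled simply as sharing the referenced child object."""
    combining: str
    children: List[object]
    target: Optional[Predicate] = None

    def evaluate(self, req: Request) -> str:
        if self.target is not None and not self.target(req):
            return NOT_APPLICABLE
        return combine(self.combining, [c.evaluate(req) for c in self.children])


def combine(alg: str, results: List[str]) -> str:
    """Simplified XACML 2.0 deny-/permit-overrides (Indeterminate not modelled)."""
    order = {"deny-overrides": (DENY, PERMIT), "permit-overrides": (PERMIT, DENY)}[alg]
    for decision in order:
        if decision in results:
            return decision
    return NOT_APPLICABLE


# Constructed predicates standing in for the Targets/Conditions sketched above.
def has_role(role: str) -> Predicate:
    return lambda r: role in r.roles

def business_hours(r: Request) -> bool:          # "simple" time/date constraint
    return 9 <= r.attrs.get("hour", -1) < 17

def employee_db_check(r: Request) -> bool:       # "complex" employee-only constraint
    return r.attrs.get("employee_db_flag") is True


def build_employee_pps(senior_role_shortcut: bool) -> PolicySet:
    rules = []
    if senior_role_shortcut:  # proposed Rule 1: Permit whenever the senior role is held
        rules.append(Rule(PERMIT, target=has_role("manager")))
    rules.append(Rule(PERMIT, condition=employee_db_check))  # Rule 2
    return PolicySet("permit-overrides", [PolicySet("permit-overrides", rules)])


def build_manager_rps(general_deny: bool, senior_role_shortcut: bool) -> PolicySet:
    employee_pps = build_employee_pps(senior_role_shortcut)
    manager_pps = PolicySet("permit-overrides", [
        PolicySet("permit-overrides", [Rule(PERMIT, condition=business_hours)]),
        employee_pps,  # <PolicySetIdReference>PPPS:employeeRole</PolicySetIdReference>
    ])
    children = [PolicySet("permit-overrides", [manager_pps])]
    if general_deny:  # the "general Deny Policy" under the deny-overrides RPS
        children.append(PolicySet("deny-overrides", [Rule(DENY)]))
    return PolicySet("deny-overrides", children, target=has_role("manager"))


def decide(general_deny: bool, senior_role_shortcut: bool, req: Request) -> str:
    return build_manager_rps(general_deny, senior_role_shortcut).evaluate(req)


if __name__ == "__main__":
    manager_offhours = Request(frozenset({"manager"}), {"hour": 20})
    for general_deny, shortcut in [(True, False), (False, False), (False, True)]:
        print(f"general_deny={general_deny} shortcut={shortcut}:",
              decide(general_deny, shortcut, manager_offhours))
```

Running it shows that a Deny policy sitting beside the permissions under a deny-overrides RPS yields Deny for every request the RPS targets, a manager inside business hours included; without it, a manager outside business hours gets NotApplicable because the employee PPS's Condition is false for that subject; and the extra Rule with a Target on the senior role is what turns that case into Permit while an employee still needs the database-backed Condition.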


