Subject: RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
Muhammad

> -----Original Message-----
> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at]
> Sent: Thursday, June 09, 2005 1:18 PM
> To: Kuketayev, Argyn (Contractor); xacml-users@lists.oasis-open.org
> Cc: Seth Proctor; Anne.Anderson@sun.com
> Subject: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
>
> Dear Argyn, Anne, Seth,
>
> you are not getting my point at all

Agreed.

>, the thing is that negative permissions
> or policies are not a problem at all, the problem is the
> inheritance of the constraints, i.e. if a constraint is
> specified for a junior role, does this apply to the senior
> role as well or not ??

I think that the issue is that you are trying to put a "constraint" in the PPS, which is effectively tied to a role. I think that it's "slightly" incompatible with the RBAC profile. Why? Look at ch. 1.5, paragraph 2; here's an excerpt:

===
The <Target> element of a Permission <PolicySet>, if present, must not limit the subjects to which the <PolicySet> is applicable.
===

OK, you are not putting this "constraint" into the target, but still your PPS indirectly refers to the subject's role, i.e. limits the applicable subjects similarly as if it were in the target. I think that one should avoid this type of condition in a PPS.

Thanks,
Argyn
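The two cases distinguished in the reply above, as an added Python example that is not part of the thread or of the RBAC profile: a lint that flags a Permission PolicySet whose own `<Target>` names subjects (the rule quoted from ch. 1.5) and a rule `<Condition>` that reads the subject's role attribute (the indirect case the reply advises against). It assumes the XACML 2.0 policy namespace and the profile's role attribute id; the sample policy, its ids, the role value and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"  # XACML 2.0 policy namespace
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"  # role attribute id (assumed)
URI = "http://www.w3.org/2001/XMLSchema#anyURI"

# Constructed sample: a Permission PolicySet whose Target is empty, but whose
# rule carries a condition on the subject's role (ids and role value are made up).
SAMPLE_PPS = f"""
<PolicySet xmlns="{XACML}" PolicySetId="PPS:employee:role"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target/>
  <Policy PolicyId="Permissions:employee"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <Rule RuleId="junior-constraint" Effect="Permit">
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
          <AttributeValue DataType="{URI}">urn:example:role-values:employee</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{ROLE_ATTR}" DataType="{URI}"/>
        </Apply>
      </Condition>
    </Rule>
  </Policy>
</PolicySet>"""


def lint_pps(xml_text):
    """Return (finding, element id) pairs for one Permission <PolicySet>."""
    root = ET.fromstring(xml_text)
    q = lambda name: f"{{{XACML}}}{name}"  # namespace-qualified tag name
    findings = []
    # Direct case, the rule quoted from ch. 1.5: the PPS <Target> names subjects.
    target = root.find(q("Target"))
    if target is not None and target.find(q("Subjects")) is not None:
        findings.append(("target-limits-subjects", root.get("PolicySetId")))
    # Indirect case raised in the reply: a <Condition> reads the role attribute.
    for rule in root.iter(q("Rule")):
        for cond in rule.findall(q("Condition")):
            for des in cond.iter(q("SubjectAttributeDesignator")):
                if des.get("AttributeId") == ROLE_ATTR:
                    findings.append(("condition-reads-role", rule.get("RuleId")))
    return findings


if __name__ == "__main__":
    for finding in lint_pps(SAMPLE_PPS):
        print(finding)
```
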