Re: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)

["Muhammad Masoom Alam" <Muhammad.alam@uibk.ac.at>]

Argyn,

this makes the profile of XACML simply of no use, i mean without 
constraints, or conditions it will not be effective at all.

Specification says: (line no 142 to 144)

"Permission <PolicySet> or PPS: a <PolicySet> that contains the actual 
permissions associated
with a given role. It contains <Policy> elements and <Rules> that describe 
the resources and
actions that subjects are permitted to access, along with any further 
conditions on that access, such
as time of day. A given Permission <PolicySet> may also contain references 
to Permission"

what does then the above sentences means at all ?

if we can specify a condition on date/time then we can specify some other 
condition as well.

if you say, that it is not the best place to specify it, plz guide me where 
i shall put constraints.

Dont you think so , specificaiton are inconsistent ?????????

regards
Muhammad.






----- Original Message ----- 
From: "Kuketayev, Argyn (Contractor)" <argyn_kuketayev@fanniemae.com>
To: <xacml-users@lists.oasis-open.org>
Sent: Thursday, June 09, 2005 7:34 PM
Subject: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an 
example)


Muhammad

> -----Original Message-----
> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at]
> Sent: Thursday, June 09, 2005 1:18 PM
> To: Kuketayev, Argyn (Contractor); xacml-users@lists.oasis-open.org
> Cc: Seth Proctor; Anne.Anderson@sun.com
> Subject: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
>
>
> Dear Argyn,Anne, Seth,
>
>
>
>
> you are not getting my point at all

Agreed.

>, the thing is that
> negative permissions
> or policies are not a problem at all, the problem is the
> inheritence of the
> constraints , i.e. if a constraint is specified for a junior
> role, does this
> apply to the senior role as well or not ??


I think that the issue is that you are trying to put a "constraint" in
PPS, which is effectively tied to a role. I think that it's "slightly"
incompatible with RBAC profile. Why? Look at the ch. 1.5, paragraph 2,
here's excerpt:

===
The <Target> element of a Permission <PolicySet>, if present,
must not limit the subjects to which the <PolicySet> is applicable.
===

Ok, you are not putting this "constraint" into the target, but still
your PPS indirectly refers to the subject's role, i.e. limits the
applicable subjects similarly as if it were in the target. I think that
one should avoid this type of conditions in PPS.

Thanks,
Argyn

---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org