xacml-users message

Subject: Re: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)


Muhammad Masoom Alam wrote:
> Specification says (lines 142 to 144):
> 
> "Permission <PolicySet> or PPS: a <PolicySet> that contains the actual 
> permissions associated
> with a given role. It contains <Policy> elements and <Rules> that 
> describe the resources and
> actions that subjects are permitted to access, along with any further 
> conditions on that access, such
> as time of day. A given Permission <PolicySet> may also contain 
> references to Permission"
> 
> What do the above sentences mean, then?
> 
> If we can specify a condition on date/time, then we can specify some 
> other condition as well.

And that other condition must be satisfied by the requester in order for 
the Permission to be granted.  If the requester does not satisfy the 
condition (because it is a database Attribute that only a direct holder 
of the "Employee" role can obtain a value for), then the requester will 
not and should not get that permission.  If you want the requester to 
get that Permission via some other route other than by inheritance of 
the "Employee" role permissions AND the associated condition, then you 
will need to state this Permission in the senior role's Permission 
PolicySet.

> If you say that it is not the best place to specify it, please guide me 
> where I shall put constraints.

If you want to give a permission to perform action X on resource Y to 
Role Junior only if f(Role Junior attributes) is "true", AND you want to 
give permission to perform action X on resource Y without those 
constraints to Role Senior, which happens to inherit permissions from 
Role Junior, then you need to include a rule in the Role Senior 
Permission PolicySet that gives permission to perform action X on 
resource Y (without any such constraints).

> Don't you think the specifications are inconsistent?

This is not inconsistent with the specification, and the specification 
(and the ANSI RBAC model) remain useful for managing role permissions where 
permissions and their associated constraints are inherited.  If you 
don't agree, then I think your problem is that your use case is not 
compatible with RBAC, not that RBAC is useless.

Regards,
Anne

> 
> regards
> Muhammad.
> 
> ----- Original Message ----- From: "Kuketayev, Argyn (Contractor)" 
> <argyn_kuketayev@fanniemae.com>
> To: <xacml-users@lists.oasis-open.org>
> Sent: Thursday, June 09, 2005 7:34 PM
> Subject: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an 
> example)
> 
> 
> Muhammad
> 
>> -----Original Message-----
>> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at]
>> Sent: Thursday, June 09, 2005 1:18 PM
>> To: Kuketayev, Argyn (Contractor); xacml-users@lists.oasis-open.org
>> Cc: Seth Proctor; Anne.Anderson@sun.com
>> Subject: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
>>
>> Dear Argyn, Anne, Seth,
>>
>> You are not getting my point at all
> 
> 
> Agreed.
> 
>> The thing is that negative permissions or policies are not a problem 
>> at all; the problem is the inheritance of the constraints, i.e. if a 
>> constraint is specified for a junior role, does this apply to the 
>> senior role as well or not?
> 
> 
> 
> I think that the issue is that you are trying to put a "constraint" in
> PPS, which is effectively tied to a role. I think that it's "slightly"
> incompatible with the RBAC profile. Why? Look at ch. 1.5, paragraph 2;
> here's an excerpt:
> 
> ===
> The <Target> element of a Permission <PolicySet>, if present,
> must not limit the subjects to which the <PolicySet> is applicable.
> ===
> 
> Ok, you are not putting this "constraint" into the target, but still
> your PPS indirectly refers to the subject's role, i.e. it limits the
> applicable subjects much as if it were in the target. I think that
> one should avoid this type of condition in a PPS.
> 
> Thanks,
> Argyn
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
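Anne's answer above (give Role Senior its own unconditional rule for action X on resource Y, next to the reference that inherits Role Junior's permissions) written out as a XACML 2.0 Permission PolicySet. This is an added illustration, not part of the thread and not a sample from the RBAC profile; the PolicySetId values, the resource name Y and the action name X are assumed placeholders, and Role Junior's PPS (assumed id "PPS:role:junior") is taken to hold the conditional "X on Y" rule the thread discusses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Permission PolicySet (PPS) for Role Senior (assumed ids). Role Senior inherits
     Role Junior's permissions by referencing Junior's PPS, which holds the rule
     "X on Y" guarded by a <Condition>. Because that condition is inherited together
     with the rule, this PPS restates "X on Y" without any condition. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicySetId="PPS:role:senior"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <!-- Empty Target: per RBAC profile ch. 1.5 a PPS must not limit the subjects; the
       role check lives in the Role PolicySet (RPS) that references this PPS. -->
  <Target/>
  <Policy PolicyId="PPS:role:senior:own-permissions"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <!-- Senior's own permission: action X on resource Y, no constraint attached -->
    <Rule RuleId="senior:X-on-Y" Effect="Permit">
      <Target>
        <Resources><Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Y</AttributeValue>
            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </ResourceMatch>
        </Resource></Resources>
        <Actions><Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">X</AttributeValue>
            <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </ActionMatch>
        </Action></Actions>
      </Target>
      <!-- Deliberately no <Condition>: the constraint stays on Junior's copy of the rule -->
    </Rule>
  </Policy>
  <!-- Inheritance: everything Junior may do (under Junior's conditions) Senior may do too -->
  <PolicySetIdReference>PPS:role:junior</PolicySetIdReference>
</PolicySet>
```

With permit-overrides, a Senior requester who fails Junior's condition still gets Permit from the unconditional rule above; a Junior requester is never evaluated against this PPS, because only Senior's RPS references it.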

