Subject: Re: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)

Muhammad Masoom Alam wrote:
> Specification says: (line no 142 to 144)
>
> "Permission <PolicySet> or PPS: a <PolicySet> that contains the actual
> permissions associated with a given role. It contains <Policy> elements
> and <Rules> that describe the resources and actions that subjects are
> permitted to access, along with any further conditions on that access,
> such as time of day. A given Permission <PolicySet> may also contain
> references to Permission"
>
> what does then the above sentences mean at all?
>
> if we can specify a condition on date/time then we can specify some
> other condition as well.

And that other condition must be satisfied by the requester in order for
the Permission to be granted. If the requester does not satisfy the
condition (because it is a database Attribute that only a direct holder of
the "Employee" role can obtain a value for), then the requester will not
and should not get that permission. If you want the requester to get that
Permission via some other route other than by inheritance of the
"Employee" role permissions AND the associated condition, then you will
need to state this Permission in the senior role's Permission PolicySet.

> if you say, that it is not the best place to specify it, please guide me
> where i shall put constraints.

If you want to give a permission to perform action X on resource Y to Role
Junior only if f(Role Junior attributes) is "true", AND you want to give
permission to perform action X on resource Y without those constraints to
Role Senior, which happens to inherit permissions from Role Junior, then
you need to include a rule in the Role Senior Permission PolicySet that
gives permission to perform action X on resource Y (without any such
constraints).

> Don't you think so, specifications are inconsistent ?????????

This is not inconsistent with the specification, and the specification
(and the ANSI RBAC model) remain useful for managing role permissions
where permissions and their associated constraints are inherited. If you
don't agree then I think your problem is that your use case is not
compatible with RBAC, not that RBAC is useless.

Regards,
Anne

> regards
> Muhammad.
>
> ----- Original Message -----
> From: "Kuketayev, Argyn (Contractor)" <argyn_kuketayev@fanniemae.com>
> To: <xacml-users@lists.oasis-open.org>
> Sent: Thursday, June 09, 2005 7:34 PM
> Subject: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
>
> Muhammad
>
>> -----Original Message-----
>> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at]
>> Sent: Thursday, June 09, 2005 1:18 PM
>> To: Kuketayev, Argyn (Contractor); xacml-users@lists.oasis-open.org
>> Cc: Seth Proctor; Anne.Anderson@sun.com
>> Subject: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
>>
>> Dear Argyn, Anne, Seth,
>>
>> you are not getting my point at all
>
> Agreed.
>
>> , the thing is that negative permissions or policies are not a problem
>> at all, the problem is the inheritance of the constraints, i.e. if a
>> constraint is specified for a junior role, does this apply to the senior
>> role as well or not ??
>
> I think that the issue is that you are trying to put a "constraint" in
> PPS, which is effectively tied to a role. I think that it's "slightly"
> incompatible with RBAC profile. Why? Look at the ch. 1.5, paragraph 2,
> here's excerpt:
>
> ===
> The <Target> element of a Permission <PolicySet>, if present,
> must not limit the subjects to which the <PolicySet> is applicable.
> ===
>
> Ok, you are not putting this "constraint" into the target, but still
> your PPS indirectly refers to the subject's role, i.e. limits the
> applicable subjects similarly as if it were in the target. I think that
> one should avoid this type of conditions in PPS.
>
> Thanks,
> Argyn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org

-- 
Anne H. Anderson             Anne.Anderson@sun.com
Sun Microsystems Labs        1-781-442-0928
Burlington, MA USA
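The point Anne makes, that a senior role which inherits a junior role's Permission PolicySet by reference inherits the junior Rule's Condition along with it, and that an unconstrained permission for the senior role has to be stated explicitly in the senior PPS, can be checked with a small evaluator. The block below is an added illustration, not code from this thread or from any XACML implementation: it models only the pieces the thread argues about (a PolicySet holding Rules or references to other PolicySets, a Rule with an optional Condition, permit-overrides combining) and omits the Policy layer, the Role PolicySet that maps a requester to a role, and Obligations. The policy ids, the `timesheet` resource, the `employee-db-record` attribute and the requests are constructed for the example; the `employee-db-record` attribute stands in for the "database Attribute that only a direct holder of the Employee role can obtain a value for" from Anne's reply.

```python
"""Simplified model of XACML RBAC-profile Permission PolicySets (PPS).

Added example (not from the xacml-users thread, not an XACML engine).
Assumptions: a flat attribute dictionary stands in for the XACML request
context; the Role PolicySet has already selected the PPS for the requester's
role, so only permission evaluation is modelled; permit-overrides is the
only combining algorithm.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

Request = Dict[str, str]           # attribute-id -> value (constructed, flat)
Condition = Callable[[Request], bool]

PERMIT = "Permit"
DENY = "Deny"
NOT_APPLICABLE = "NotApplicable"


@dataclass
class Rule:
    """A Rule with a resource/action Target and an optional Condition."""
    rule_id: str
    resource: str
    action: str
    effect: str = PERMIT
    condition: Optional[Condition] = None

    def evaluate(self, req: Request) -> str:
        if req.get("resource-id") != self.resource or req.get("action-id") != self.action:
            return NOT_APPLICABLE
        # In XACML a Rule whose Condition evaluates to False is NotApplicable,
        # so the Condition never turns a Permit into a Deny on its own.
        if self.condition is not None and not self.condition(req):
            return NOT_APPLICABLE
        return self.effect


@dataclass
class PolicySet:
    """A PolicySet whose children are Rules or other PolicySets.

    A child PolicySet plays the part of a PolicySetIdReference: this is how
    the RBAC profile lets a senior role's PPS inherit a junior role's PPS.
    """
    policy_set_id: str
    children: List[Union["PolicySet", Rule]] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        return permit_overrides(child.evaluate(req) for child in self.children)


def permit_overrides(decisions) -> str:
    """Permit wins over Deny; Deny wins over NotApplicable."""
    result = NOT_APPLICABLE
    for decision in decisions:
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            result = DENY
    return result


def holds_employee_record(req: Request) -> bool:
    # Constructed stand-in for an attribute only a direct Employee can supply.
    return req.get("employee-db-record") == "present"


# Junior role: permission carries a Condition (the thread's "constraint").
EMPLOYEE_PPS = PolicySet("PPS:employee", [
    Rule("employee-read-timesheet", resource="timesheet", action="read",
         condition=holds_employee_record),
])

# Senior role, variant 1: inherits the junior PPS by reference only.
MANAGER_PPS_INHERIT_ONLY = PolicySet("PPS:manager", [EMPLOYEE_PPS])

# Senior role, variant 2: inherits the junior PPS AND states the unconstrained
# permission explicitly, which is what Anne's reply recommends.
MANAGER_PPS_EXPLICIT = PolicySet("PPS:manager", [
    EMPLOYEE_PPS,
    Rule("manager-read-timesheet", resource="timesheet", action="read"),
])

# Constructed requests: the manager has no employee database record.
EMPLOYEE_REQUEST: Request = {"resource-id": "timesheet", "action-id": "read",
                             "employee-db-record": "present"}
MANAGER_REQUEST: Request = {"resource-id": "timesheet", "action-id": "read"}


def decide(pps: PolicySet, req: Request) -> str:
    """Evaluate a request against a Permission PolicySet."""
    return pps.evaluate(req)


if __name__ == "__main__":
    print("employee via employee PPS   :", decide(EMPLOYEE_PPS, EMPLOYEE_REQUEST))
    print("manager, inherit only       :", decide(MANAGER_PPS_INHERIT_ONLY, MANAGER_REQUEST))
    print("manager, explicit senior rule:", decide(MANAGER_PPS_EXPLICIT, MANAGER_REQUEST))
```

Running it shows the inherited Condition in effect: the manager's request is NotApplicable under the reference-only PPS because the only reachable Rule is the employee Rule and its Condition fails, and it is Permit once the manager PPS carries its own unconstrained Rule. Nothing in the junior PPS needs to change for that, which is the sense in which inheriting a constrained permission is consistent with the profile.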