
xacml-users message



Subject: group representation and combine algorithm


Hello,

 

I tend to represent groups as an attribute of the subject.

In the request context, all the groups that the subject is a member of are
specified as group-id attributes in the subject context.

 

Rules that apply to groups are defined as rules for any-user with the
subject attribute of the group-id.

 

I want specific rules that apply to a specific user to override the group
rules. I can achieve that by ordering the specific subject rules before the
any-user rules and using the first-applicable combining algorithm.

 

However, I want my rules to be handled with the deny-override algorithm, which
contradicts the group handling algorithm.

 

Does anyone have an idea how I can do it? Is there any other way to force
user-specific rules to override group rules?

 

Thanks,

Yair
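
The conflict described in this message, as an added example that is not part of the original post: a simplified Python model of the first-applicable and deny-overrides rule-combining algorithms applied to one user-specific rule and one group rule. Indeterminate results are left out, and the subject and group names are constructed.

```python
# Added illustration: simplified model of two XACML rule-combining algorithms.
# Indeterminate results and obligations are omitted. All names are constructed.

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def make_rule(effect, subject_id=None, group_id=None):
    """Rule that targets one subject-id, or any user holding group_id."""
    def evaluate(request):
        if subject_id is not None and request["subject-id"] != subject_id:
            return NOT_APPLICABLE
        if group_id is not None and group_id not in request["group-id"]:
            return NOT_APPLICABLE
        return effect
    return evaluate

def first_applicable(rules, request):
    """Return the effect of the first rule that applies, in listed order."""
    for rule in rules:
        decision = rule(request)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def deny_overrides(rules, request):
    """Any Deny wins regardless of order; otherwise any Permit wins."""
    decisions = [rule(request) for rule in rules]
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE

# Constructed sample policy: the user-specific rule is listed before the group rule.
RULES = [
    make_rule(PERMIT, subject_id="alice"),     # specific user
    make_rule(DENY, group_id="contractors"),   # any user in the group
]
# Constructed sample requests: both subjects carry the same group-id attribute.
ALICE = {"subject-id": "alice", "group-id": ["contractors"]}
BOB = {"subject-id": "bob", "group-id": ["contractors"]}

if __name__ == "__main__":
    for name, req in (("alice", ALICE), ("bob", BOB)):
        print(name, first_applicable(RULES, req), deny_overrides(RULES, req))
```

Under first-applicable the user rule shadows the group rule because of its position; under deny-overrides the group Deny wins for the same request, which is the contradiction raised above.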

 

 


