Subject: Re: Addendum: Re: Hierarchical resources policy and request file
Hi Anne,

I am using Sun's XACML 1.1 implementation. The Hierarchical Resource Profile, I believe, is part of the XACML 2.0 implementation. Will your solution work with the XACML 1.1 implementation? Do you strongly recommend that I use XACML 2.0? I am still writing up an alternative way in a notepad. I will send it once I have thought it through.

Thanks,
Dhirendra Sharma

--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Dhirendra,
>
> I omitted your "ABC-Read" roles from my examples by mistake. The simplest, if you really want to use "role" IDs like "ABC-Read", would be to define the value of the "resource-id" in the Request as the requested "role" - i.e. if the Subject wants to "read" company "ABC", then the resource-id will be "ABC-read". Assume the subsidiaries of ABC are DEF and GHI. The Context Handler then returns "ABC-read", "DEF-read", and "GHI-read" when asked for the AttributeId "...:resource-ancestor-or-self" if the "...:resource-id" is "ABC-read".
>
> I tried to stay close to what you actually asked for, but I don't think what you described would be very useful. You probably want to control access to resources at a company and its subsidiaries, not "reading" the company itself. If so, then you might want to use the Role Based Access Control Profile (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf), and have Subject role values that correspond to the highest-level *company* to which the Subject belongs. Then use hierarchical Permission <PolicySet>s to give a Subject in each role the appropriate action-id and resource-id rights. Don't mix action-id and resource-id into the role value itself.
>
> Regards,
> Anne
>
> dhirendra sharma wrote:
>
> > Hi,
> >
> > We need to specify the policy for the below:
> >
> > 1). A user should be able to "read" a company (Example: ABC Inc) provided he has the "ABC-Read" role and has "ABC Inc" as the company attribute value in his profile.
> >
> > 2). A user should be able to "read" a company (Example: ABC) and any of its subsidiaries provided he has the "ABC-Read" role and has "ABC Inc" or any of its subsidiaries as the company attribute value in his profile.
> >
> > The request could be made giving a company id which could fall anywhere in the subsidiary hierarchy, and we need to get a response saying whether the user is authorized or not.
> >
> > Can someone suggest a policy file and request XML for this?
> >
> > Thanks,
> > Dhirendra Sharma
> >
> > ---------------------------------------------------------------------
> > This publicly archived list supports open discussion on using the XACML OASIS Standard. To minimize spam in the archives, you must subscribe before posting.
> >
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> > List archives: http://lists.oasis-open.org/archives/xacml-users/
> > Committee homepage: http://www.oasis-open.org/committees/xacml/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> > Join OASIS: http://www.oasis-open.org/join/
>
> --
> Anne H. Anderson        Anne.Anderson@sun.com
> Sun Microsystems Labs   1-781-442-0928
> Burlington, MA USA
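The scheme Anne recommends above (Subject role = the highest-level company the Subject belongs to, resource-id = the company being requested, the Context Handler deriving resource-ancestor-or-self from the corporate hierarchy, and a Condition that checks whether any Subject role is in that bag) modelled as an added Python example. This is not code from the thread and not Sun's XACML implementation; it assumes the attribute identifier from the XACML 2.0 Hierarchical Resource Profile, a constructed hierarchy in which JKL is an assumed subsidiary of GHI, and a policy using the first-applicable rule-combining algorithm with a catch-all Deny rule. The XACML equivalents of each function are named in the comments.

```python
# Added example (not from the thread): toy Context Handler + PDP for the
# "role = top-level company, resource-id = requested company" scheme.

# Attribute identifiers from XACML core and the 2.0 Hierarchical Resource Profile.
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample hierarchy (child -> parent). ABC, DEF and GHI are from the
# thread; JKL is an assumed sub-subsidiary added to show a deeper chain.
PARENT = {"DEF": "ABC", "GHI": "ABC", "JKL": "GHI"}


def ancestor_or_self(resource_id, parent=PARENT):
    """Context Handler: the bag returned for resource-ancestor-or-self, i.e. the
    resource itself followed by each ancestor up to the root company."""
    bag = [resource_id]
    seen = {resource_id}
    node = resource_id
    while node in parent:
        node = parent[node]
        if node in seen:  # a cyclic hierarchy would otherwise loop forever
            raise ValueError("cycle in company hierarchy at %r" % node)
        seen.add(node)
        bag.append(node)
    return bag


def build_context(roles, resource_id, action):
    """Request context after the Context Handler has resolved the derived attribute."""
    return {
        "subject": {SUBJECT_ROLE: list(roles)},
        "resource": {
            RESOURCE_ID: [resource_id],
            RESOURCE_ANCESTOR_OR_SELF: ancestor_or_self(resource_id),
        },
        "action": {ACTION_ID: [action]},
    }


def string_at_least_one_member_of(bag_a, bag_b):
    """urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"""
    return any(value in bag_b for value in bag_a)


def rule_permit_read_within_own_tree(ctx):
    """Rule 1, Effect=Permit. Target: action-id string-equal "read".
    Condition: string-at-least-one-member-of(subject role bag,
    resource-ancestor-or-self bag). As in XACML, a matched Target with a
    false Condition makes the Rule NotApplicable rather than Deny."""
    if "read" not in ctx["action"][ACTION_ID]:
        return "NotApplicable"
    if string_at_least_one_member_of(ctx["subject"][SUBJECT_ROLE],
                                     ctx["resource"][RESOURCE_ANCESTOR_OR_SELF]):
        return "Permit"
    return "NotApplicable"


def rule_deny_everything_else(ctx):
    """Rule 2, Effect=Deny, with an empty Target: always applicable."""
    return "Deny"


def evaluate(ctx):
    """Policy using the first-applicable rule-combining algorithm."""
    for rule in (rule_permit_read_within_own_tree, rule_deny_everything_else):
        decision = rule(ctx)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def decide(roles, resource_id, action="read"):
    """roles held by the Subject, company requested, action requested -> decision."""
    return evaluate(build_context(roles, resource_id, action))


if __name__ == "__main__":
    cases = [(["ABC"], "ABC", "read"), (["ABC"], "JKL", "read"),
             (["GHI"], "DEF", "read"), (["DEF"], "ABC", "read"),
             (["ABC"], "ABC", "write")]
    for roles, company, action in cases:
        print(roles, company, action, "->", decide(roles, company, action))
```

The direction of the derived attribute is what makes requirement 2 work: a Subject whose role is ABC reads JKL because ABC is an ancestor of JKL, while a Subject whose role is DEF is denied ABC because the parent is never in a child's ancestor-or-self bag. Keeping action-id out of the role value, as Anne advises, is what lets the same Rule be reused for a "write" rule later without inventing "ABC-Write" roles.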