xacml-users message



Subject: Re: [xacml-users] Re: Addendum: Re: Hierarchical resources policy andrequest file


The XACML Role Based Access Control profile works with any release of 
XACML, although the examples in the specification are written using 
XACML 2.0 syntax.  The specification describes the minor changes needed 
to convert the examples to 1.0/1.1 in the second paragraph of Section 2.

I don't know of any out-of-the-box implementation of the RBAC Profile 
for any release of XACML yet; however, all the ones I've heard about are 
proprietary.  What is required is a PolicyFinderModule that will never 
initially match a Request against a "Permission <PolicySet>", but will 
use "Permission <PolicySet>s" only when referenced directly or 
indirectly from a "Role <PolicySet>".  With XACML 2.0 it might be 
possible to use VariableDef/Ref to implement the functionality of the 
"Permission <PolicySet>"s in a single top-level PolicySet, but I haven't 
thought this through.  The idea is that the "Role <PolicySet>" elements 
would use VariableRefs instead of references to "Permission 
<PolicySet>"s, where the corresponding VariableDefs contain what would 
have been in the "Permission <PolicySet>"s.

Regards,
Anne

dhirendra sharma wrote:

> Hi Anne,
> 
> I am using Sun's XACML 1.1 Implementation. 
> Hierarchical resource profile, I believe, is part of
> XACML 2.0 implementation.
> Will your solution work with XACML 1.1 implementation?
> 
> Do you strongly recommend me using XACML 2.0 ?
> 
> I am still writing an alternative way in a notepad. I will
> send once I have it thought through.
> 
> Thanks,
> Dhirendra Sharma
> 
> 
> 
> --- Anne Anderson <Anne.Anderson@sun.com> wrote:
> 
> 
>>Dhirendra,
>>
>>I omitted your "ABC-Read" roles from my examples by
>>mistake.  The 
>>simplest, if you really want to use "role" IDs like
>>"ABC-Read", would be 
>>to define the value of the "resource-id" in the
>>Request as the requested 
>>"role" - i.e. if the Subject wants to "read" company
>>"ABC", then the 
>>resource-id will be "ABC-read".  Assume the
>>subsidiaries of ABC are DEF 
>>and GHI.  The Context Handler then returns
>>"ABC-read", "DEF-read", and 
>>"GHI-read" when asked for the AttributeId 
>>"...:resource-ancestor-or-self" if the
>>"...:resource-id" is "ABC-read".
>>
>>I tried to stay close to what you actually asked
>>for, but I don't think 
>>what you described would be very useful.  You
>>probably want to control 
>>access to resources at a company and its
>>subsidiaries, not "reading" the 
>>company itself.  If so, then you might want to use
>>the Role Based Access Control Profile
>>(http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf),
>>and have Subject role values that correspond to the
>>highest level 
>>*company* to which the Subject belongs.  Then use
>>Hierarchical 
>>Permission <PolicySet>s to give a Subject in each
>>role appropriate 
>>action-id and resource-id rights.  Don't mix
>>action-id and resource-id 
>>into the role value itself.
>>
>>Regards,
>>Anne
>>
>>dhirendra sharma wrote:
>>
>>
>>>Hi,
>>>
>>>  We need to specify the policy for the below :
>>>	1). A user should be able to "read" a company
>>>(Example: ABC Inc) provided he has the "ABC-Read" role
>>>and should have "ABC Inc" as the company attribute value
>>>in his profile
>>>	
>>>	2). A user should be able to "read" a company
>>>(Example: ABC ) and any of its subsidiaries provided
>>>he has the "ABC-Read" role and should have "ABC Inc"
>>>or any of its subsidiaries as the company attribute
>>>value in his profile
>>>	
>>>	The request could be made giving company id which
>>>could fall anywhere in the subsidiary hierarchy and we
>>>need to get a response whether user is authorized or not.
>>>
>>>	Can someone suggest - policy file and request XML
>>>for this ?
>>>
>>>Thanks,
>>>Dhirendra Sharma
>>>
>>>
>>>---------------------------------------------------------------------
>>>This publicly archived list supports open discussion on using the
>>>XACML OASIS Standard. To minimize spam in the archives, you
>>>must subscribe before posting.
>>>
>>>[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>>>Alternately, using email: list-[un]subscribe@lists.oasis-open.org
>>>List archives: http://lists.oasis-open.org/archives/xacml-users/
>>>Committee homepage: http://www.oasis-open.org/committees/xacml/
>>>List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>>>Join OASIS: http://www.oasis-open.org/join/
>>>
>>
>>-- 
>>Anne H. Anderson               Anne.Anderson@sun.com
>>Sun Microsystems Labs          1-781-442-0928
>>Burlington, MA USA
>>
> 
> 
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
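Putting the two halves of the thread together (the Role/Permission <PolicySet> split and the PolicyFinderModule requirement in Anne's reply, and the resource-ancestor-or-self expansion in her earlier message), the following Python model is an added example: it is not code from this thread, from the RBAC profile or from Sun's XACML implementation. Python dicts stand in for XACML <PolicySet> elements; the ABC/DEF/GHI/JKL subsidiary tree, the role names and the PolicySet ids are constructed for the example, and the attribute names (role, action-id, resource-id, resource-ancestor-or-self) follow the thread. Its point is the check a practitioner would want before trusting a finder: with a finder that exposes Permission <PolicySet>s as top-level policies, a subject holding no role at all is permitted.

```python
"""Toy PDP for the XACML RBAC profile's Role / Permission <PolicySet> split.

Added example: not code from this thread, the RBAC profile or Sun's XACML
implementation.  Dicts stand in for XACML <PolicySet> elements; the company
tree, role names and PolicySet ids are constructed for the example.
"""

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed subsidiary tree (child -> parent): ABC owns DEF and GHI, DEF owns JKL.
PARENT = {"DEF": "ABC", "GHI": "ABC", "JKL": "DEF"}


def ancestor_or_self(company):
    """Context Handler value for resource-ancestor-or-self: the requested
    company followed by every company above it in the tree."""
    chain = [company]
    while company in PARENT:
        company = PARENT[company]
        chain.append(company)
    return chain


def build_request(roles, action, company):
    """Request context with the hierarchy attribute filled in by the Context Handler."""
    return {"role": roles, "action-id": action, "resource-id": company,
            "resource-ancestor-or-self": ancestor_or_self(company)}


# Role <PolicySet>s target a subject role and only reference a Permission
# <PolicySet>; Permission <PolicySet>s hold the rules and match any subject,
# so they are safe only if never matched directly.  Role values name the
# top-level company, as Anne recommends; action and resource stay in the rules.
POLICY_SETS = {
    "RPS:ABC": {"kind": "role", "role": "ABC-staff", "refs": ["PPS:ABC"], "rules": []},
    "RPS:GHI": {"kind": "role", "role": "GHI-staff", "refs": ["PPS:GHI"], "rules": []},
    "PPS:ABC": {"kind": "permission", "refs": [],
                "rules": [{"effect": PERMIT, "action": "read", "ancestor": "ABC"}]},
    "PPS:GHI": {"kind": "permission", "refs": [],
                "rules": [{"effect": PERMIT, "action": "read", "ancestor": "GHI"}]},
}


class PolicyFinder:
    """Stands in for a PolicyFinderModule.  By default a request is matched
    only against Role <PolicySet>s and Permission <PolicySet>s are reachable
    by reference alone; expose_permission_sets=True is the naive finder that
    treats every loaded PolicySet as top-level, kept here to show the failure."""

    def __init__(self, policy_sets, expose_permission_sets=False):
        self.policy_sets = policy_sets
        self.expose_permission_sets = expose_permission_sets

    def find_for_request(self, request):
        return [pid for pid, ps in self.policy_sets.items()
                if (ps["kind"] == "role" or self.expose_permission_sets)
                and target_matches(ps, request)]

    def find_by_reference(self, pid):
        return self.policy_sets[pid]


def target_matches(ps, request):
    if ps["kind"] == "role":
        return ps["role"] in request["role"]
    return True  # Permission <PolicySet> target is AnySubject


def evaluate_rule(rule, request):
    if rule["action"] != request["action-id"]:
        return NOT_APPLICABLE
    if rule["ancestor"] not in request["resource-ancestor-or-self"]:
        return NOT_APPLICABLE
    return rule["effect"]


def permit_overrides(decisions):
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NOT_APPLICABLE


def evaluate_policy_set(ps, request, finder):
    if not target_matches(ps, request):
        return NOT_APPLICABLE
    decisions = [evaluate_rule(r, request) for r in ps["rules"]]
    decisions += [evaluate_policy_set(finder.find_by_reference(ref), request, finder)
                  for ref in ps["refs"]]
    return permit_overrides(decisions)


def decide(request, finder):
    """PDP entry point: combine every top-level PolicySet the finder offers."""
    return permit_overrides([evaluate_policy_set(finder.find_by_reference(pid), request, finder)
                             for pid in finder.find_for_request(request)])


def is_authorized(request, finder):
    """PEP rule: anything other than an explicit Permit is treated as deny."""
    return decide(request, finder) == PERMIT


if __name__ == "__main__":
    safe = PolicyFinder(POLICY_SETS)
    naive = PolicyFinder(POLICY_SETS, expose_permission_sets=True)
    print(is_authorized(build_request(["ABC-staff"], "read", "JKL"), safe))  # True: JKL is under ABC
    print(is_authorized(build_request(["GHI-staff"], "read", "ABC"), safe))  # False: ABC is not under GHI
    print(is_authorized(build_request([], "read", "ABC"), safe))             # False: no role, no permission
    print(is_authorized(build_request([], "read", "ABC"), naive))            # True: the finder bug
```

The last two calls are the test worth carrying over to a real deployment: send the PDP a request that carries no role attribute and assert that it comes back NotApplicable, not Permit. If it permits, the finder is matching Permission <PolicySet>s directly and the role check is being bypassed, whatever the Role <PolicySet>s say. The PEP side treats NotApplicable and Indeterminate the same as Deny, which is why the example only ever returns True on an explicit Permit.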

