Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
Hi Erik,

We do have the deny permission situation, such as: if you are level 1 support, you cannot change the code (role=level 1 support, permission=cannot do {code, change}).

Could you please provide me some suggestions on how to use the RBAC profile of XACML v2.0 to realize the above semantics without using deny effect and deny-overrides?

Thanks a lot!

Hao

Best Regards

--- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:

> From: Erik Rissanen <erik@axiomatics.com>
> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> To: d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Tuesday, November 4, 2008, 2:20 AM
>
> Hi,
>
> For 1 and 2, no, you should not do this. That might break the consistency
> of the profile design and lead to unexpected results.
>
> For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role
> of the subject. There exist extensions for RBAC to handle all kinds of
> other requirements, so you may want to search the academic literature on
> the topic.
>
> Regards,
> Erik
>
> hao chen wrote:
> > Hi,
> >
> > I would appreciate it if someone can provide some information on the
> > following questions regarding the RBAC profile of XACML v2.0
> >
> > 1. The examples included in the profile use policy-combine
> > permit-overrides and rule-combine permit-overrides for both Role
> > <PolicySet> and Permission <PolicySet>. Can we use deny-overrides for
> > both Role <PolicySet> and Permission <PolicySet> too?
> >
> > 2. The examples included in the profile set Rule's effect to permit for
> > both Role <PolicySet> and Permission <PolicySet>. Can we set Rule's
> > effect to deny for both Role <PolicySet> and Permission <PolicySet>?
> >
> > 3. Can we use subject's attributes (except role) as conditions in the
> > rule settings of Permission <PolicySet>?
> >
> > thanks!
> > hao