
xacml-users message



Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0


Hi Erik,

We do have the deny permission situation such as
If you are level 1 support, you cannot change the code. (role = level 1 support, permission = cannot do {code, change}).

Could you please provide me some suggestions on how to use the RBAC profile of XACML v2.0 to realize the above semantics without using deny effect and deny-overrides?

Thanks a lot!

Hao

Best Regards


--- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:

> From: Erik Rissanen <erik@axiomatics.com>
> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> To: d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Tuesday, November 4, 2008, 2:20 AM
> Hi,
> 
> For 1 and 2, no, you should not do this. That might break the consistency of the profile design and lead to unexpected results.
>
> For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role of the subject. There exist extensions for RBAC to handle all kinds of other requirements, so you may want to search the academic literature on the topic.
> 
> Regards,
> Erik
> 
> hao chen wrote:
> > Hi,
> >
> > I appreciate if someone can provide some information on the following questions regarding RBAC profile of XACML v2.0
> >
> > 1. The examples included in the profile use policy-combine permit-overrides and rule-combine permit-overrides for both Role <PolicySet> and Permission <PolicySet>. Can we use deny-overrides for both Role <PolicySet> and Permission <PolicySet> too?
> >
> > 2. The examples included in the profile set Rule's effect to permit for both Role <PolicySet> and Permission <PolicySet>. Can we set Rule's effect to deny for both Role <PolicySet> and Permission <PolicySet>?
> >
> > 3. Can we use subject's attributes (except role) as conditions in the rule settings of Permission <PolicySet>?
> >
> > thanks!
> > hao


      

