Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
I don't think that you can do that. It's a limitation in the RBAC model on which the profile is based. It's not a problem with the profile itself.

Regards,
Erik

hao chen wrote:
> Hi Erik,
>
> We do have the deny permission situation such as
> If you are level 1 support, you can not change the code. ( role=level 1 support, permission= can not do {code, change} ).
>
> Could you please provide me some suggestion on how to use RBAC profile of XACML v2.0 to realize the above semantics without using deny effect and deny-overrides?
>
> Thanks a lot!
>
> Hao
>
> Best Regards
>
> --- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:
>
>> From: Erik Rissanen <erik@axiomatics.com>
>> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
>> To: d95776@yahoo.com
>> Cc: xacml-users@lists.oasis-open.org
>> Date: Tuesday, November 4, 2008, 2:20 AM
>>
>> Hi,
>>
>> For 1 and 2, no you should not do this. That might break the consistency of the profile design and lead to unexpected results.
>>
>> For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role of the subject. There exist extensions for RBAC to handle all kinds of other requirements, so you may want to search the academic literature on the topic.
>>
>> Regards,
>> Erik
>>
>> hao chen wrote:
>>> Hi,
>>>
>>> I appreciate if someone can provide some information on the following questions regarding RBAC profile of XACML v2.0
>>>
>>> 1. The examples included in the profile use policy-combine permit-overrides and rule-combine permit-overrides for both Role <PolicySet> and Permission <PolicySet>. Can we use deny-overrides for both Role <PolicySet> and Permission <PolicySet> too?
>>>
>>> 2. The examples included in the profile set Rule's effect to permit for both Role <PolicySet> and Permission <PolicySet>. Can we set Rule's effect to deny for both Role <PolicySet> and Permission <PolicySet>?
>>>
>>> 3. Can we use subject's attributes (except role) as conditions in the rule settings of Permission <PolicySet>?
>>>
>>> thanks!
>>> hao
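
Added example (not part of the original thread, and not code from the RBAC profile): a simplified Python model of Role and Permission PolicySets showing one way a Deny rule with deny-overrides can give an unexpected result once a senior role's Permission PolicySet references a junior role's. The "level 2 support" role, the `read` permission and all class and function names are assumptions made for illustration; Indeterminate results and the Policy layer between PolicySet and Rule are omitted.

```python
# Added illustration: simplified XACML 2.0 combining (no Indeterminate, no obligations).
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def combine(alg, decisions):
    """Apply permit-overrides or deny-overrides to child decisions."""
    decisions = list(decisions)
    first, second = (PERMIT, DENY) if alg == "permit-overrides" else (DENY, PERMIT)
    if first in decisions:
        return first
    return second if second in decisions else NA

class Rule:
    def __init__(self, effect, resource, action):
        self.effect, self.resource, self.action = effect, resource, action
    def evaluate(self, req):
        hit = (req["resource"], req["action"]) == (self.resource, self.action)
        return self.effect if hit else NA

class PermissionPolicySet:
    """PPS: own rules plus references to junior roles' PPSs (inheritance)."""
    def __init__(self, alg, rules, juniors=()):
        self.alg, self.children = alg, list(rules) + list(juniors)
    def evaluate(self, req):
        return combine(self.alg, (c.evaluate(req) for c in self.children))

class RolePolicySet:
    """RPS: target matches the subject's role, then defers to its PPS."""
    def __init__(self, role, pps):
        self.role, self.pps = role, pps
    def evaluate(self, req):
        return self.pps.evaluate(req) if req["role"] == self.role else NA

def build(alg, level1_rules):
    # "level 2 support" is a hypothetical senior role that inherits level 1.
    pps1 = PermissionPolicySet(alg, level1_rules)
    pps2 = PermissionPolicySet(alg, [Rule(PERMIT, "code", "change")], [pps1])
    return alg, [RolePolicySet("level 1 support", pps1),
                 RolePolicySet("level 2 support", pps2)]

def decide(policy, role, resource, action):
    alg, role_sets = policy
    req = {"role": role, "resource": resource, "action": action}
    return combine(alg, (rps.evaluate(req) for rps in role_sets))

# Constructed policies: Permit-only as in the profile, and a Deny variant.
PROFILE_STYLE = build("permit-overrides", [Rule(PERMIT, "code", "read")])
WITH_DENY = build("deny-overrides", [Rule(DENY, "code", "change"),
                                     Rule(PERMIT, "code", "read")])

if __name__ == "__main__":
    for name, pol in (("permit-only", PROFILE_STYLE), ("with-deny", WITH_DENY)):
        for role in ("level 1 support", "level 2 support"):
            print(name, role, decide(pol, role, "code", "change"))
```

In the Permit-only variant, level 1 support simply has no permission to change code (NotApplicable), while the senior role is permitted; in the Deny variant, the inherited Deny also overrides the senior role's own Permit.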