Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0


I don't think that you can do that. It's a limitation in the RBAC model 
on which the profile is based. It's not a problem with the profile itself.

Regards,
Erik

hao chen wrote:
> Hi Erik,
>
> We do have the deny permission situation, such as:
> If you are level 1 support, you cannot change the code. ( role=level 1 support, permission= cannot do {code, change} ).
>
> Could you please give me some suggestions on how to use the RBAC profile of XACML v2.0 to realize the above semantics without using the deny effect and deny-overrides?
>
> Thanks a lot!
>
> Hao
>
> Best Regards
>
>
> --- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:
>
>> From: Erik Rissanen <erik@axiomatics.com>
>> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
>> To: d95776@yahoo.com
>> Cc: xacml-users@lists.oasis-open.org
>> Date: Tuesday, November 4, 2008, 2:20 AM
>> Hi,
>>
>> For 1 and 2, no, you should not do this. That might break the consistency of the profile design and lead to unexpected results.
>>
>> For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role of the subject. There exist extensions for RBAC to handle all kinds of other requirements, so you may want to search the academic literature on the topic.
>>
>> Regards,
>> Erik
>>
>> hao chen wrote:
>>> Hi,
>>>
>>> I would appreciate it if someone could provide some information on the following questions regarding the RBAC profile of XACML v2.0.
>>>
>>> 1. The examples included in the profile use policy-combine permit-overrides and rule-combine permit-overrides for both Role <PolicySet> and Permission <PolicySet>. Can we use deny-overrides for both Role <PolicySet> and Permission <PolicySet> too?
>>>
>>> 2. The examples included in the profile set Rule's effect to permit for both Role <PolicySet> and Permission <PolicySet>. Can we set Rule's effect to deny for both Role <PolicySet> and Permission <PolicySet>?
>>>
>>> 3. Can we use subject's attributes (except role) as conditions in the rule settings of Permission <PolicySet>?
>>>
>>> thanks!
>>> hao
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
>>> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
>>
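The point Erik makes above (a "cannot do {code, change}" permission has no place in the RBAC profile, which expresses what a role may do, not what it may not) can be seen by modelling the profile's structure and combining algorithms. The following is an added illustration, not code from this thread, from OASIS or from any XACML implementation. It reduces Role <PolicySet> to a target on the role attribute plus a reference to a Permission <PolicySet>, keeps the permit-overrides combining used by the profile's examples, and uses constructed roles ("level-1-support", "level-2-support"), resources and actions; the helper names are this example's own.

```python
# Added illustration of the RBAC profile structure discussed in this thread.
# Not code from the thread, from OASIS or from any XACML implementation;
# roles, resources, actions and helper names are constructed for the example.

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def permit_overrides(decisions):
    """XACML permit-overrides: one Permit wins over any number of Denies."""
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE


class Rule:
    """A rule targeting one (resource, action) pair with a fixed effect."""

    def __init__(self, effect, resource, action):
        self.effect, self.resource, self.action = effect, resource, action

    def evaluate(self, request):
        if (request["resource"], request["action"]) == (self.resource, self.action):
            return self.effect
        return NOT_APPLICABLE


class PermissionPolicySet:
    """Permission <PolicySet>: the rules granted to a role, combined with
    permit-overrides as in the profile's examples. (A real Permission PolicySet
    may also reference a junior role's Permission PolicySet; omitted here.)"""

    def __init__(self, rules):
        self.rules = rules

    def evaluate(self, request):
        return permit_overrides([r.evaluate(request) for r in self.rules])


class RolePolicySet:
    """Role <PolicySet>: its Target matches the role attribute only, and its
    body is a reference to the role's Permission <PolicySet>."""

    def __init__(self, role, permissions):
        self.role, self.permissions = role, permissions

    def evaluate(self, request):
        if self.role not in request["roles"]:
            return NOT_APPLICABLE
        return self.permissions.evaluate(request)


def build_role_policysets(with_deny_rule=False):
    """Constructed roles: level-1 support may read tickets; level-2 support may
    read tickets and change code. with_deny_rule=True adds the Deny rule the
    thread asks about to level-1 support's permissions."""
    level1_rules = [Rule(PERMIT, "ticket", "read")]
    if with_deny_rule:
        level1_rules.append(Rule(DENY, "code", "change"))
    level2_rules = [Rule(PERMIT, "ticket", "read"), Rule(PERMIT, "code", "change")]
    return [
        RolePolicySet("level-1-support", PermissionPolicySet(level1_rules)),
        RolePolicySet("level-2-support", PermissionPolicySet(level2_rules)),
    ]


def decide(roles, resource, action, with_deny_rule=False):
    """Top-level PDP: all Role PolicySets combined with permit-overrides."""
    request = {"roles": set(roles), "resource": resource, "action": action}
    return permit_overrides(
        [rps.evaluate(request) for rps in build_role_policysets(with_deny_rule)]
    )


if __name__ == "__main__":
    # Without a Deny rule, "level 1 cannot change code" is expressed by omission:
    # the request is NotApplicable, never Permit.
    print(decide(["level-1-support"], "code", "change"))        # NotApplicable
    print(decide(["level-2-support"], "code", "change"))        # Permit
    # With a Deny rule, a subject holding only level-1 support is denied...
    print(decide(["level-1-support"], "code", "change", True))  # Deny
    # ...but a subject holding both roles is still permitted: permit-overrides
    # lets level-2's Permit win, so the Deny never expresses a real prohibition.
    print(decide(["level-1-support", "level-2-support"], "code", "change", True))  # Permit
```

The last case is the practical consequence of the reply above: under the profile's permit-overrides structure, a Deny placed in one role's Permission <PolicySet> is overridden as soon as the subject holds any role that grants the same permission, so the only reliable way to say "level 1 support cannot change code" is to leave that permission out of the level-1 role (and to keep the PDP's default for NotApplicable at deny).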