xacml-users message
Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0


Hi Erik,

I have another question regarding RBAC profile of XACML v2.0.

In the RBAC profile of XACML v2.0, it defines a HasPrivilegesOfRole <Policy> that supports requests asking whether a subject has the privileges associated with a given role. The semantics of the policy are not clear to me. Does it answer questions such as:
1) Does a subject have the permissions of a role A?
or
2) If a subject has a senior role S, does the subject have the permissions of a junior role A?

I reviewed the examples included in the profile for HasPrivilegesOfRole. The HasPrivilegesOfRole request examples only tell us that the subject has an Id called Anne. How does the PDP follow the hierarchical role chaining and give the correct result?

I do not think the policy could answer question 1).
If the policy tries to answer question 2), then the request has to provide some senior role and ask if the subject has some junior role, or the policy must define subject match rules against the subject's attributes such that the request must provide the required subject attribute to ask if the subject has the permissions of a role.

I think the HasPrivilegesOfRole <Policy> needs to be clarified more in the profile.

Could you please help me understand the policy better?

Thanks a lot.

hao

--- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:

> From: Erik Rissanen <erik@axiomatics.com>
> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> To: d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Tuesday, November 4, 2008, 7:28 AM
> I don't think that you can do that. It's a
> limitation in the RBAC model on which the profile is based.
> It's not a problem with the profile itself.
> 
> Regards,
> Erik
> 
> hao chen wrote:
> > Hi Erik,
> > 
> > We do have the deny permission situation such as:
> > If you are level 1 support, you cannot change the code. ( role=level 1 support, permission= can not do {code, change} ).
> > 
> > Could you please provide me some suggestion on how to use RBAC profile of XACML v2.0 to realize the above semantics without using deny effect and deny-overrides?
> > 
> > Thanks a lot!
> > 
> > Hao
> > 
> > Best Regards
> > 
> > 
> > --- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:
> > 
> >> From: Erik Rissanen <erik@axiomatics.com>
> >> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> >> To: d95776@yahoo.com
> >> Cc: xacml-users@lists.oasis-open.org
> >> Date: Tuesday, November 4, 2008, 2:20 AM
> >> Hi,
> >> 
> >> For 1 and 2, no you should not do this. That might break the consistency of the profile design and lead to unexpected results.
> >> 
> >> For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role of the subject. There exist extensions for RBAC to handle all kinds of other requirements, so you may want to search the academic literature on the topic.
> >> 
> >> Regards,
> >> Erik
> >> 
> >> hao chen wrote:
> >>> Hi,
> >>> 
> >>> I would appreciate it if someone can provide some information on the following questions regarding RBAC profile of XACML v2.0
> >>> 
> >>> 1. The examples included in the profile use policy-combine permit-overrides and rule-combine permit-overrides for both Role <PolicySet> and Permission <PolicySet>. Can we use deny-overrides for both Role <PolicySet> and Permission <PolicySet> too?
> >>> 
> >>> 2. The examples included in the profile set Rule's effect to permit for both Role <PolicySet> and Permission <PolicySet>. Can we set Rule's effect to deny for both Role <PolicySet> and Permission <PolicySet>?
> >>> 
> >>> 3. Can we use subject's attributes (except role) as conditions in the rule settings of Permission <PolicySet>?
> >>> 
> >>> thanks!
> >>> hao
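As an added illustration, not part of the thread above, here is a small Python simulation of how the RBAC profile's Role <PolicySet> and Permission <PolicySet> chaining lets a HasPrivilegesOfRole request about a junior role be permitted for a subject who holds the senior role. The class names, the simplified request dictionaries and the sample roles are assumptions; the subject's role attribute is assumed to be already present in the request context, and the only XACML identifiers used are the profile's role attribute and hasPrivilegesOfRole action.

```python
from dataclasses import dataclass, field

# Identifiers defined by the RBAC profile of XACML v2.0
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
HAS_PRIV = "urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole"


@dataclass
class PermissionPolicySet:
    """Simplified Permission <PolicySet> for one role (assumed model)."""
    role: str
    permissions: set                        # (resource-id, action) pairs this role may perform
    juniors: list = field(default_factory=list)  # PolicySetIdReferences to junior-role PPSs

    def evaluate(self, request):
        # HasPrivilegesOfRole <Policy>: Permit when the request asks about this PPS's own role
        if request["action"] == HAS_PRIV and request["resource"].get(ROLE_ATTR) == self.role:
            return "Permit"
        # Ordinary permission rules of this role
        if (request["resource"].get("resource-id"), request["action"]) in self.permissions:
            return "Permit"
        # permit-overrides across the referenced junior PPSs: this is the role hierarchy
        for junior in self.juniors:
            if junior.evaluate(request) == "Permit":
                return "Permit"
        return "NotApplicable"


def pdp(role_policysets, request):
    """Role <PolicySet>s: target on the subject's role attribute, then reference the PPS."""
    for role in request["subject_roles"]:
        pps = role_policysets.get(role)
        if pps is not None and pps.evaluate(request) == "Permit":
            return "Permit"
    return "NotApplicable"


def demo_policysets():
    # Constructed sample hierarchy: manager is senior to employee
    employee = PermissionPolicySet("employee", {("source-code", "read")})
    manager = PermissionPolicySet("manager", {("source-code", "change")}, juniors=[employee])
    return {"employee": employee, "manager": manager}


def has_privileges_of_role(role_policysets, subject_roles, asked_role):
    """Build a HasPrivilegesOfRole request: the asked-about role travels as a resource attribute."""
    request = {"subject_roles": subject_roles, "resource": {ROLE_ATTR: asked_role}, "action": HAS_PRIV}
    return pdp(role_policysets, request)


if __name__ == "__main__":
    ps = demo_policysets()
    print(has_privileges_of_role(ps, ["manager"], "employee"))   # senior asks about junior
    print(has_privileges_of_role(ps, ["employee"], "manager"))   # junior asks about senior
    print(has_privileges_of_role(ps, [], "employee"))            # no role attribute supplied
```

With no role attribute in the request context (the third call) nothing matches, which is why a subject-id alone is not enough for the PDP to reach a Permit.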