Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
Hi Erik,

By using the request example provided in the profile

    <Request>
      <Subject>
        <Attribute AttributeId="&subject;subject-id" DataType="&xml;string">
          <AttributeValue>Anne</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="&role;" DataType="&xml;anyURI">
          <AttributeValue>&roles;manager</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="&action;action-id" DataType="&xml;anyURI">
          <AttributeValue>&actions;hasPrivilegesOfRole</AttributeValue>
        </Attribute>
      </Action>
    </Request>

Could you please go through the steps of how we know if Anne is allowed to act in the given role manager? I could not figure it out since there's no subject information defined in the Permission <PolicySet> at all.

I very much appreciate your help.

hao

--- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:

> From: Erik Rissanen <erik@axiomatics.com>
> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> To: d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Tuesday, November 4, 2008, 8:30 AM
>
> That question answers whether the user is allowed to act in the given role. It works by means of following the policy references.
>
> Regards,
> Erik
>
> hao chen wrote:
> > Hi Erik,
> >
> > I have another question regarding the RBAC profile of XACML v2.0.
> >
> > In the RBAC profile of XACML v2.0, it defines a HasPrivilegesOfRole <Policy> that supports requests asking whether a subject has the privileges associated with a given role. The semantics of the policy are not clear to me. Does it answer a question such as:
> > 1) Does a subject have a permission of a role A?
> > or
> > 2) If a subject has a senior role S, does the subject have a permission of a junior role A?
> >
> > I reviewed the examples included in the profile for HasPrivilegesOfRole. The HasPrivilegesOfRole request examples only tell that the subject has an Id called Anne. How does the PDP follow the hierarchical role chaining and give the correct result?
> > I do not think the policy could answer question 1).
> > If the policy tries to answer question 2), then the request has to provide some senior role and ask if the subject has some junior role, or the policy must define subject match rules against the subject's attributes such that the request must provide the required subject's attribute to ask if the subject has the permission of a role.
> > I think the HasPrivilegesOfRole <Policy> needs to be clarified more in the profile.
> >
> > Could you please help me to understand the policy better?
> >
> > thanks a lot.
> >
> > hao
> >
> > --- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:
> >
> >> From: Erik Rissanen <erik@axiomatics.com>
> >> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> >> To: d95776@yahoo.com
> >> Cc: xacml-users@lists.oasis-open.org
> >> Date: Tuesday, November 4, 2008, 7:28 AM
> >>
> >> I don't think that you can do that. It's a limitation in the RBAC model on which the profile is based. It's not a problem with the profile itself.
> >>
> >> Regards,
> >> Erik
> >>
> >> hao chen wrote:
> >>> Hi Erik,
> >>>
> >>> We do have the deny permission situation, such as:
> >>> If you are level 1 support, you cannot change the code. ( role=level 1 support, permission= cannot do {code, change} ).
> >>> Could you please provide me some suggestion on how to use the RBAC profile of XACML v2.0 to realize the above semantics without using deny effect and deny-overrides?
> >>> Thanks a lot!
> >>>
> >>> Hao
> >>>
> >>> Best Regards
> >>>
> >>> --- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:
> >>>
> >>>> From: Erik Rissanen <erik@axiomatics.com>
> >>>> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> >>>> To: d95776@yahoo.com
> >>>> Cc: xacml-users@lists.oasis-open.org
> >>>> Date: Tuesday, November 4, 2008, 2:20 AM
> >>>>
> >>>> Hi,
> >>>>
> >>>> For 1 and 2, no, you should not do this. That might break the consistency of the profile design and lead to unexpected results.
> >>>> For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role of the subject. There exist extensions for RBAC to handle all kinds of other requirements, so you may want to search the academic literature on the topic.
> >>>>
> >>>> Regards,
> >>>> Erik
> >>>>
> >>>> hao chen wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I would appreciate it if someone could provide some information on the following questions regarding the RBAC profile of XACML v2.0.
> >>>>> 1. The examples included in the profile use policy-combine permit-overrides and rule-combine permit-overrides for both Role <PolicySet> and Permission <PolicySet>. Can we use deny-overrides for both Role <PolicySet> and Permission <PolicySet> too?
> >>>>> 2. The examples included in the profile set the Rule's effect to permit for both Role <PolicySet> and Permission <PolicySet>. Can we set the Rule's effect to deny for both Role <PolicySet> and Permission <PolicySet>?
> >>>>> 3. Can we use the subject's attributes (except role) as conditions in the rule settings of the Permission <PolicySet>?
> >>>>> thanks!
> >>>>> hao

---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
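To illustrate Erik's point about following the policy references, here is an added Python sketch (not from this thread, the profile, or any XACML implementation) of the Role <PolicySet> / Permission <PolicySet> layout: the Role <PolicySet> target matches the subject's role attribute and references the Permission <PolicySet>, which holds the HasPrivilegesOfRole <Policy> and references the Permission <PolicySet>s of junior roles. It assumes the subject's role attribute is available to the PDP (in the request or via an attribute lookup); all role, resource and action names are constructed placeholders in the profile's entity style.

```python
# Toy model, constructed for this thread, of the XACML 2.0 RBAC profile layout:
# Role <PolicySet> -> PolicySetIdReference -> Permission <PolicySet>, which may
# reference the Permission <PolicySet>s of junior roles. Not a XACML engine.
from dataclasses import dataclass, field

PERMIT, NOT_APPLICABLE = "Permit", "NotApplicable"
HAS_PRIV = "&actions;hasPrivilegesOfRole"  # action-id used by the profile's request

@dataclass
class PermissionPolicySet:
    role: str
    permissions: set                             # (resource, action) granted directly
    juniors: list = field(default_factory=list)  # references to junior roles' sets

    def evaluate(self, resource, action):
        # HasPrivilegesOfRole <Policy>: permit when the request asks about this role
        if action == HAS_PRIV and resource == self.role:
            return PERMIT
        if (resource, action) in self.permissions:
            return PERMIT
        # Follow the references (permit-overrides): a senior role inherits every
        # permission of its juniors, including their HasPrivilegesOfRole permit.
        if any(j.evaluate(resource, action) == PERMIT for j in self.juniors):
            return PERMIT
        return NOT_APPLICABLE

@dataclass
class RolePolicySet:
    role: str
    pps: PermissionPolicySet

    def evaluate(self, subject_roles, resource, action):
        # Target matches only subjects holding this role; the subject-id ("Anne")
        # is never examined, so the permission policies need no subject rules.
        if self.role not in subject_roles:
            return NOT_APPLICABLE
        return self.pps.evaluate(resource, action)

def build_policies():
    employee = PermissionPolicySet("&roles;employee", {("&resources;report", "&actions;read")})
    manager = PermissionPolicySet("&roles;manager", {("&resources;report", "&actions;approve")}, [employee])
    return [RolePolicySet("&roles;employee", employee), RolePolicySet("&roles;manager", manager)]

def decide(subject_roles, resource, action):
    # PDP entry point; subject_roles is the subject's role attribute (assumed available).
    for rps in build_policies():
        if rps.evaluate(subject_roles, resource, action) == PERMIT:
            return PERMIT
    return NOT_APPLICABLE
```

With the profile's request, Anne gets Permit only once the PDP knows she holds &roles;manager; with no role attribute the same request evaluates to NotApplicable, and a manager asking about &roles;employee is permitted through the reference to the junior role's set.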