OASIS Mailing List Archives

xacml-users message



Subject: retrieving a list or query filter of resources the caller is authorized for


Hey,
several months ago I was asked to introduce a powerful rules-engine to
generate authorizations into my current project. I had a look around, found XACML
and decided to try to use it.
The result is an adaptation that is based on the XACML model.
Being able to generate authorizations (spring-security ACL), one of the main
use cases is answering the question:
  What secured resources (of a given type) is the given subject authorized for?
This includes the question what action is allowed for which secured resource.

I did not find a way to solve this problem with XACML itself.

I understand that a PDP decides if a subject is authorized to access a resource in some
way, whereas the subject, the resource and the action must be given to the PDP,
but in some cases this is just not appropriate in my opinion. But I might be wrong ;)

One of the basic requirements on the access control management in my current project is to
return a list of ids of secured resources of a certain type to get that list from the
related resource data store. To achieve that with XACML each request to the PDP would
include the complete list of secured resources the caller is interested in and therefore
it is necessary to always have all secured resources around which often might be more than
2000.
In my project I extended the PDP to have access to the domain, but this is probably not a solution
in the sense of XACML. How about being able to return a filter which can be used to query
the domain?

Any help on this issue and explanations in case I got something wrong about XACML are welcome.

regards
Ralf
begin:vcard
fn:Ralf Lorenz
n:Lorenz;Ralf
org:T-Systems Multimedia Solutions GmbH;Experience Design & Emerging Technologies
adr:;;Goslarer Ufer 35;Berlin;Berlin;10589;Deutschland
email;internet:ralf.lorenz@mms-dresden.de
title:Senior Software Entwickler
tel;work:+49 (0)30 3497-1920
tel;fax:+49 (0)30 3497-1939
x-mozilla-html:FALSE
url:http://www.t-systems-mms.com
version:2.1
end:vcard
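The two approaches contrasted in the message above, as an added example that is not part of the original post or of any XACML implementation: a classic per-request `decide(subject, action, resource)` call, and a `build_filter(subject, action, resource_type)` call that binds subject and action up front and hands the remaining resource-attribute constraints back as a filter the data store can apply, so the caller never has to fetch all 2000+ resources to find the ones it may access. The rule format, the attribute names, the sample store and the subjects are all constructed for this example (a simplified dict-based policy, not XACML XML); the combining behaviour is deny-overrides.

```python
"""Per-resource PDP decisions versus a derived query filter (constructed example)."""

# Constructed mini policy language (not XACML): each rule covers one action on
# one resource type, applies when the subject's attributes match, and permits or
# denies resources whose attributes satisfy the stated conditions. A condition
# value written "subject.<attr>" is compared with that attribute of the caller.
RULES = [
    {"effect": "Permit", "action": "read", "resource_type": "document",
     "subject": {"role": "auditor"}, "resource": {}},
    {"effect": "Permit", "action": "read", "resource_type": "document",
     "subject": {"role": "staff"}, "resource": {"department": "subject.department"}},
    {"effect": "Permit", "action": "edit", "resource_type": "document",
     "subject": {"role": "staff"}, "resource": {"owner": "subject.id"}},
    {"effect": "Deny", "action": "edit", "resource_type": "document",
     "subject": {}, "resource": {"status": "archived"}},
]

# Constructed resource store and caller; in the message these would be the
# project's domain data and the authenticated user.
STORE = [
    {"id": 1, "type": "document", "department": "sales", "owner": "alice", "status": "active"},
    {"id": 2, "type": "document", "department": "sales", "owner": "bob", "status": "archived"},
    {"id": 3, "type": "document", "department": "legal", "owner": "carol", "status": "active"},
    {"id": 4, "type": "document", "department": "sales", "owner": "alice", "status": "archived"},
]
ALICE = {"id": "alice", "role": "staff", "department": "sales"}
DAN = {"id": "dan", "role": "auditor"}


def _resolve(value, subject):
    """Substitute "subject.<attr>" references with the caller's attribute value."""
    if isinstance(value, str) and value.startswith("subject."):
        return subject.get(value[len("subject."):])
    return value


def _subject_applies(rule, subject):
    return all(subject.get(k) == v for k, v in rule["subject"].items())


def _hit(clause, resource):
    return all(resource.get(k) == v for k, v in clause.items())


def decide(subject, action, resource):
    """Classic PDP call: one subject, one action, one concrete resource.
    Deny-overrides combining; NotApplicable when no rule matches."""
    result = "NotApplicable"
    for rule in RULES:
        if rule["action"] != action or rule["resource_type"] != resource["type"]:
            continue
        if not _subject_applies(rule, subject):
            continue
        clause = {k: _resolve(v, subject) for k, v in rule["resource"].items()}
        if not _hit(clause, resource):
            continue
        if rule["effect"] == "Deny":
            return "Deny"
        result = "Permit"
    return result


def build_filter(subject, action, resource_type):
    """Partial evaluation: bind subject and action now and leave the resource open.
    Returns the resource-attribute constraints of every applicable rule, split by
    effect, so the data store can apply them as a query instead of the caller
    fetching every resource and calling decide() on each one."""
    permits, denies = [], []
    for rule in RULES:
        if rule["action"] != action or rule["resource_type"] != resource_type:
            continue
        if not _subject_applies(rule, subject):
            continue
        clause = {k: _resolve(v, subject) for k, v in rule["resource"].items()}
        (denies if rule["effect"] == "Deny" else permits).append(clause)
    return {"permit": permits, "deny": denies}


def matches_filter(flt, resource):
    """A resource is authorized if it matches some permit clause and no deny clause."""
    return any(_hit(c, resource) for c in flt["permit"]) and not any(
        _hit(c, resource) for c in flt["deny"])


def filter_to_sql(flt, table):
    """Render the filter as a parameterised SELECT: OR of permit conjunctions,
    minus deny conjunctions. Column names come from the policy (validated as
    identifiers); attribute values are bound as parameters, never interpolated."""
    params = []

    def conj(clause):
        if not clause:
            return "1=1"  # a rule with no resource condition matches every row
        parts = []
        for k, v in clause.items():
            if not k.isidentifier():
                raise ValueError(f"bad attribute name in policy: {k!r}")
            parts.append(f"{k} = ?")
            params.append(v)
        return "(" + " AND ".join(parts) + ")"

    if not flt["permit"]:
        return f"SELECT id FROM {table} WHERE 1=0", []  # nothing permitted at all
    where = " OR ".join(conj(c) for c in flt["permit"])
    for c in flt["deny"]:
        where = f"({where}) AND NOT {conj(c)}"
    return f"SELECT id FROM {table} WHERE {where}", params


def authorized_ids(subject, action, resource_type, store):
    """The list of ids the message asks for, computed by applying the filter in-process."""
    flt = build_filter(subject, action, resource_type)
    return sorted(r["id"] for r in store
                  if r["type"] == resource_type and matches_filter(flt, r))


if __name__ == "__main__":
    print(authorized_ids(ALICE, "edit", "document", STORE))
    print(filter_to_sql(build_filter(ALICE, "edit", "document"), "documents"))
```

The point of `build_filter` is that the result is exactly equivalent to calling `decide` on every row: for any resource, `matches_filter` is true if and only if `decide` returns Permit. That equivalence is what lets the PEP push the filter down to the store (here as a parameterised SQL `WHERE` clause) and is worth keeping as a regression test whenever the policy language grows new operators.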
