Subject: [xacml] Proposed standard for RBAC. Forwarded message from Anne Anderson.
Carlisle and Hal,

Edwin DeSouza pointed me to this proposed "voluntary consensus standard". I did a quick read, and believe their requirements can be met easily with profiles of XACML.

Could you try to set up a joint call with the NIST team that is working on this standard to see if we can work together? It does not seem beneficial to the industry to have competing standards for access control.

Anne

------- start of forwarded message -------
From: Anne Anderson <Anne.Anderson@sun.com>
To: David Ferraiolo <david.ferraiolo@nist.gov>, Rick Kuhn <kuhn@nist.gov>, Ramaswamy Chandramouli <mouli@nist.gov>, John Barkley <jbarkley@nist.gov>, rbac-info@nist.gov
Subject: [xacml] Proposed standard for RBAC
Date: Tue, 15 Apr 2003 10:40:13 -0400

http://csrc.nist.gov/rbac/ proposes a "voluntary consensus standard for role based access control", available at http://csrc.nist.gov/rbac/rbac-std-ncits.pdf

Have you considered building on the OASIS eXtensible Access Control Markup Language (XACML)? This was approved as an OASIS Standard in February of 2003, there are two Open Source implementations available, and it is receiving generally good acceptance by the industry. For more information, see http://www.oasis-open.org/committees/xacml

XACML supports the Core RBAC role and permission models quite well: multiple roles per user, multiple users per role, multiple permissions per role, multiple roles per permission, and simultaneous exercise of permissions of multiple roles. XACML does not specify the mechanisms for how role attributes are assigned to users, but supports all the above models. NIST might find it advantageous to develop Core RBAC as a profile of XACML, rather than trying to create yet another language.

XACML can also support Hierarchical RBAC ("junior" roles acquire the user membership of their "senior roles", and "senior" roles acquire the permissions of their "juniors") using XACML's mechanism for including one set of policies inside another by reference. NIST again might find it advantageous to profile XACML to support Hierarchical RBAC.

I will ask the XACML Co-Chairs, Carlisle Adams (Entrust) and Hal Lockhart (BEA), to see if we can set up a joint conference call to discuss ways of working together. Meanwhile, I expect several XACML members will be reviewing the proposed NIST standard closely to determine whether there are specific requirements that XACML is not currently able to handle.

Yours truly,
Anne Anderson
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
------- end of forwarded message -------

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
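
The hierarchical case described in the forwarded message, as an added example that is not part of the original e-mail and is not XACML or NIST code: a Python model in which a senior role's permission set includes a junior's by reference, and a subject holding several roles gets the union of their permissions. The set ids, role names and permissions are constructed assumptions, and evaluation denies on an unknown role or a dangling or circular reference.

```python
# Constructed sample data: role names, permission-set ids and permissions are
# illustrative assumptions, not taken from XACML or the NIST draft.
PERMISSION_SETS = {
    "PPS:employee": {"permits": {("purchase-order", "read")}, "refs": []},
    # The senior role includes the junior role's set by reference.
    "PPS:manager": {"permits": {("purchase-order", "sign")}, "refs": ["PPS:employee"]},
    "PPS:auditor": {"permits": {("audit-log", "read")}, "refs": []},
}
ROLE_TO_SET = {"employee": "PPS:employee", "manager": "PPS:manager", "auditor": "PPS:auditor"}


class PolicyError(Exception):
    """Raised for a dangling or circular reference, so evaluation fails closed."""


def effective_permissions(set_id, sets=PERMISSION_SETS, _path=()):
    """Collect the permissions of a set plus every set it includes by reference."""
    if set_id in _path:
        raise PolicyError("circular reference: " + " -> ".join(_path + (set_id,)))
    if set_id not in sets:
        raise PolicyError("dangling reference: " + set_id)
    entry = sets[set_id]
    perms = set(entry["permits"])
    for ref in entry["refs"]:
        perms |= effective_permissions(ref, sets, _path + (set_id,))
    return perms


def is_permitted(roles, resource, action, sets=PERMISSION_SETS):
    """Permit if any of the subject's roles grants the permission.

    Unknown roles and broken references contribute nothing (deny by default).
    """
    for role in roles:
        set_id = ROLE_TO_SET.get(role)
        if set_id is None:
            continue
        try:
            if (resource, action) in effective_permissions(set_id, sets):
                return True
        except PolicyError:
            continue
    return False
```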