
Subject: XACML Profile for Role Based Access Control (RBAC)


Colleagues,

I have re-formatted the RBAC profile as a Committee
Specification, and this new version is attached as a PDF file.  I
have cleaned up lots of formatting, spelling, grammar,
etc. errors that were in the working draft.

Three notes, the first of which concerns a change that perhaps
exceeds the bounds of editorial discretion:

1) Section 1.5 Multi-Role Permissions

   Previously, this non-normative section said:

     "The permissions associated with a given Multi-Role
     <PolicySet>, however, may be inherited only by other
     multi-role policies that require a superset of the roles
     required by the given multi-role policy.  This is because
     the <Target> of the Role <PermissionSet> associated with the
     multi-role policy will screen out any Subject that does not
     possess at least the set of roles required by the given
     multi-role policy."

   During my close edit reading, I realized that this statement
   is incorrect and also conflicts with the rest of the document;
   it assumed that the other role would include the multi-role
   Role <PolicySet>, which includes the role-restricting Target,
   rather than the multi-role Permission <PolicySet>, which
   contains an "any" Target.  Elsewhere, the text is very clear
   that to include the permissions of another role, you include
   that role's Permission <PolicySet>, not that role's Role
   <PolicySet>.

   I have reworded this to say:

     "The permissions associated with a given multi-role <PolicySet>
     may also be inherited by another role if the other role
     includes a reference to the Permission <PolicySet> associated
     with the multi-role policy in its own Permission <PolicySet>."

   If anyone objects to this change, please say so.

2) The line numbers in the examples use a different line number
   sequence from the line numbers in the rest of the text.  This
   seems to be a "feature" of StarOffice, so I hope you can live
   with it.  The line numbers in the examples end in a ".",
   whereas the line numbers in the text do not, so it is possible
   to specify the series of numbers to which you are referring.

3) The document's title page says its location is
   "http://docs/oasis-open.org/xacml/cs-xacml-rbac-profile-01.pdf".
   The document is not located there now (since this edit has not
   been approved yet), but will be uploaded into the location by
   the OASIS webmaster once I give her the version to use.  This
   makes use of a little-known OASIS manual mechanism for
   reserving a URL for use by a committee specification or
   standard rather than using the Kavi repository, which assigns
   the URL only as it is being uploaded.

I will await a decision from the chairs as to when this version
should be uploaded as the accepted Committee Specification.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
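
An added example, not part of the original message or of the RBAC profile: a simplified Python model of the point in note 1, showing that referencing a multi-role policy's Permission <PolicySet> (an "any" Target) lets another role inherit its permissions, whereas referencing its Role <PolicySet> screens out subjects that lack the required roles. The role names, policy ids and the reduced Permit/NotApplicable evaluation are assumptions made for illustration.

```python
# Simplified model of XACML RBAC profile policy sets (added example).
# Role names, policy ids and permissions below are constructed.
from dataclasses import dataclass, field

@dataclass
class PolicySet:
    required_roles: frozenset                    # empty set models an "any" Target
    permits: set = field(default_factory=set)    # (action, resource) pairs
    refs: list = field(default_factory=list)     # ids of referenced policy sets

def evaluate(store, policy_id, subject_roles, request):
    """Return "Permit" or "NotApplicable" for one request."""
    ps = store[policy_id]
    # The Target screens out subjects lacking any required role.
    if not ps.required_roles <= set(subject_roles):
        return "NotApplicable"
    if request in ps.permits:
        return "Permit"
    for ref in ps.refs:
        if evaluate(store, ref, subject_roles, request) == "Permit":
            return "Permit"
    return "NotApplicable"

def build_store(director_includes):
    """director_includes: id that the director Permission policy set references."""
    return {
        # Multi-role policy: its Role <PolicySet> requires both roles.
        "RPS:manager+auditor": PolicySet(frozenset({"manager", "auditor"}),
                                         refs=["PPS:manager+auditor"]),
        # Its Permission <PolicySet> has an "any" Target.
        "PPS:manager+auditor": PolicySet(frozenset(),
                                         permits={("approve", "audit-report")}),
        "RPS:director": PolicySet(frozenset({"director"}), refs=["PPS:director"]),
        "PPS:director": PolicySet(frozenset(), refs=[director_includes]),
    }

REQUEST = ("approve", "audit-report")

def director_decision(director_includes, subject_roles):
    """Evaluate REQUEST starting from the director Role policy set."""
    store = build_store(director_includes)
    return evaluate(store, "RPS:director", subject_roles, REQUEST)

if __name__ == "__main__":
    for include in ("PPS:manager+auditor", "RPS:manager+auditor"):
        for roles in ({"director"}, {"director", "manager", "auditor"}):
            print(include, sorted(roles), director_decision(include, roles))
```
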
