OASIS Mailing List Archives

 



xacml message



Subject: RE: [xacml] XACML Profile for Role Based Access Control (RBAC)


Sorry Anne, there is no longer such a thing as a Committee Specification at OASIS. What we approved is a Committee Draft.

I imagine we can wait until you return from vacation to get this fixed, but I ask others not to circulate this version until we get the header fixed.

Hal

> -----Original Message-----
> From: Anne Anderson [mailto:Anne.Anderson@Sun.COM]
> Sent: Friday, February 13, 2004 9:43 AM
> To: XACML TC
> Cc: Anne.Anderson@Sun.COM
> Subject: [xacml] XACML Profile for Role Based Access Control (RBAC)
> 
> 
> Colleagues,
> 
> I have re-formatted the RBAC profile as a Committee
> Specification, and this new version is attached as a PDF file.  I
> have cleaned up lots of formatting, spelling, grammar,
> etc. errors that were in the working draft.
> 
> Three notes, the first of which concerns a change that perhaps
> exceeds the bounds of editorial discretion:
> 
> 1) Section 1.5 Multi-Role Permissions
> 
>    Previously, this non-normative section said:
> 
>      "The permissions associated with a given Multi-Role
>      <PolicySet>, however, may be inherited only by other
>      multi-role policies that require a superset of the roles
>      required by the given multi-role policy.  This is because
>      the <Target> of the Role <PermissionSet> associated with the
>      multi-role policy will screen out any Subject that does not
>      possess at least the set of roles required by the given
>      multi-role policy."
> 
>    During my close edit reading, I realized that this statement
>    is incorrect and also conflicts with the rest of the document;
>    it assumed that the other role would include the multi-role
>    Role <PolicySet>, which includes the role-restricting Target,
>    rather than the multi-role Permission <PolicySet>, which
>    contains an "any" Target.  Elsewhere, the text is very clear
>    that to include the permissions of another role, you include
>    that role's Permission <PolicySet>, not that role's Role
>    <PolicySet>.
> 
>    I have reworded this to say:
> 
>      "The permissions associated with a given multi-role <PolicySet>
>      may also be inherited by another role if the other role
>      includes a reference to the Permission <PolicySet> associated
>      with the multi-role policy in its own Permission <PolicySet>."
> 
>    If anyone objects to this change, please say so.
> 
> 2) The line numbers in the examples use a different line number
>    sequence from the line numbers in the rest of the text.  This
>    seems to be a "feature" of StarOffice, so I hope you can live
>    with it.  The line numbers in the examples end in a ".",
>    whereas the line numbers in the text do not, so it is possible
>    to specify the series of numbers to which you are referring.
> 
> 3) The document's title page says its location is
>    "http://docs/oasis-open.org/xacml/cs-xacml-rbac-profile-01.pdf".
>    The document is not located there now (since this edit has not
>    been approved yet), but will be uploaded into the location by
>    the OASIS webmaster once I give her the version to use.  This
>    makes use of a little-known OASIS manual mechanism for
>    reserving a URL for use by a committee specification or
>    standard rather than using the Kavi repository, which assigns
>    the URL only as it is being uploaded.
> 
> I will await a decision from the chairs as to when this version
> should be uploaded as the accepted Committee Specification.
> 
> Anne
> -- 
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
> 
> 
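
The difference between the two wordings in note 1 of the quoted message, as an added example that is not part of the original message or of the RBAC profile: a simplified Python model (not XACML itself) in which a Role <PolicySet> carries a role-restricting Target and a Permission <PolicySet> carries an "any" Target. The policy ids, the roles (director, manager, auditor) and the permission are constructed for illustration.

```python
# Simplified model of the Role / Permission <PolicySet> split discussed above.
# All policy ids, roles and permissions are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicySet:
    target_roles: frozenset = frozenset()   # empty set models an "any" Target
    permits: frozenset = frozenset()        # (action, resource) pairs permitted here
    refs: tuple = ()                        # ids of referenced <PolicySet>s

def evaluate(store, ps_id, roles, request, seen=()):
    """Return 'Permit' or 'NotApplicable' (permit-overrides over references)."""
    if ps_id in seen:                       # guard against reference cycles
        return "NotApplicable"
    ps = store[ps_id]
    if not ps.target_roles <= roles:        # Target screens out the Subject
        return "NotApplicable"
    if request in ps.permits:
        return "Permit"
    for ref in ps.refs:
        if evaluate(store, ref, roles, request, seen + (ps_id,)) == "Permit":
            return "Permit"
    return "NotApplicable"

APPROVE = ("approve", "audit-report")

def build_store(director_pps_ref):
    """director_pps_ref: what the director's Permission <PolicySet> references."""
    return {
        "RPS:manager+auditor": PolicySet(frozenset({"manager", "auditor"}),
                                         refs=("PPS:manager+auditor",)),
        "PPS:manager+auditor": PolicySet(permits=frozenset({APPROVE})),
        "RPS:director": PolicySet(frozenset({"director"}), refs=("PPS:director",)),
        "PPS:director": PolicySet(refs=(director_pps_ref,)),
    }

def decide(director_pps_ref, roles):
    """Evaluate the request, entering through the director's Role <PolicySet>."""
    store = build_store(director_pps_ref)
    return evaluate(store, "RPS:director", frozenset(roles), APPROVE)

if __name__ == "__main__":
    for ref in ("PPS:manager+auditor", "RPS:manager+auditor"):
        for roles in ({"director"}, {"director", "manager", "auditor"}):
            print(ref, sorted(roles), decide(ref, roles))
```

Referencing the multi-role Permission <PolicySet> lets a subject holding only the director role inherit the permission, which is the reworded behaviour. Referencing the multi-role Role <PolicySet> instead applies its Target, so only a subject holding the superset of roles is permitted, which is what the earlier wording assumed.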

