RE: [xacml] XACML Profile for Role Based Access Control (RBAC)

[Anne Anderson <Anne.Anderson@Sun.COM>]

Attached is a version that uses "Committee Draft".  It specifies
the Location for the file as the same URL used previously, but
with the file name changed from cs-* to cd-*.  I will request
this URL from the OASIS webmaster.

Anne

On 13 February, Hal Lockhart writes: RE: [xacml] XACML Profile for Role Based Access Control (RBAC)
 > From: Hal Lockhart <hlockhar@bea.com>
 > To: Anne.Anderson@Sun.COM, XACML TC <xacml@lists.oasis-open.org>
 > Subject: RE: [xacml] XACML Profile for Role Based Access Control (RBAC)
 > Date: Fri, 13 Feb 2004 10:46:46 -0500
 > 
 > Sorry Anne, there is no longer such a thing as a Committee Specification at OASIS. What we approved is a Committee Draft.
 > 
 > I imagine we can wait until you return from vacation to get this fixed, but I ask others not to circulate this version until we get the header fixed.
 > 
 > Hal
 > 
 > > -----Original Message-----
 > > From: Anne Anderson [mailto:Anne.Anderson@Sun.COM]
 > > Sent: Friday, February 13, 2004 9:43 AM
 > > To: XACML TC
 > > Cc: Anne.Anderson@Sun.COM
 > > Subject: [xacml] XACML Profile for Role Based Access Control (RBAC)
 > > 
 > > 
 > > Colleagues,
 > > 
 > > I have re-formatted the RBAC profile as a Committee
 > > Specification, and this new version is attached as a PDF file.  I
 > > have cleaned up lots of formatting, spelling, grammar,
 > > etc. errors that were in the working draft.
 > > 
 > > Three notes, the first of which concerns a change that perhaps
 > > exceeds the bounds of editorial discretion:
 > > 
 > > 1) Section 1.5 Multi-Role Permissions
 > > 
 > >    Previously, this non-normative section said:
 > > 
 > >      "The permissions associated with a given Multi-Role
 > >      <PolicySet>, however, may be inherited only by other
 > >      multi-role policies that require a superset of the roles
 > >      required by the given multi-role policy.  This is because
 > >      the <Target> of the Role <PermissionSet> associated with the
 > >      multi-role policy will screen out any Subject that does not
 > >      possess at least the set of roles required by the given
 > >      multi-role policy."
 > > 
 > >    During my close edit reading, I realized that this statement
 > >    is incorrect and also conflicts with the rest of the document;
 > >    it assumed that the other role would include the multi-role
 > >    Role <PolicySet>, which include the role-restricting Target,
 > >    rather than the multi-role Permission <PolicySet>, which
 > >    contains an "any" Target.  Elsewhere, the text is very clear
 > >    that to include the permissions of another role, you include
 > >    that role's Permission <PolicySet>, not that role's Role
 > >    <PolicySet>.
 > > 
 > >    I have reworded this to say:
 > > 
 > >      "The permissions associated with a given multi-role <PolicySet>
 > >      may also be inherited by another role if the other role
 > >      includes a reference to the Permission <PolicySet> associated
 > >      with the multi-role policy in its own Permission <PolicySet>."
 > > 
 > >    If anyone objects to this change, please say so.
 > > 
 > > 2) The line numbers in the examples use a different line number
 > >    sequence from the line numbers in the rest of the text.  This
 > >    seems to be a "feature" of StarOffice, so I hope you can live
 > >    with it.  The line numbers in the examples end in a ".",
 > >    whereas the line numbers in the text do not, so it is possible
 > >    to specify the series of numbers to which you are referring.
 > > 
 > > 3) The document's title page says its location is
 > >    "http://docs/oasis-open.org/xacml/cs-xacml-rbac-profile-01.pdf";.
 > >    The document is not located there now (since this edit has not
 > >    been approved yet), but will be uploaded into the location by
 > >    the OASIS webmaster once I give her the version to use.  This
 > >    makes use of a little-known OASIS manual mechanism for
 > >    reserving a URL for use by a committee specification or
 > >    standard rather than using the Kavi repository, which assigns
 > >    the URL only as it is being uploaded.
 > > 
 > > I will wait a decision from the chairs as to when this version
 > > should be uploaded as the accepted Committee Specification.
 > > 
 > > Anne
 > > -- 
 > > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
 > > Sun Microsystems Laboratories
 > > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
 > > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
 > > 
 > > 
 > 
 > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

XACML Profile for Role Based Access Control (RBAC) - CD