xacml message
Subject: Use Cases for Delegation
- From: Ron Williams <ron.williams@us.ibm.com>
- To: xacml <xacml@lists.oasis-open.org>
- Date: Thu, 7 Jul 2005 10:37:53 -0600
Perhaps to get the ball rolling -

Most reporting for audit function is ultimately interested in subject<->target mapping, minus intervening role/group/hierarchical relationships. For example, when groups are permitted access to particular targets, the audit question may (have to) use the "group" memberships to determine the answer to "What subjects have access to target X," but the group itself is generally factored out of the response.

Typical use cases for role/permission review include the following:

1) Given a subject, to what targets is it authorized?
2) Given a target, what subjects are authorized to it?

The administrative review questions are:

3) When, and by whom, was subject X authorized to target Y? (Audit of administrative artifacts, i.e. subject attributes.)
4) When, and by whom, was aggregate (role, group, hierarchical placement) Z authorized to target Y?

In delegation scenarios, answers to 1 & 2 above would include identifying all authorized subject delegates, and may as well require identification of the delegator as well as the delegate (cases 3 & 4).

Ron Williams
Sr. Enterprise Architect
IBM Tivoli Security & Privacy
+1.512.838.0073
+1.512.633.7711
ron.williams@us.ibm.com
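
The four review questions in the message above, worked through as an added example (not part of the original message or of any XACML specification). The record layouts, all names and dates are constructed, and two modelling assumptions are made: a delegation only takes effect if the delegator itself holds access to the target, and the delegator is recorded as the authorizer of the delegate.

```python
from collections import namedtuple
from datetime import date

# Constructed sample data; every name below is hypothetical.
Grant = namedtuple("Grant", "grantee target granted_by when")   # admin artifact
Delegation = namedtuple("Delegation", "delegator delegate target when")
Access = namedtuple("Access", "subject target via authorized_by when")

GROUPS = {"auditors": {"alice", "bob"}}
GRANTS = [Grant("auditors", "ledger", "admin1", date(2005, 6, 1)),
          Grant("carol", "payroll", "admin2", date(2005, 6, 15))]
DELEGATIONS = [Delegation("alice", "dave", "ledger", date(2005, 7, 1)),
               Delegation("dave", "erin", "ledger", date(2005, 7, 2)),
               Delegation("frank", "gina", "payroll", date(2005, 7, 3))]

def effective_access(groups, grants, delegations):
    """Flatten grants and delegations into subject<->target rows with provenance."""
    rows = []
    for g in grants:
        if g.grantee in groups:      # expand the group, keep it only as provenance
            for member in sorted(groups[g.grantee]):
                rows.append(Access(member, g.target, "group:" + g.grantee,
                                   g.granted_by, g.when))
        else:
            rows.append(Access(g.grantee, g.target, "direct", g.granted_by, g.when))
    pending, progress = list(delegations), True
    while progress:                  # repeat to a fixed point so chains resolve
        progress = False
        held = {(r.subject, r.target) for r in rows}
        for d in list(pending):
            if (d.delegator, d.target) in held:   # assumption: delegator must hold access
                rows.append(Access(d.delegate, d.target,
                                   "delegate-of:" + d.delegator, d.delegator, d.when))
                pending.remove(d)
                progress = True
    return rows

def targets_for(rows, subject):      # use case 1
    return sorted({r.target for r in rows if r.subject == subject})

def subjects_for(rows, target):      # use case 2; groups are factored out
    return sorted({r.subject for r in rows if r.target == target})

def who_authorized(rows, subject, target):   # use case 3, plus delegator identity
    return [(r.via, r.authorized_by, r.when) for r in rows
            if (r.subject, r.target) == (subject, target)]

def aggregate_grants(groups, grants, target):   # use case 4
    return [(g.grantee, g.granted_by, g.when) for g in grants
            if g.grantee in groups and g.target == target]

ROWS = effective_access(GROUPS, GRANTS, DELEGATIONS)
```

In the sample data, `gina` never appears in the answer for `payroll` because `frank`, the delegator, holds no access to it.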