[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] BTG sequence diagram
Hi Bill, Yes, I am assuming GlassMgr maintains the privilege state for users. i.e. the Policy will say whether the User has the privilege, and therefore can be authorized to enable the privilege. So, GlassMgr on the "front end" is a service that enables people to activate privileges that they would only use under special conditions. When a User wants to activate a privilege, the User goes to the GlassMgr appl and "activates it". This is the "breaking the glass". The implementation could happen in a variety of ways. One way is that at authentication, the User is given a bunch of "roles" or "attributes", one of which is a "break the glass entitlement". So, when user goes to access GlassMgr, the User has an "attribute" that the PEP can send to the PDP indicating the user is entitled to activate this privilege. Then on 3rd scenario, when PDP asks CH for btgState, the PIP will get it from GlassMgr and find that it is now "true". So, yes, one can regard the btgState as a "Resource" that is managed by GlassMgr, that Users can access if they have "btg entitlement", which, for example, they could get from an STS. But all these details are just concrete examples of how the abstract btgState attribute could be managed. Thanks, Rich On 4/22/2011 7:32 PM, Bill Parducci wrote: > So Rich, in this scenario you are treating the BTG priv attribute as a Resource? If not, what does "permit" refer to? > > thanks > > b > > On Apr 22, 2011, at 4:25 PM, rich levinson wrote: > >> • The PEP in front of GlassMgr asks the PDP if this User is authorized to activate >> his BTG priv. >> • The PDP says yes, the User, according to Policy is authorized to perform this >> action (activate the User's BTG priv), and returns Permit.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]