Subject: AW: [xacml] support of <PolicySet> elements under PPS elements?
Hi Erik,

the NIST model doesn’t specify how to define the privileges associated with roles. Hence independent of the requirements that might drive someone to build a policy tree based on nested PS, I don’t see a reason why PS elements under PPS should be forbidden.

Nevertheless a scenario for PS under PPS elements could be: When using XACML to define the privileges it might be very convenient to provide a certain PolicySet structure below the PPS. One could e.g. define <PolicySet> elements under a PPS that test for specific resource types (e.g. services). Below these service specific <PolicySet> elements you could then structure your policy by the action type (e.g. different <PolicySet> elements for each specific service type). Having such a predefined structure and allowing the junior-policy administrators only to define <policy> and <rule> elements below these predefined <PolicySet> elements will ensure that they do not define rights out of their scope.

Best Regards
Jan

--
Jan Herrmann
Dipl.-Inform., Dipl.-Geogr.
Scientific Assistant
Chair for Applied Informatics / Cooperative Systems
Technische Universität München
Boltzmannstr. 3
85748 Garching
Germany
T: +49 89 289 18692
F: +49 89 289 18657
W: www11.in.tum.de

From: Erik Rissanen [mailto:erik@axiomatics.com]

Hi Jan,

Hi there,

the XACML v3.0 RBAC profile states: “...Permission
<PolicySet> or PPS: a <PolicySet> that contains the actual permissions associated with a given role. It contains <Policy> elements and <Rules> that describe the resources and actions that subjects are permitted to access, along with any further conditions on that access, such as time of day. ...”

From my point of view this PPS definition is unnecessarily limiting the structure below PPS. I would propose to support <PolicySet> elements under PPS elements, unless there are good reasons why this should be prohibited.

Best regards
Jan

--
Jan Herrmann
Dipl.-Inform., Dipl.-Geogr.
Scientific Assistant
Chair for Applied Informatics / Cooperative Systems
Technische Universität München
Boltzmannstr. 3
85748 Garching
Germany
T: +49 89 289 18692
F: +49 89 289 18657
W: www11.in.tum.de
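
Added example, not part of either message or of the RBAC profile: one way a policy repository could enforce the scenario in the reply above, by checking that a submitted PPS keeps the predefined service/action <PolicySet> skeleton and that only <Policy> elements were added at the leaf level. The ids, the shortened plain-text Targets and the rule that juniors may add only <Policy> are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 core namespace
JUNIOR_MAY_ADD = {NS + "Policy"}  # assumption: juniors add <Policy> (with its <Rule>s) only

def fingerprint(ps):
    """Identity of one <PolicySet>: id, combining algorithm, canonical Target."""
    target = ps.find(NS + "Target")
    canon = "" if target is None else ET.canonicalize(
        ET.tostring(target, encoding="unicode"), strip_text=True)
    return ps.get("PolicySetId"), ps.get("PolicyCombiningAlgId"), canon

def violations(base, submitted, path=""):
    """Compare a submitted PPS against the predefined skeleton, recursively."""
    here = f"{path}/{base.get('PolicySetId')}"
    if fingerprint(base) != fingerprint(submitted):
        return [f"{here}: id, combining algorithm or Target changed"]
    found = []
    base_sets = base.findall(NS + "PolicySet")
    sub_sets = submitted.findall(NS + "PolicySet")
    if len(base_sets) != len(sub_sets):
        found.append(f"{here}: nested <PolicySet> added or removed")
    for b, s in zip(base_sets, sub_sets):
        found += violations(b, s, here)
    for child in submitted:
        fixed = child.tag in (NS + "Description", NS + "Target", NS + "PolicySet")
        if not fixed and child.tag not in JUNIOR_MAY_ADD:
            found.append(f"{here}: <{child.tag.replace(NS, '')}> not allowed here")
        elif child.tag in JUNIOR_MAY_ADD and base_sets:
            found.append(f"{here}: <Policy> above the leaf level")
    return found

# Constructed sample: hypothetical ids, Targets shortened to text (not schema-valid).
X = 'xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"'
ALG = ('PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:'
       'policy-combining-algorithm:deny-unless-permit"')

def pps(service_target, leaf_body=""):
    return ET.fromstring(
        f'<PolicySet {X} PolicySetId="PPS:employee" {ALG}><Target/>'
        f'<PolicySet PolicySetId="svc:wms" {ALG}><Target>{service_target}</Target>'
        f'<PolicySet PolicySetId="act:read" {ALG}><Target>action=read</Target>'
        f'{leaf_body}</PolicySet></PolicySet></PolicySet>')

BASE = pps("service=wms")                                # predefined skeleton
OK = pps("service=wms", '<Policy PolicyId="p1"/>')       # in-scope addition
WIDENED = pps("service=*", '<Policy PolicyId="p1"/>')    # Target was edited
REF = pps("service=wms", "<PolicySetIdReference>PPS:manager</PolicySetIdReference>")
```

Comparing Targets in canonical form means whitespace or prefix changes do not trip the check, while any change to what a predefined <PolicySet> matches does.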