Subject: Re: [xacml] Attribute predicate profile for SAML and XACML
Hi Ray,

As discussed during the last call, I think the answer to your question is yes, if I understand authorization-based access control (ZBAC) correctly as follows. A user from domain A wants to access a resource hosted in domain B. In classical attribute-based access control (ABAC), domain B fetches the user's attributes from domain A and checks whether the policy associated with the resource is satisfied. In ZBAC, it is domain A that checks whether the user's attributes satisfy the policy. Our attribute predicate profile could indeed be used by domain B to send the policy (predicate) to domain A, who evaluates the predicate and certifies to B whether it holds or not.

There are two points in the approach that I don't quite understand though, which may mean that my above understanding is incorrect:
Greg

On 4/29/2011 10:24, remon.sinnema@emc.com wrote:

> Gregory & Franz-Stefan,
>
> Could this profile also be used to implement ZBAC [1]?
>
> [1] http://www.hpl.hp.com/techreports/2009/HPL-2009-30.pdf
>
> Thanks,
> Ray
>
> -----Original Message-----
> From: Gregory Neven [mailto:nev@zurich.ibm.com]
> Sent: Wednesday, March 23, 2011 10:25 AM
> To: xacml@lists.oasis-open.org
> Subject: [xacml] Attribute predicate profile for SAML and XACML
>
> Dear all,
>
> Please find attached a first draft of the attribute predicate profile that we've been discussing during the telephone conferences.
>
> Looking forward to your feedback!
>
> Best regards,
> Gregory and Franz-Stefan
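The flow described in the reply above (domain B sends a predicate, domain A evaluates it and certifies only the outcome), sketched as an added example that is not part of the thread or of the draft profile. The predicate encoding, function names, attribute store and nonce are hypothetical, and an HMAC under a constructed key stands in for whatever signature domain A would place on its assertion.

```python
import hashlib
import hmac
import json
import operator

# Constructed demo key; stand-in for domain A's assertion signature.
DOMAIN_A_KEY = b"constructed-demo-key"
OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}

# Constructed attribute store held by domain A; never sent to domain B.
USER_ATTRIBUTES = {"alice": {"age": 34, "role": "engineer"}}


def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DOMAIN_A_KEY, msg, hashlib.sha256).hexdigest()


def domain_a_certify(user, predicate, nonce):
    """Domain A: evaluate B's predicate locally, certify only the outcome."""
    attrs = USER_ATTRIBUTES.get(user, {})
    holds = all(
        name in attrs and OPS[op](attrs[name], value)
        for name, op, value in predicate
    )
    body = {"user": user, "predicate": predicate, "nonce": nonce, "holds": holds}
    return {"body": body, "mac": _mac(body)}


def domain_b_decide(statement, user, predicate, nonce):
    """Domain B: permit only if A certified this exact predicate and request."""
    body = statement["body"]
    if not hmac.compare_digest(statement["mac"], _mac(body)):
        return "Deny"  # altered in transit or not issued by domain A
    if (body["user"], body["predicate"], body["nonce"]) != (user, predicate, nonce):
        return "Deny"  # certified for another user, policy or request (replay)
    return "Permit" if body["holds"] is True else "Deny"
```

Binding the predicate and a per-request nonce into the certified body is what lets domain B reject a statement issued for a weaker policy or an earlier request, while the attribute values themselves stay in domain A.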