
dipal-discuss message


Subject: RE: [dipal-discuss] Re: Request for example Assertions

XACML 2.0 can easily express all of this.




From: Paul OConnor [mailto:poconnor@e-brilliance.com]
Sent: Wednesday, January 18, 2006 11:38 PM
To: dipal-discuss@lists.oasis-open.org
Subject: [dipal-discuss] Re: Request for example Assertions


I wonder how access control assertions and policy can be expressed and so I would propose the following very common use case in financial services applications:


An equities trading service enforces access control policy which leverages subject attributes from the firm's identity store:


User role (trader, manager, etc.)

Trade limit (max trade without additional approval)

Trading hours (can trade after hours?)

Trade location (can trade from home or office only)


Along with context variables:


Amount of trade

Type of trade

Equity being traded

Additional approval flag


These attributes must be asserted by the client making the request, e.g., a trade portal. The policy enforcement infrastructure would then calculate a policy decision before the service was ever invoked.
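
The use case above, sketched as a deny-by-default decision function. This is an added example, not part of the original messages and not XACML syntax. The market hours, the role-to-trade-type table, and the `at` and `origin` request attributes are assumptions introduced here so the trading-hours and trade-location attributes can be evaluated; the equity is carried but no rule uses it.

```python
from dataclasses import dataclass
from datetime import time

# Assumed values for illustration; none of these come from the message.
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)
ROLE_TRADE_TYPES = {"trader": {"buy", "sell"},
                    "manager": {"buy", "sell", "short"}}

@dataclass(frozen=True)
class Subject:             # subject attributes from the firm's identity store
    role: str
    trade_limit: int       # max trade without additional approval
    after_hours: bool      # may trade outside market hours
    locations: frozenset   # e.g. {"office"} or {"office", "home"}

@dataclass(frozen=True)
class TradeRequest:        # context asserted by the client, e.g. a trade portal
    amount: int
    trade_type: str
    equity: str
    approved: bool         # additional approval flag
    at: time               # assumed environment attribute: time of request
    origin: str            # assumed environment attribute: "home" or "office"

def decide(s: Subject, r: TradeRequest) -> tuple:
    """Return (decision, reason). Any failed check denies the request."""
    if r.trade_type not in ROLE_TRADE_TYPES.get(s.role, set()):
        return "Deny", "role not permitted for trade type"
    if r.amount <= 0:
        return "Deny", "invalid amount"
    if r.origin not in s.locations:
        return "Deny", "location not permitted"
    if not (MARKET_OPEN <= r.at < MARKET_CLOSE) and not s.after_hours:
        return "Deny", "after-hours trading not permitted"
    if r.amount > s.trade_limit and not r.approved:
        return "Deny", "amount exceeds limit without approval"
    return "Permit", "all checks passed"

if __name__ == "__main__":
    # Constructed sample subject and requests.
    alice = Subject("trader", 10_000, False, frozenset({"office"}))
    for req in (
        TradeRequest(5_000, "buy", "XYZ", False, time(10, 0), "office"),
        TradeRequest(50_000, "buy", "XYZ", False, time(10, 0), "office"),
        TradeRequest(50_000, "buy", "XYZ", True, time(10, 0), "office"),
        TradeRequest(5_000, "sell", "XYZ", False, time(18, 0), "home"),
    ):
        print(req.amount, req.origin, req.at, "->", decide(alice, req))
```

The decision is only as trustworthy as the attributes fed to it, so the enforcement point should accept them only from an authenticated client and over an integrity-protected channel.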


