
saml-dev message


Subject: RE: [saml-dev] Decision="Deny" with <Action>Read</Action> VERSUS Decision="Permit" with <Action>~Read</Action>


Definitely prefer Approach 1

It is clear you do not have read authorization.


For Approach 2, I have to ask what “authorization of what could be interpreted as a ‘non-read’ operation” means. What I am saying is that form would confuse most of the implementers around me.


Michael A. Barnhart

Technical Data Integrity - System Architect




From: Costello, Roger L. [mailto:costello@mitre.org]
Sent: Thursday, March 30, 2006 9:11 AM
To: saml-dev@lists.oasis-open.org; Costello, Roger L.
Subject: [saml-dev] Decision="Deny" with <Action>Read</Action> VERSUS Decision="Permit" with <Action>~Read</Action>


Hi Folks,


As I understand it, the AuthzDecisionStatement is used to indicate a decision (by an Identity Provider, IdP) regarding whether a subject should be allowed to access a resource.


Suppose that the resource is “employee salaries”.  Here’s the resource URL:




Suppose the decision is to deny read-access.  There seem to be two approaches to express this:



Approach 1


<AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries" Decision="Deny">
      <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">Read</Action>
</AuthzDecisionStatement>




Approach 2


<AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries" Decision="Permit">
      <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">~Read</Action>
</AuthzDecisionStatement>




In Approach 1 the decision is to Deny Read access to the employees' salaries.


In Approach 2 the decision is to Permit not Reading the employees' salaries.




  1. Are both approaches stating the same thing?
  2. Which approach is preferred?


Thanks!  /Roger
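As an added example that is not part of the thread (it is neither Roger's nor Michael's code, nor anything from the SAML specification), the following Python evaluator parses the two statements above and shows what a fail-closed relying party would conclude when asked whether the subject may Read the salaries resource. The default xmlns on the root element, the helper names (parse_statement, is_authorized, is_explicitly_denied, summarize) and the fail-closed policy are assumptions of this example; the resource URL, action namespace and action values are the ones from the thread.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"       # assumed SAML 1.x assertion namespace
RWEDC = "urn:oasis:names:tc:SAML:1.0:action:rwedc"        # plain rwedc action namespace
RWEDC_NEG = "urn:oasis:names:tc:SAML:1.0:action:rwedc-negation"
SALARIES = "http://www.CarRentalInc.com/employees/salaries"

# Constructed samples mirroring the two approaches in the thread; the xmlns is
# added here only so that the fragments parse stand-alone.
APPROACH_1 = f"""<AuthzDecisionStatement xmlns="{SAML_NS}"
    Resource="{SALARIES}" Decision="Deny">
  <Action Namespace="{RWEDC_NEG}">Read</Action>
</AuthzDecisionStatement>"""

APPROACH_2 = f"""<AuthzDecisionStatement xmlns="{SAML_NS}"
    Resource="{SALARIES}" Decision="Permit">
  <Action Namespace="{RWEDC_NEG}">~Read</Action>
</AuthzDecisionStatement>"""


def parse_statement(xml_text):
    """Extract Resource, Decision and the (Namespace, name) pairs of each Action."""
    root = ET.fromstring(xml_text)
    actions = []
    for act in root.findall(f"{{{SAML_NS}}}Action"):
        actions.append((act.get("Namespace"), (act.text or "").strip()))
    return {
        "resource": root.get("Resource"),
        "decision": root.get("Decision"),
        "actions": actions,
    }


def _lists_action(statement, action):
    """True if `action` appears verbatim under one of the rwedc namespaces."""
    return any(ns in (RWEDC, RWEDC_NEG) and name == action
               for ns, name in statement["actions"])


def is_authorized(statement, resource, action):
    """Fail-closed check: only an explicit Permit naming exactly `action` on
    exactly `resource` authorizes it. A Deny, an Indeterminate, a different
    resource, or a Permit that names only the negated form (~Read) all leave
    `action` unauthorized."""
    if statement["resource"] != resource or statement["decision"] != "Permit":
        return False
    return _lists_action(statement, action)


def is_explicitly_denied(statement, resource, action):
    """True only for Decision="Deny" that names `action` itself. A Permit on
    ~Read says nothing about Read and is not turned into a Deny on Read."""
    return (statement["resource"] == resource
            and statement["decision"] == "Deny"
            and _lists_action(statement, action))


def summarize(xml_text, resource, action):
    """What a relying party concludes from one statement for one request."""
    s = parse_statement(xml_text)
    return {
        "decision": s["decision"],
        "actions": [name for _, name in s["actions"]],
        "authorized": is_authorized(s, resource, action),
        "explicitly_denied": is_explicitly_denied(s, resource, action),
    }


if __name__ == "__main__":
    for label, doc in (("Approach 1", APPROACH_1), ("Approach 2", APPROACH_2)):
        print(label, summarize(doc, SALARIES, "Read"))
```

Under both statements a request to Read ends up unauthorized, but for different reasons: Approach 1 records an explicit denial of Read, whereas Approach 2 only permits a different action (~Read) and says nothing about Read at all, so Read is unauthorized merely because nothing permitted it. A relying party that logs or audits decisions can point at the Deny in Approach 1; with Approach 2 it has only an absence to point at, which is the ambiguity the reply above objects to.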

