Subject: Re: Requirement for Isolated Request for Authorization Attributes
>>>>> "OD" == Orchard, David <dorchard@jamcracker.com> writes:

OD> Pardon my gross ignorance, but is requesting authorization
OD> attributes roughly equivalent to requesting policies? So
OD> would it be that SAML defines a carrier for whatever XACL
OD> defines for ACLs?

David,

The way we've defined "authorization attributes" is that they are attributes of the subject which are used to make authorization decisions -- such as group membership, role, organization, identity, etc. This could easily be stretched to include practically any profile information, e.g., to get to the Left Handers' Club Web site, I need to have an attribute saying that I'm left-handed.

(I think the reason these are called authz attributes rather than authz assertions is that they may not be a separate assertion at all. Rather, they may be bound into an authn assertion -- part of an authenticating party's output would be putting together these authz attributes, and binding them to the authenticated party.)

What you're talking about, we've called "policy assertions" -- e.g., asserting the rule that, if the subject has the left-handedness authorization attribute, they may enter the Left Handers' Club Web site.

One last type of authz assertion is "authorization decisions" -- the statement that, "I, Policy Decision Point, checked the rules and hereby grant 'Evan Prodromou' entry to the 'Left Handers' Club Web site'." It doesn't state the criteria for making the decision, it just says that the decision was made. So when the PEP for the LHC Web site questions me, I can wave the authz decision in its face and go on my way.

Does that all make sense?

~ESP
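The three assertion kinds and the PDP/PEP exchange described in this message, as an added illustration that is not part of the original post or of any SAML implementation. The class and function names, the `idp.example` and `pdp.example` issuer names and the `lhc-web` resource are assumptions; the PEP's checks show why a presented decision must be bound to both the subject and the resource before it is honoured.

```python
from dataclasses import dataclass
# Constructed illustration of the three assertion kinds in the post; class and
# function names are my own, not SAML schema names.

@dataclass
class AuthnAssertion:   # authenticating party's output: subject + bound authz attributes
    issuer: str
    subject: str
    attributes: dict

@dataclass
class PolicyRule:       # policy assertion: attributes a resource requires
    resource: str
    required: dict

@dataclass
class AuthzDecision:    # authz decision: says a decision was made, not why
    issuer: str
    subject: str
    resource: str
    permit: bool

class PDP:
    def __init__(self, name, rules):
        self.name, self.rules = name, {r.resource: r for r in rules}
    def decide(self, authn, resource):
        rule = self.rules.get(resource)   # no rule for the resource means deny
        permit = rule is not None and all(
            authn.attributes.get(k) == v for k, v in rule.required.items())
        return AuthzDecision(self.name, authn.subject, resource, permit)

class PEP:
    def __init__(self, resource, trusted_pdps):
        self.resource, self.trusted_pdps = resource, set(trusted_pdps)
    def admit(self, decision, subject):
        # Honour a presented decision only if a trusted PDP issued it and it is bound
        # to this subject and this resource; otherwise one decision could be replayed.
        return (decision.issuer in self.trusted_pdps and decision.subject == subject
                and decision.resource == self.resource and decision.permit)

def demo():
    pdp = PDP("pdp.example", [PolicyRule("lhc-web", {"handedness": "left"})])
    pep = PEP("lhc-web", ["pdp.example"])
    evan = AuthnAssertion("idp.example", "Evan", {"handedness": "left", "role": "member"})
    dave = AuthnAssertion("idp.example", "David", {"handedness": "right"})
    d_evan, d_dave = pdp.decide(evan, "lhc-web"), pdp.decide(dave, "lhc-web")
    return (pep.admit(d_evan, "Evan"),    # attributes satisfy the policy: admitted
            pep.admit(d_dave, "David"),   # policy not satisfied: denied
            pep.admit(d_evan, "David"))   # Evan's decision presented by David: rejected
```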