Subject: RE: Requirement for Isolated Request for Authorization Attributes
Evan, I can roughly see where you're going. But from a guy trying desperately to clearly define terms and relationships, I'm still really confused. The detailed questions:

I don't see the term "policy assertions" in the glossary. Is this security policies?

I don't see the term "authorization assertion" used in your explanation, as in the glossary definition 'the user "noodles" is granted "execute" privileges on the resource "/usr/bin/guitar."' Is this what you meant by "authorization decision"? How do these relate to the term "authorization policy decision"? Is this an authorization decision?

Does the authentication assertion have 2 states: without authorization attributes and with authorization attributes? Or are these different constructs?

Dave

> -----Original Message-----
> From: Evan Prodromou [mailto:evan@outlook.net]
> Sent: Monday, March 12, 2001 7:00 PM
> To: Orchard, David
> Cc: Hal Lockhart; 'security-use@lists.oasis-open.org';
> 'security-core@lists.oasis-open.org'
> Subject: Re: Requirement for Isolated Request for Authorization
> Attributes
>
> >>>>> "OD" == Orchard, David <dorchard@jamcracker.com> writes:
>
> OD> Pardon my gross ignorance, but is requesting authorization
> OD> attributes roughly equivalent to requesting policies? So
> OD> would it be that SAML defines a carrier for whatever XACL
> OD> defines for ACLs?
>
> David,
>
> The way we've defined "authorization attributes" is that they are
> attributes of the subject which are used to make authorization
> decisions -- such as group membership, role, organization, identity,
> etc. This could easily be stretched to include practically any profile
> information, e.g., to get to the Left Handers' Club Web site, I need
> to have an attribute saying that I'm left-handed.
>
> (I think the reason these are called authz attributes rather than
> authz assertions is that they may not be a separate assertion at
> all. Rather, they may be bound into an authn assertion -- part of an
> authenticating party's output would be putting together these authz
> attributes, and binding them to the authenticated party.)
>
> What you're talking about, we've called "policy assertions" -- e.g.,
> asserting the rule that, if the subject has the left-handedness
> authorization attribute, they may enter the Left Handers' Club Web
> site.
>
> One last type of authz assertion is "authorization decisions" -- the
> statement that, "I, Policy Decision Point, checked the rules and
> hereby grant 'Evan Prodromou' entry to the 'Left Handers' Club Web
> site'." It doesn't state the criteria for making the decision, it just
> says that the decision was made. So when the PEP for the LHC Web site
> questions me, I can wave the authz decision in its face and go on my
> way.
>
> Does that all make sense?
>
> ~ESP
>
> ------------------------------------------------------------------
> To unsubscribe from this elist send a message with the single word
> "unsubscribe" in the body to: security-use-request@lists.oasis-open.org
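Added illustration (not part of the thread and not SAML syntax): a small Python model of the three constructs Evan distinguishes, an authn assertion with authorization attributes bound to the subject, a policy rule, and an authorization decision issued by a PDP and checked by a PEP that never sees the rule. The names (AuthnAssertion, PolicyRule, AuthzDecision, pdp_decide, pep_enforce), the HMAC "signature" and the shared key are assumptions made for the example; a real deployment would sign decisions with the PDP's private key so the PEP cannot mint its own. The practitioner's point it adds to the explanation above: a decision the subject "waves in the PEP's face" is only worth anything if the PEP verifies that it was issued by a trusted PDP, is bound to this subject and this resource, and has not been altered.

```python
"""Toy model of authz attributes, policy assertions and authz decisions.

Added example; the construct names and the HMAC-based signature are
assumptions, not the SAML design being discussed in the thread.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed key shared by the PDP and the PEP (illustrative only).
PDP_KEY = b"example-pdp-key"
PDP_NAME = "pdp.example"
RESOURCE = "Left Handers' Club Web site"


@dataclass
class AuthnAssertion:
    """Authenticating party's output: the subject plus bound authz attributes."""
    subject: str
    attributes: dict  # e.g. {"handedness": "left", "role": "member"}


@dataclass
class PolicyRule:
    """Policy assertion: attribute values a subject must hold for a resource."""
    resource: str
    required: dict


@dataclass
class AuthzDecision:
    """The PDP's statement: who may do what, signed, without the criteria."""
    issuer: str
    subject: str
    resource: str
    decision: str  # "permit" or "deny"
    signature: str = ""

    def payload(self) -> bytes:
        # Canonical bytes the signature covers; the rule is deliberately absent.
        return json.dumps(
            {"issuer": self.issuer, "subject": self.subject,
             "resource": self.resource, "decision": self.decision},
            sort_keys=True,
        ).encode()


def pdp_decide(assertion: AuthnAssertion, rule: PolicyRule,
               key: bytes = PDP_KEY) -> AuthzDecision:
    """PDP: evaluate the rule against the bound attributes, sign the verdict."""
    if rule.required:
        ok = all(assertion.attributes.get(k) == v for k, v in rule.required.items())
    else:
        ok = False  # an empty rule grants nothing (fail closed)
    decision = AuthzDecision(PDP_NAME, assertion.subject, rule.resource,
                             "permit" if ok else "deny")
    decision.signature = hmac.new(key, decision.payload(), hashlib.sha256).hexdigest()
    return decision


def pep_enforce(decision: AuthzDecision, subject: str, resource: str,
                key: bytes = PDP_KEY) -> bool:
    """PEP: accept only a genuine, untampered permit for this subject and resource."""
    expected = hmac.new(key, decision.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, decision.signature):
        return False  # forged or altered decision
    if decision.issuer != PDP_NAME:
        return False  # not from a PDP we trust
    # Binding checks: a permit for someone else, or for another resource,
    # must not be replayable here.
    return (decision.subject == subject
            and decision.resource == resource
            and decision.decision == "permit")


if __name__ == "__main__":
    # Constructed sample data, following the thread's left-handers example.
    evan = AuthnAssertion("Evan Prodromou", {"handedness": "left"})
    rule = PolicyRule(RESOURCE, {"handedness": "left"})
    d = pdp_decide(evan, rule)
    print(d.decision, pep_enforce(d, "Evan Prodromou", RESOURCE))
```

pep_enforce rejects three things the decision-carrying subject might try: presenting a decision issued for someone else, presenting a permit for a different resource, and editing "deny" to "permit" in transit. Because the decision carries only the verdict, the PEP learns nothing about which attributes or rule produced it, which is the separation Evan describes.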