OASIS Mailing List Archives
xacml-comment message



Subject: Re: [xacml-comment] Public Comment


On 20 May, comment-form@oasis-open.org writes: [xacml-comment] Public Comment
 > Comment is about RBAC profile specification changes:
 >
 > > RECOMMENDs use of the following URI as the "role" Attribute
 > > AttributeId: "urn:oasis:names:xacml:2.0:subject:role"
 >
 > The problem here is that the "role" entity is specific to an application. Subject attributes may be composed from multiple applications.
 >
 > For example, a user may be in role "administrator" for application 1 and "user" for application 2 and application 3.
 >
 > In this case the subject must have something like:
 >
 > app1:subject:role = "administrator"
 > app2:subject:role = "user"
 > app3:subject:role = "user"
 >
 > So it seems to me that the initial specification version, where the role attribute name was up to the application, is better. There is no sense in recommending any specific value, because it will cause ambiguities for, say, applications 2 and 3.

For your example, the distinction would be made in the values of
the "urn:oasis:names:xacml:2.0:subject:role" Attribute,
i.e. the user would have the following Attribute assignments:

  AttributeId="urn:oasis:names:xacml:2.0:subject:role"
  AttributeValue="urn:app1:subject:role-values:administrator"

  AttributeId="urn:oasis:names:xacml:2.0:subject:role"
  AttributeValue="urn:app2:subject:role-values:user"

  AttributeId="urn:oasis:names:xacml:2.0:subject:role"
  AttributeValue="urn:app3:subject:role-values:user"

The profile does not disallow use of different AttributeId
values, it merely recommends use of the common one.  If you
really want to have different AttributeIds, you may do so while
still being compliant with the RBAC Profile.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
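The following is an added illustration, not part of the thread above and not code from OASIS or Sun. It models how an XACML 2.0 PDP would see the three assignments in Anne's reply: one subject carrying the single recommended AttributeId, with the application scoped into the AttributeValue URI. The AttributeId and the three value URIs are the ones quoted in the thread; the Request XML, the `role_bag`/`subject_match`/`evaluate_rule` helpers and the `urn:<app>:subject:role-values:<role>` value layout are assumptions made here for the example (the profile does not mandate that layout).

```python
"""Added example: application-scoped role values under one XACML AttributeId."""
import xml.etree.ElementTree as ET

# XACML 2.0 request-context namespace and the XML Schema string datatype.
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
# The AttributeId recommended by the RBAC Profile, exactly as quoted in the thread.
ROLE_ATTR_ID = "urn:oasis:names:xacml:2.0:subject:role"


def _attr(value):
    # One <Attribute> element carrying a single role value.
    return (f'    <Attribute AttributeId="{ROLE_ATTR_ID}" DataType="{XS_STRING}">\n'
            f'      <AttributeValue>{value}</AttributeValue>\n'
            f'    </Attribute>\n')


# Constructed request (assumption): one subject with the three assignments from
# Anne's reply. Resource and Action are left empty because only the subject matters here.
REQUEST_XML = (
    f'<Request xmlns="{CTX_NS}">\n'
    '  <Subject>\n'
    + _attr("urn:app1:subject:role-values:administrator")
    + _attr("urn:app2:subject:role-values:user")
    + _attr("urn:app3:subject:role-values:user")
    + '  </Subject>\n'
    '  <Resource/>\n'
    '  <Action/>\n'
    '</Request>\n'
)


def role_bag(request_xml, attribute_id=ROLE_ATTR_ID):
    """Bag of values a SubjectAttributeDesignator for attribute_id would yield
    (empty list when the subject carries no attribute with that id)."""
    root = ET.fromstring(request_xml)
    ns = {"c": CTX_NS}
    bag = []
    for attr in root.findall("c:Subject/c:Attribute", ns):
        if attr.get("AttributeId") == attribute_id:
            bag.extend(v.text or "" for v in attr.findall("c:AttributeValue", ns))
    return bag


def subject_match(request_xml, required_role):
    """Model of a <SubjectMatch> with string-equal: true if ANY value in the
    designated bag equals required_role (XACML target-match semantics)."""
    return any(v == required_role for v in role_bag(request_xml))


def evaluate_rule(request_xml, required_role, effect="Permit"):
    """A one-rule policy whose Target requires required_role: returns the rule's
    Effect when the target matches, otherwise NotApplicable."""
    return effect if subject_match(request_xml, required_role) else "NotApplicable"


def applications_holding_role(request_xml, bare_role):
    """Shows where the commenter's ambiguity would arise: which applications
    grant the bare role name? Parses the assumed 'urn:<app>:subject:role-values:<role>'
    layout; a policy matching only the bare name could not tell app2 from app3."""
    apps = []
    for value in role_bag(request_xml):
        parts = value.split(":")
        if (len(parts) == 5 and parts[0] == "urn"
                and parts[2:4] == ["subject", "role-values"] and parts[4] == bare_role):
            apps.append(parts[1])
    return apps


if __name__ == "__main__":
    for role in ("urn:app1:subject:role-values:administrator",
                 "urn:app2:subject:role-values:administrator",
                 "urn:app2:subject:role-values:user"):
        print(f"{role}: {evaluate_rule(REQUEST_XML, role)}")
    print("applications granting bare 'user':", applications_holding_role(REQUEST_XML, "user"))
```

Because each value carries its application prefix, an app2 policy that requires `urn:app2:subject:role-values:user` permits this subject while a policy requiring `urn:app2:subject:role-values:administrator` is NotApplicable, even though the same AttributeId is shared by all three applications; the bare name "user" is the only thing that would be ambiguous between app2 and app3.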


