

Subject: Re: [xacml-comment] Public Comment


It is out of scope for XACML core.  It might be acceptable as a Profile,
however.  I suggest you put together a proposal, send to the XACML TC,
and volunteer to join the TC to work on it if the TC is interested in
pursuing your proposal.

Unless you are willing to develop the profile and do most of the work
yourselves, with review and comment from the rest of the TC, I do not
think the TC will be interested.

Anne

nurmamat wrote:

> Hello Mr Anderson:
> you wrote:
> 
>>I'm not sure I understand.  Are you suggesting having Subject, Resource,
>>Action, Environment, and Role as the "classes" of Attributes?  I don't
>>think that is a solution, and it is not supported by XACML 1.0, 1.1, or 2.0.
> 
> Yes, we thought it is not possible to
> have Subject, Resource, Action, Environment, and Role as the "classes" of Attributes.
> We just want to confirm that our thought is right.
> 
> Well, is introducing Session for specifying RBAC components in XACML out of the scope of XACML?
> 
> 
> ======= 2005-04-13 22:29:45 You Wrote: =======
> 
> 
>>nurmamat wrote:
>>
>>>Hello Mr Anderson:
>>>
>>>   Mr Chen zhao and I are in the same lab; we are
>>>very thankful for your precious advice. I would like to confirm what you
>>>said in your last e-mail and ask some more questions.
>>>
>>>you said 
>>>
>>>
>>>>The Role Assignment Authority that made those 
>>>>assignments in the first place could have used XACML to ensure that no 
>>>>incompatible roles were assigned to the same user."
>>>
>>>How can the Role Assignment Authority use XACML to do this? Do you mean there is
>>>a Policy Information Point using XACML to provide information about Role
>>>attributes of a User? Can they use XACML, or is it out of the scope of XACML?
>>
>>Yes, there is a Policy Information Point that generates policies
>>regarding which users are allowed to hold which roles.  When the Role
>>Assignment Authority receives a request to assign a role to a given
>>user, its PEP sends a request to a PDP (possibly the same PDP that
>>resource access requests are sent to) of the form 'Is Subject A,
>>Resource role="X", Action "AssignRole"' permitted?
>>
>>This is within the scope of XACML because it is a request for permission
>>to "access" a particular role "resource".
>>
>>Note that in these requests, the "role" Attribute is an Attribute of the
>>resource rather than an Attribute of the Subject.
>>
>>
>>>You wrote
>>>
>>>
>>>>The Role Assignment Authority would 
>>>>return the role if the user already has it for that session, and would 
>>>>activate the role and return it is the user does not already have it and 
>>>>it does not conflict with roles the user already has activated for the 
>>>>current session.
>>>
>>>I think the word "is the user..." should be "if the user...".
>>
>>That is correct; I mis-typed.
>>
>>
>>>My last question, and the most important one, is whether we can introduce Role
>>>as a parallel entity with Subject (User), Resource and Action, not just as a subject
>>>attribute. If so, most components of the RBAC model can be solved using XACML.
>>
>>I'm not sure I understand.  Are you suggesting having Subject, Resource,
>>Action, Environment, and Role as the "classes" of Attributes?  I don't
>>think that is a solution, and it is not supported by XACML 1.0, 1.1, or 2.0.
>>
>>But XACML can allow a given Attribute, such as "role", to be treated as
>>a Resource Attribute in some queries and policies and as a Subject
>>Attribute in others.  And an Attribute Authority can have its own set of
>>XACML policies that are different from the policies used directly by the
>>user's application.
>>
>>Please send another e-mail if anything is not clear.  I am happy to try
>>answering questions.
>>
>>Anne
>>
> 
> 
> Nurmamat
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
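The exchange above describes the Role Assignment Authority's PEP asking a PDP "Is Subject A, Resource role="X", Action "AssignRole" permitted?", with the role carried as a Resource attribute and the PDP refusing roles that are incompatible with ones the user already holds. The following is an added example, written for this archive page and not code from the thread, the XACML TC, or any XACML implementation. It is a toy PDP in plain Python: the separation-of-duty table is constructed, the attribute ids `urn:example:held-role` and `urn:example:role` are hypothetical (only the subject-id and action-id identifiers are standard XACML 1.0 ones), and the XML rendering is there only to make visible where the role attribute sits in a XACML 2.0 request context.

```python
"""Added example (not from the thread): a toy model of the role-assignment
check described above. The Role Assignment Authority's PEP asks a PDP
'Is Subject A, Resource role="X", Action "AssignRole" permitted?', and the
PDP denies roles that conflict with roles the subject already holds.
Attribute ids marked 'hypothetical' are made up for this example."""
import xml.etree.ElementTree as ET

XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
# Standard XACML 1.0 identifiers for the subject and the requested action.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Hypothetical attribute ids for this example: the roles the subject already
# holds (a Subject attribute) and the role being assigned (a Resource attribute).
HELD_ROLE = "urn:example:held-role"
RESOURCE_ROLE = "urn:example:role"

# Constructed separation-of-duty table: pairs of roles that must never be
# held by the same user at the same time.
INCOMPATIBLE = {
    frozenset({"purchaser", "approver"}),
    frozenset({"accountant", "auditor"}),
}


def build_request(user, held_roles, role, action="AssignRole"):
    """Return a request context keyed by XACML category. The role being
    assigned goes under Resource, not Subject, as the thread explains."""
    return {
        "Subject": {SUBJECT_ID: {user}, HELD_ROLE: set(held_roles)},
        "Resource": {RESOURCE_ROLE: {role}},
        "Action": {ACTION_ID: {action}},
        "Environment": {},
    }


def conflicts_with(role, held_roles):
    """Roles already held that the table marks incompatible with `role`."""
    return {h for h in held_roles if frozenset({role, h}) in INCOMPATIBLE}


def evaluate(request):
    """Toy PDP: Permit AssignRole unless the requested role is incompatible
    with a role the subject already holds. Other actions fall outside this
    policy's target and yield NotApplicable."""
    if request["Action"].get(ACTION_ID) != {"AssignRole"}:
        return "NotApplicable"
    held = request["Subject"].get(HELD_ROLE, set())
    for role in request["Resource"].get(RESOURCE_ROLE, set()):
        if conflicts_with(role, held):
            return "Deny"
    return "Permit"


def to_xacml_xml(request):
    """Render the request as XACML 2.0 context XML so the placement of the
    role attribute inside <Resource> is visible."""
    ns = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
    root = ET.Element(f"{{{ns}}}Request")
    for category in ("Subject", "Resource", "Action", "Environment"):
        cat = ET.SubElement(root, f"{{{ns}}}{category}")
        for attr_id, values in request[category].items():
            for value in sorted(values):
                attr = ET.SubElement(cat, f"{{{ns}}}Attribute",
                                     AttributeId=attr_id, DataType=XSD_STRING)
                ET.SubElement(attr, f"{{{ns}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def assign_role(user, held_roles, role):
    """What the Role Assignment Authority's PEP does: build the request,
    ask the PDP, and hand back the decision."""
    return evaluate(build_request(user, held_roles, role))


if __name__ == "__main__":
    print(assign_role("alice", {"purchaser"}, "approver"))  # Deny
    print(assign_role("alice", {"purchaser"}, "auditor"))   # Permit
    print(to_xacml_xml(build_request("alice", {"purchaser"}, "approver")))
```

Re-assigning a role the user already holds is permitted here, matching the thread's remark that the authority simply returns a role the user already has; only a pairing listed in the incompatibility table produces Deny. A real deployment would express the table as XACML policy rather than a Python set, but the request shape and the Subject-versus-Resource placement of "role" are the point.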

