Subject: Re: [xacml-comment] who should use XACML?
You need to provide more details on your authorization scenarios. I think, in general, if your authorization rules depend on many attributes and rules that are constructed using these attributes, then XACML is a good match. I can give you an example of what kind of rules I've implemented for my employer.

Bill Pay Authorization:
-------------------
1. If number of transactions is bigger than T within period of time P, disable BillPay
2. If amount of transaction is bigger than X or smaller than Y, disable BillPay
3. If type of payment is not in the list, disable BillPay
4. If a user is signed up for the Bill Pay service, use a different set of rules (T, P, X, Y will be different)
... and so on.

I had approximately 10 business rules like that for BillPay. If you can easily derive all your authorization decisions from a user ID only, then I would not recommend using XACML - use a traditional RBAC model instead, because XACML will definitely add complexity and increase the cost of your authz solution.

--- On Mon, 9/22/08, kurt steele <arcticranger3@yahoo.com> wrote:

> From: kurt steele <arcticranger3@yahoo.com>
> Subject: [xacml-comment] who should use XACML?
> To: xacml-comment@lists.oasis-open.org
> Date: Monday, September 22, 2008, 12:33 PM
>
> I am doing some research for a media firm in NYC and I have
> a simple question.
>
> They need a solution for:
>
> 1. authorization of users of our CMS
> 2. general users of our public entertainment websites.
> There are 300 or so of these and the rights policies can be
> complex. The policies often specify restrictions based
> on geographic location of the subject and the resource.
>
> Is XACML targeted at both of these scenarios? Or
> is it only meant for inter-agency or inter-company rights
> interaction?
>
> I find it hard to equate internal CMS access with public
> website access, they seem like very different animals to
> me. So any views on that would help also.
>
> Thanks.
>
> Arc
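
The four BillPay rules listed in the reply above, written as a small attribute-based decision function; this is an added example, not part of the original message or the author's implementation, and it is plain Python rather than XACML policy syntax. The threshold values, payment-type names, the `Limits`/`Request`/`decide` names and the choice to count the current request toward T are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Limits:
    max_tx: int               # T
    period: timedelta         # P
    max_amount: float         # X
    min_amount: float         # Y
    payment_types: frozenset  # the "list" of allowed payment types

# Constructed values: the message gives no numbers or payment-type names.
# Keyed by whether the user is signed up for the Bill Pay service (rule 4).
LIMITS = {
    False: Limits(3, timedelta(hours=24), 500.0, 1.0, frozenset({"ach"})),
    True: Limits(10, timedelta(hours=24), 5000.0, 0.5, frozenset({"ach", "check"})),
}

@dataclass(frozen=True)
class Request:
    user_id: str
    enrolled: bool        # subject attribute
    amount: float         # action attribute
    payment_type: str     # action attribute
    at: datetime          # environment attribute
    history: tuple = ()   # timestamps of the user's earlier transactions

def decide(req):
    """Return (decision, reasons). Any matching rule denies (deny-overrides)."""
    lim = LIMITS[req.enrolled]                       # rule 4: pick the rule set
    reasons = []
    recent = [t for t in req.history if req.at - lim.period < t <= req.at]
    if len(recent) + 1 > lim.max_tx:                 # rule 1, assumed to count this request
        reasons.append("rule 1: more than T transactions within P")
    if req.amount > lim.max_amount or req.amount < lim.min_amount:
        reasons.append("rule 2: amount above X or below Y")
    if req.payment_type not in lim.payment_types:
        reasons.append("rule 3: payment type not in the list")
    return ("Deny" if reasons else "Permit", reasons)

if __name__ == "__main__":
    now = datetime(2008, 9, 22, 12, 0)               # constructed sample input
    hist = tuple(now - timedelta(hours=h) for h in (1, 2, 3))
    for enrolled in (False, True):
        print(enrolled, decide(Request("u1", enrolled, 200.0, "ach", now, hist)))
```

The same user ID produces Deny in one case and Permit in the other because the decision depends on request and environment attributes, which is the situation the reply describes as a good match for XACML.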