OASIS Mailing List Archives

xacml-dev message

Subject: Re: [sunxacml-discuss] [xacml-dev] RBAC Profile for XACML: moving thread to "xacml-users"


To avoid cross-posting, I will be responding to this and all the other 
e-mails on this thread on the "xacml-users@lists.oasis-open.org" mailing 
list.

Please direct any subsequent discussion to that one list.

Anne Anderson

Muhammad Masoom Alam wrote:
> Hi Seth and all,
> 
> I am stuck again in the XACML profile for RBAC.
> 
> According to RBAC, we have RPS (Role Policy Set) and PPPS (Permission 
> Policy Set), where RPS contains the role definition (RoleName) and 
> references to PPPS, and PPPS contains the actual permissions with a rule 
> (if any).
> Now consider I have a Role A which has two permissions associated 
> with it: one is a Positive Permission Policy Set (PPPS) and one is a 
> Negative Permission Policy Set (NPPS).
> 
> The structure of the Role Policy Set is (as you described in one of your 
> e-mails) this simplified XACML:
> 
> 
> <PolicySet PolicySetId="RPS:RoleA"
>            PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
>     <Target>
>         <!-- Role Definition -->
>     </Target>
>     <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
>         <PolicySetIdReference>PPPS:RoleA</PolicySetIdReference>
>         <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
>     </PolicySet>
>     <PolicySetIdReference>NPPS:RoleA</PolicySetIdReference>
> </PolicySet>
> 
> 
> Now consider RoleA inherits some permissions from RoleB; therefore, 
> PPPS:RoleA will contain a reference to the PPPS of RoleB (i.e. 
> PPPS:RoleB).
> If, in general, there is no rule applicable to RoleA in the PPPS of RoleB, 
> the general "DenyPolicy" (from the Role Policy Set) will be applicable, 
> which is not the right behaviour, since RoleA inherits from RoleB, and if 
> there is no rule applicable in the inherited Role permission policy set 
> (PPPS:RoleB), it shall give Permit (if NPPS:RoleA is not applicable or 
> gives true).
> 
> 
> Am I right?
> If yes, what can the other solutions be?
> 
> 
> regards
> Muhammad.
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
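To see concretely why the catch-all "DenyPolicy" in the quoted RPS turns an inherited NotApplicable into a Deny, here is a toy evaluator for the two XACML policy-combining algorithms involved, run over the RPS:RoleA / PPPS:RoleA / PPPS:RoleB / NPPS:RoleA layout from the thread. This is an added example, not code from the XACML RBAC profile, from sunxacml, or from either correspondent. It assumes simplified semantics (no Indeterminate results, no obligations), models a PolicySetIdReference by nesting the referenced object directly, and uses constructed permissions (RoleB may read reports, RoleA may write memos and may never delete) purely for illustration.

```python
# Toy evaluator for XACML policy-combining algorithms (added example, not
# from the RBAC profile or sunxacml). Assumptions: no Indeterminate results,
# no obligations; targets are plain Python predicates over a request dict.

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def deny_overrides(results):
    """XACML deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def permit_overrides(results):
    """XACML permit-overrides: any Permit wins, then any Deny, else NotApplicable."""
    if PERMIT in results:
        return PERMIT
    if DENY in results:
        return DENY
    return NOT_APPLICABLE


class Policy:
    """A leaf policy with a single effect, returned only when its target matches."""

    def __init__(self, policy_id, target, effect):
        self.policy_id, self.target, self.effect = policy_id, target, effect

    def evaluate(self, request):
        return self.effect if self.target(request) else NOT_APPLICABLE


class PolicySet:
    """A policy set: a target plus a combining algorithm over its children.
    A PolicySetIdReference is modelled by listing the referenced object as a child."""

    def __init__(self, set_id, algorithm, children, target=lambda r: True):
        self.set_id, self.algorithm = set_id, algorithm
        self.children, self.target = children, target

    def evaluate(self, request):
        if not self.target(request):
            return NOT_APPLICABLE
        return self.algorithm([c.evaluate(request) for c in self.children])


# Constructed permissions. PPPS:RoleB permits reading reports; PPPS:RoleA
# permits writing memos and inherits RoleB's permissions by reference.
ppps_role_b = PolicySet("PPPS:RoleB", permit_overrides, [
    Policy("read-report",
           lambda r: r["action"] == "read" and r["resource"] == "report", PERMIT),
])
ppps_role_a = PolicySet("PPPS:RoleA", permit_overrides, [
    Policy("write-memo",
           lambda r: r["action"] == "write" and r["resource"] == "memo", PERMIT),
    ppps_role_b,  # the PolicySetIdReference to PPPS:RoleB
])
# NPPS:RoleA (constructed): RoleA is never allowed to delete anything.
npps_role_a = PolicySet("NPPS:RoleA", deny_overrides, [
    Policy("no-delete", lambda r: r["action"] == "delete", DENY),
])
# The catch-all DenyPolicy from the quoted RPS: always applicable, always Deny.
deny_policy = Policy("DenyPolicy", lambda r: True, DENY)


def build_rps_role_a(with_deny_policy=True):
    """RPS:RoleA as laid out in the thread: deny-overrides over an inner
    permit-overrides set {PPPS:RoleA, DenyPolicy} plus NPPS:RoleA."""
    inner_children = [ppps_role_a] + ([deny_policy] if with_deny_policy else [])
    inner = PolicySet("inner", permit_overrides, inner_children)
    return PolicySet("RPS:RoleA", deny_overrides, [inner, npps_role_a],
                     target=lambda r: r["role"] == "A")


def decide(request, with_deny_policy=True):
    """Evaluate one request against RPS:RoleA and return the decision string."""
    return build_rps_role_a(with_deny_policy).evaluate(request)


if __name__ == "__main__":
    cases = [
        {"role": "A", "action": "read", "resource": "report"},    # inherited permit
        {"role": "A", "action": "delete", "resource": "report"},  # NPPS denies
        {"role": "A", "action": "list", "resource": "catalog"},   # nothing matches
        {"role": "B", "action": "read", "resource": "report"},    # wrong role
    ]
    for req in cases:
        print(req, "->", decide(req), "| without DenyPolicy:", decide(req, False))
```

The third case is the situation described in the quoted mail: no rule in PPPS:RoleA or the inherited PPPS:RoleB matches, so the only applicable child of the inner permit-overrides set is DenyPolicy and the overall decision is Deny; evaluating the same request with DenyPolicy left out returns NotApplicable instead. The second case shows NPPS:RoleA reaching the outer deny-overrides set regardless of what the inner set decides.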
