
xacml-dev message


Subject: XACML Administration policy: A confusion

Hi,

I have a question regarding the XACML profile V3 for Administration policy.
The profile describes the processing model using the following example:

  1. Alice in Employee Group and subjectCategory = accessSubject requests for printer (in order to print).
  2. Policy 1 is not applicable since the subject in the request is a categorized subject.
  3. Policy 2 is also not applicable due to the same reason.
  4. Policy 3 issued by "Mallory" says permit, but we cannot find Mallory as delegate, therefore not authorized.
  5. Policy 4 issued by "Bob" says permit, and further we have to check for its authorization as follows:
     a. Policy 2 says "Carol" can delegate. At this point I have confusion. Since Policy 2 was not applicable previously (see step 3) due to the subjectCategory problem, but now it is applicable. Why? The table given for target evaluation does clear the idea, i.e. if the delegate in the request and the delegates in the policy are matched, then don't care about Subject, Resource, Action. Is this so?

I hope I was able to convey my idea.

