Subject: Some queries regarding RBAC and XACML Profile for delegation.
Hi Erik,

I hope I am not boring you. I have some queries regarding the latest Profile for Delegation of XACML V7.

The first question is whether an Issuer can constrain the delegation, or whether delegation can only be constrained by Administration Policies, as stated in the Profile: "In case <PolicyIssuer> element is present, then combining Algorithms that can result in "Deny" SHALL NOT be used"?

The 2nd question is: in the Administration Policy, up to which level can we constrain delegation? E.g. in the Administration Policy it can be specified that Carol can delegate to Bob, by means of DelegateAttributeDesignator and LaterDelegateAttributeDesignator. But is it possible to further constrain to whom Bob can delegate further? If we specify a new Administration Policy taking Bob as Delegatee, then what will be the value of the first policy in this regard? I mean, if Bob can delegate to Mallory (by an Administration Policy), then there is no need to ask whether Bob is authorized himself or not? And on the other hand, if we can constrain multiple levels of delegation, then it makes a long chain, isn't it so?

Another issue is the integration of the RBAC Profile for XACML with this Delegation Profile. E.g. I have Role A and Role B, and Role B is the super Role of Role A, so how does this inheritance relationship work in the XACML profile?

-- There will be a Role Policy Set (RPS) for every Role, e.g. A & B.
-- There will be a Permission Policy Set (PPS) for every Role too.
-- Now, RPS will only contain the Role Definition and will reference PPS, e.g. as Role B is the super Role of Role A, therefore RPS of B will refer to its PPS, and then PPS of B will refer to PPS of Role A, to make this inheritance relationship in XACML.
Now, considering the same for the Delegation Profile, I think we can have RPS like this:

    <!-- RPS of Role B: a PolicySet (so it can carry a PolicySetIdReference)
         whose Target only matches the delegate and which holds no Rules itself -->
    <PolicySet PolicySetId="RPS_Role_B"
               PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
        <Delegates>
          <Delegate>
            <DelegateMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RoleB</AttributeValue>
              <DelegateAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </DelegateMatch>
          </Delegate>
        </Delegates>
      </Target>
      <!-- the permissions of Role B live in its PPS -->
      <PolicySetIdReference>PPS_OF_RoleB</PolicySetIdReference>
    </PolicySet>

and then PPS of Role B will contain the definition of the actual permission, with a reference to PPS of Role A since it is the super Role. Makes sense?

    <!-- PPS of Role B: the actual permissions, plus a reference to PPS of Role A -->
    <PolicySet PolicySetId="PPS_OF_RoleB"
               PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
      <Policy PolicyId="PPS_OF_RoleB_Policy"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</AttributeValue>
                <SubjectAttributeDesignator AttributeId="group"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">printer</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ResourceMatch>
            </Resource>
          </Resources>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">print</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
        <Rule RuleId="Rule1" Effect="Permit">
          <Target>
            <Subjects><AnySubject/></Subjects>
            <Resources><AnyResource/></Resources>
            <Actions><AnyAction/></Actions>
          </Target>
        </Rule>
      </Policy>
      <!-- inheritance: Role B is the super Role of Role A, so it also gets A's permissions -->
      <PolicySetIdReference>PPS_OF_Role_A</PolicySetIdReference>
    </PolicySet>

The thing is that RPS will only contain the Delegate element and will reference the PPS, whereas PPS will contain the permissions and additionally a reference to another PPS for the inheritance relationship. I hope I was able to convey my idea.

With best regards,
Muhammad
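An added example (my own, not part of the original post or of any XACML implementation): a small Python sketch that parses constructed, namespace-free versions of the three policy sets the post describes and walks the PolicySetIdReference chain, so that Role B's effective permissions come out as its own plus Role A's. The set names are taken from the post; the scanner/scan permission for Role A and the `is_pure_rps` shape check are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, namespace-free sketches of the three sets from the post (not real
# XACML schema documents): RPS_Role_B -> PPS_OF_RoleB -> PPS_OF_Role_A.
POLICY_SETS = {
    "RPS_Role_B": """<PolicySet PolicySetId="RPS_Role_B">
      <Target><Delegates><Delegate><DelegateMatch>
        <AttributeValue>RoleB</AttributeValue></DelegateMatch></Delegate></Delegates></Target>
      <PolicySetIdReference>PPS_OF_RoleB</PolicySetIdReference>
    </PolicySet>""",
    "PPS_OF_RoleB": """<PolicySet PolicySetId="PPS_OF_RoleB">
      <Policy PolicyId="PPS_OF_RoleB_Policy"><Target>
        <Resources><Resource><ResourceMatch><AttributeValue>printer</AttributeValue></ResourceMatch></Resource></Resources>
        <Actions><Action><ActionMatch><AttributeValue>print</AttributeValue></ActionMatch></Action></Actions>
      </Target><Rule RuleId="Rule1" Effect="Permit"/></Policy>
      <PolicySetIdReference>PPS_OF_Role_A</PolicySetIdReference>
    </PolicySet>""",
    "PPS_OF_Role_A": """<PolicySet PolicySetId="PPS_OF_Role_A">
      <Policy PolicyId="PPS_OF_Role_A_Policy"><Target>
        <Resources><Resource><ResourceMatch><AttributeValue>scanner</AttributeValue></ResourceMatch></Resource></Resources>
        <Actions><Action><ActionMatch><AttributeValue>scan</AttributeValue></ActionMatch></Action></Actions>
      </Target><Rule RuleId="Rule1" Effect="Permit"/></Policy>
    </PolicySet>""",
}

def permissions_of(policy_set_id, sources=POLICY_SETS):
    """Follow PolicySetIdReference links from the given set and collect every
    (resource, action) pair a Permit rule grants along the chain."""
    sets = {k: ET.fromstring(v) for k, v in sources.items()}
    perms, seen, todo = set(), set(), [policy_set_id]
    while todo:
        pid = todo.pop()
        if pid in seen:  # guards against a reference cycle (B -> A -> B)
            continue
        seen.add(pid)
        for pol in sets[pid].findall("Policy"):
            if pol.find("Rule[@Effect='Permit']") is None:
                continue
            res = pol.findall("Target/Resources/Resource/ResourceMatch/AttributeValue")
            act = pol.findall("Target/Actions/Action/ActionMatch/AttributeValue")
            perms.update((r.text, a.text) for r in res for a in act)
        todo += [ref.text.strip() for ref in sets[pid].findall("PolicySetIdReference")]
    return sorted(perms)

def is_pure_rps(policy_set_id, sources=POLICY_SETS):
    """True when a set holds only a Delegates target plus references and no
    permissions of its own, the RPS shape the post proposes (assumed check)."""
    ps = ET.fromstring(sources[policy_set_id])
    return ps.find("Target/Delegates") is not None and not ps.findall("Policy")
```

Starting from RPS_Role_B the walk yields both the printer/print permission defined in PPS_OF_RoleB and the scanner/scan permission inherited from PPS_OF_Role_A; the `seen` set is what keeps a mistakenly circular reference chain from looping.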