
xacml-dev message


Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.

Dear Erik,

> Oh, I see now what you want. You want to add administrative rights for
> roles. There is no way right now in the profile to define a target that
> will match both access and administrative requests, so you cannot mix
> access rights and administrative rights in the same role using only a
> single policy set. For now, I suggest you create a second RPS for
> administrative rights, which can then refer to another PPS with the
> administrative rights.
> For this second RPS, you can use an empty Delegate element in the target,
> which will match any administrative request and then you can fill in the
> details in the PPS.

I think you did not get me, and that's why it was difficult for me to get
you. How I am perceiving it:

  - An Access request comes, and it will first be matched by an Access policy
    by the Policy Decision Point (PDP).
  - Matching is done using RBAC, as you described in your email, i.e. we have
    an RPS and then that RPS will refer to a PPS.
  - If there is no match, or if the result is even deny, then the PDP doesn't
    simply give the answer back to the PEP, but
  - it will check for a Delegation Policy, and then the whole process
    begins which is illustrated in the profile.
  - Now, I am not clear about your point. Could you please give me some example
    of how, e.g., I can make use of Role Hierarchies in your profile, keeping
    separation between access policies and Administrative policies? I am not
    sure about using an Empty Delegate Element?

