Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.
Dear Erik,

> Oh, I see now what you want. You want to add administrative rights for
> roles. There is no way right now in the profile to define a target that
> will match both access and administrative requests, so you cannot mix
> access rights and administrative rights in the same role using only a
> single policy set. For now, I suggest you create a second RPS for
> administrative rights, which can then refer to another PPS with the
> administrative rights.
>
> For this second RPS, you can use an empty Delegate element in the target,
> which will match any administrative request and then you can fill in the
> details in the PPS.
>

I think you did not get me, and that's why it was difficult for me to get you.

How I am perceiving it:

- An access request comes, and it will first be matched by an access policy by the Policy Decision Point (PDP).
- Matching is done using RBAC, as you described in your email, i.e. we have an RPS and then that RPS will refer to a PPS.
- If there is no match, or if the result is even deny, then the PDP doesn't simply give the answer back to the PEP, but
- it will check for a delegation policy, and then the whole process begins which is illustrated in the profile.
- Now, I am not clear about your point. Could you please give me some example of how, e.g., I can make use of role hierarchies in your profile, keeping separation between access policies and administrative policies? I am not sure about using an empty Delegate element??

Regards,
Muhammad.