xacml-dev message
Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.


Muhammad Masoom Alam wrote:

>
> I think you did not get me, and that's why it was difficult for me to
> get you. How I am perceiving it:
>
>  - An access request comes, and it will first be matched to an access
> policy by the Policy Decision Point (PDP)
>  - Matching is done using RBAC, as you described in your email, i.e. we
> have an RPS and then that RPS will refer to a PPS.
>  - If there is no match, or if the result is even deny, then the PDP
> doesn't simply give the answer back to the PEP but
>  - it will check for a delegation policy, and then the whole process
> begins which is illustrated in the profile.
>  - Now, I am not clear about your point. Could you please give me some
> example of how, e.g., I can make use of role hierarchies in your
> profile, keeping separation between access policies and
>    administrative policies? I am not sure about using an empty
> Delegate element??


If there is no match, then there is no result to authorize. Why would
you check for a delegation policy in that case?

If there is a deny, yes, I can see that you might want to check for a
delegation policy, but the current draft does not cover that case yet.
It is still work in progress, so I don't have an answer right now.

Adding administrative rights to roles is done the same way as adding any
other right. Just set the role attribute as the subject of the target
and the delegate a part of the target as well. In the case of the RBAC
profile, just set the Delegate of the RPS to empty and then set the
Delegate element in the PPS to whatever right you want to give.

The only problem is that currently a single RPS cannot match both access
policies and administrative policies, so you need to keep them separate.
The access RPS has no delegate element, and the delegation RPS has an
empty delegate element.

/Erik
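Sketched out below, as an added example that is not part of the thread and not taken from any OASIS draft, is the layout Erik describes: two Role Policy Sets for the same role, one for access (no Delegate element in its target) and one for administration (an empty Delegate element in its target), each referencing its own Permission Policy Set. The namespace and the `urn:oasis:names:tc:xacml:2.0:subject:role` attribute id are the XACML 2.0 / RBAC profile ones; the `Delegate` element's name, its placement inside `Target`, and the contents shown in the PPS follow only the wording of the thread and are assumptions, as are the `urn:example:*` and `RPS:*`/`PPS:*` identifiers.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed illustration only; element and id names are assumptions. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           PolicySetId="urn:example:policyset:manager-role-wrapper"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">

  <!-- 1. Access RPS for the "manager" role.
       The target names the role as subject and has NO Delegate element,
       so it is considered only for ordinary access requests. -->
  <PolicySet PolicySetId="RPS:manager:access"
             PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:example:role:manager</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <!-- The RPS holds no rules itself; it only points at the role's PPS. -->
    <PolicySetIdReference>PPS:manager:access</PolicySetIdReference>
  </PolicySet>

  <!-- 2. Administrative RPS for the same role.
       Same subject match, but the target carries an EMPTY Delegate element
       (assumed element name), so this RPS is considered only for
       administrative (delegation) requests. Keeping it separate from the
       access RPS is what the thread says is required. -->
  <PolicySet PolicySetId="RPS:manager:admin"
             PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:example:role:manager</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Delegate/>   <!-- empty on purpose: marks this RPS as administrative -->
    </Target>
    <PolicySetIdReference>PPS:manager:admin</PolicySetIdReference>
  </PolicySet>

  <!-- 3. Administrative PPS referenced by the admin RPS.
       Here the Delegate element is NOT empty: per the thread, it is set to
       the right being handed out. The resource match inside it is a
       placeholder for "what the manager role may administer". -->
  <PolicySet PolicySetId="PPS:manager:admin"
             PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
    <Target>
      <Delegate>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:example:resource:team-reports</AttributeValue>
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
      </Delegate>
    </Target>
    <!-- Policies granting the administrative right would be referenced here. -->
    <PolicyIdReference>urn:example:policy:manager-may-delegate-team-reports</PolicyIdReference>
  </PolicySet>

</PolicySet>
```

The point to check when reviewing such a layout is that no single RPS carries both kinds of target: an access RPS must have no Delegate element at all, and the administrative RPS must have exactly an empty one, otherwise the PDP will not match it for the intended request type. Role hierarchies are expressed as in the RBAC profile, by having a senior role's PPS reference a junior role's PPS, and that works the same way for the administrative PPS chain as for the access one.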