xacml-dev message

Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.

> If you do not have an access result that says "permit", then you do not
> need to generate an administrative request. Perhaps you mean that, even
> if you get a not applicable for the access request against one policy,
> you still need to try all other policies. Yes, that is true, but all the
> administrative policies will evaluate to not applicable to an access
> request.

I am keeping separate the Normal Access Policies and Delegation Policies 
(whether Administrative or User Issued). So if an Access Request comes:

 -- First it will be matched against a Normal Access policy or policies.
 -- Suppose there is "permit"; of course I don't need to check the 
Delegation policies then (agreed).
 -- But if the result is Deny (this is important) or NotApplicable, then I will 
have to look at the Delegation policies. Here I think I am not getting you 
when you only mention NotApplicable and leave out Deny. The thing is that it is 
possible that a role is completely denied access to an operation by the Normal 
Access policies, but the delegation policies allow it. That's why I think that, in 
case of both NotApplicable and Deny, the PDP will query the Delegation policies.
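
The two-stage evaluation order described in the message above, as an added example that is not part of the original post or of any XACML implementation. The `Rule`, `Request`, `evaluate` and `decide` names, the deny-overrides combining inside each store, and the fallback to the first-stage result are assumptions; `decide` also returns which store produced the decision, so an audit log can show when a delegation policy overrode a Deny.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Rule:
    subject: str   # role or user id the rule targets
    action: str
    resource: str
    effect: str    # PERMIT or DENY

@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str

def evaluate(rules, req):
    """Combine all matching rules with deny-overrides (an assumption)."""
    key = (req.subject, req.action, req.resource)
    effects = {r.effect for r in rules
               if (r.subject, r.action, r.resource) == key}
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOT_APPLICABLE

def decide(normal_rules, delegation_rules, req):
    """Return (decision, deciding_store) using the order in the message."""
    first = evaluate(normal_rules, req)
    if first == PERMIT:
        return first, "normal"        # delegation store is not consulted
    second = evaluate(delegation_rules, req)
    if second == PERMIT:
        return second, "delegation"   # overrides Deny or NotApplicable
    return first, "normal"            # assumption: keep the first result

# Constructed sample policies, for illustration only.
NORMAL = [Rule("nurse", "read", "record", PERMIT),
          Rule("nurse", "write", "record", DENY)]
DELEGATION = [Rule("nurse", "write", "record", PERMIT),
              Rule("clerk", "read", "record", PERMIT)]

if __name__ == "__main__":
    for subject, action in [("nurse", "read"), ("nurse", "write"),
                            ("clerk", "read"), ("clerk", "write")]:
        req = Request(subject, action, "record")
        print(req, decide(NORMAL, DELEGATION, req))
```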

