xacml-dev message



Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.


Muhammad Masoom Alam wrote:

>> If you do not have an access result that says "permit", then you do not
>> need to generate an administrative request. Perhaps you mean that, even
>> if you get a not applicable for the access request against one policy,
>> you still need to try all other policies. Yes, that is true, but all the
>> administrative policies will evaluate to not applicable to an access
>> request.
>
>
> I am keeping separate the Normal Access Policies and Delegation
> Policies (whether Administrative or User Issued). So if an Access
> Request comes:
>
> -- First it will be matched against a Normal Access policy or policies.
> -- Suppose there is "permit"; of course I don't need to check the
> Delegation policies then (Agreed).
> -- But if the result is Deny (this is important) or notApplicable, then I
> will have to look at the Delegation policies. Here I think I am not
> getting you when you only mention notApplicable and leave out Deny. The
> thing is that it is possible that a role is completely denied
> accessing an operation by the Normal Access policies, but delegation
> policies allow it. That's why, I think, in case of both
> NotApplicable and Deny, the PDP will query the Delegation policies.


No, it's the other way around:

-- First you match the access request against the access policies.
-- If there is a permit (which is associated with an issuer), then you
MUST generate a _new_ administrative request, and check that against the
administrative policies.
-- If the result is deny or not applicable for the first access request,
then you do not need to generate a second request. (We are still working
on the details of deny though, so draft 07 is not fully consistent on
this issue.)

An access request cannot match an administrative policy.

/Erik
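The evaluation order Erik describes, as an added illustration that is not code from this thread, from OASIS or from any XACML implementation: a toy PDP keeps access policies and administrative policies apart, evaluates the access request against the access policies only, and generates a separate administrative request only when the access result is a Permit whose policy was issued by a delegate rather than by the trusted authority. Deny and NotApplicable on the access request produce no second request, matching Erik's description (the thread notes draft 07 was not yet settled on Deny). The first-applicable combining, the dict-based request shape, the `delegate` attribute name and the policy/issuer names are all assumptions made for the example.

```python
"""Simplified model of XACML delegation ("administrative request") evaluation.
Constructed illustration only: the combining algorithm, request shape and
sample policies are assumptions, not the XACML profile's normative text."""

from dataclasses import dataclass, field
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Policy:
    kind: str                        # "access" or "admin": kept strictly separate
    issuer: Optional[str]            # None = issued by the trusted authority (no reduction needed)
    target: Callable[[dict], bool]   # applicability test over the request attributes
    effect: str                      # PERMIT or DENY


@dataclass
class Decision:
    result: str
    admin_requests: list = field(default_factory=list)  # trace of generated administrative requests


def evaluate(request: dict, policies: list, kind: str) -> tuple:
    """First-applicable combining (assumed) over the policies of ONE kind.
    An access request is only ever compared with access policies, so it
    cannot match an administrative policy; returns (effect, issuer)."""
    for p in policies:
        if p.kind == kind and p.target(request):
            return p.effect, p.issuer
    return NOT_APPLICABLE, None


def _reduce(request: dict, kind: str, policies: list, trace: list) -> str:
    result, issuer = evaluate(request, policies, kind)
    if result != PERMIT or issuer is None:
        # Deny / NotApplicable, or a Permit from the trusted authority:
        # no administrative request is generated.
        return result
    # Permit issued by a delegate: build a NEW administrative request asking
    # whether `issuer` was entitled to issue a policy over this situation.
    admin_request = {
        "delegate": issuer,
        "subject": request["subject"],
        "resource": request["resource"],
        "action": request["action"],
    }
    trace.append(admin_request)
    # Only a Permit of the administrative request backs the delegate's Permit;
    # an unsupported delegate policy is treated as NotApplicable (assumption).
    return PERMIT if _reduce(admin_request, "admin", policies, trace) == PERMIT else NOT_APPLICABLE


def authorize(access_request: dict, policies: list) -> Decision:
    trace: list = []
    return Decision(_reduce(access_request, "access", policies, trace), trace)


# Constructed sample policy set: names and resources are placeholders.
SAMPLE_POLICIES = [
    # Trusted access policy: nobody writes file1.
    Policy("access", None,
           lambda r: r["action"] == "write" and r["resource"] == "file1", DENY),
    # Delegate "alice" issued an access policy permitting reads of file1.
    Policy("access", "alice",
           lambda r: r["action"] == "read" and r["resource"] == "file1", PERMIT),
    # Delegate "mallory" issued a policy for file2, but no admin policy backs her.
    Policy("access", "mallory",
           lambda r: r["action"] == "read" and r["resource"] == "file2", PERMIT),
    # Trusted administrative policy: alice may issue read policies over file1.
    Policy("admin", None,
           lambda r: r.get("delegate") == "alice"
           and r["action"] == "read" and r["resource"] == "file1", PERMIT),
]


if __name__ == "__main__":
    for req in (
        {"subject": "bob", "resource": "file1", "action": "read"},
        {"subject": "carol", "resource": "file1", "action": "write"},
        {"subject": "dave", "resource": "file3", "action": "read"},
        {"subject": "eve", "resource": "file2", "action": "read"},
    ):
        d = authorize(req, SAMPLE_POLICIES)
        print(req, "->", d.result, "| admin requests generated:", len(d.admin_requests))
```

Running the block shows the four cases from the discussion: bob's read is permitted after one administrative request succeeds, carol's write is denied with no administrative request, dave's read is NotApplicable with no administrative request, and eve's read becomes NotApplicable because the administrative request generated for mallory's policy is not permitted by any administrative policy.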



