
xacml-dev message


Subject: Re: [xacml-dev] Some queries regarding RBAC and XACML Profile for delegation.

> No, it's the other way around:
> -- First you match the access request against the access policies.
> -- If there is a permit (which is associated with an issuer), then you
> MUST generate a _new_ administrative request, and check that against the
> administrative policies.
> -- If the result is deny or not applicable for the first access request,
> then you do not need to generate a second request. (We are still working
> on the details of deny though, so draft 07 is not fully consistent on
> this issue.)

Oh, now I got you. You mean access policies are issued by the users, meaning
the access policies contain an Issuer element.

But I am thinking the other way around.

Suppose I have normal XACML policies with no Issuer element and delegate
element, i.e. they are normal access policies and don't need any further
if an access request got "notApplicable" or "Deny", I will then check for
the delegation policies (the user-issued ones) so as to generate an
Administrative request and ...

Agreed?
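
The evaluation order described in the quoted reply, as an added example that is not part of the original message or of the XACML profile text. It is a simplified Python model with these assumptions: policies match on exact subject/resource/action, only permits are modelled, administrative policies are always trusted, and all names and sample policies are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    subject: str
    resource: str
    action: str
    issuer: Optional[str] = None   # None: trusted policy with no Issuer element
    administrative: bool = False   # True: states who may issue policies

def _matches(p, subject, resource, action):
    return (p.subject, p.resource, p.action) == (subject, resource, action)

def evaluate(policies, subject, resource, action):
    """Return (decision, number of administrative requests generated)."""
    admin_requests = 0
    for p in policies:
        # Step 1: match the access request against access policies only.
        if p.administrative or not _matches(p, subject, resource, action):
            continue
        if p.issuer is None:
            return "Permit", admin_requests          # trusted permit, no second request
        # Step 2: the permit has an issuer, so generate a NEW administrative
        # request asking whether that issuer may issue this permission.
        admin_requests += 1
        if any(a.administrative and a.issuer is None
               and _matches(a, p.issuer, resource, action) for a in policies):
            return "Permit", admin_requests
        # Issuer not authorized: this policy's permit is discarded.
    # No usable permit: no administrative request is generated for this outcome.
    return "NotApplicable", admin_requests

# Constructed sample policy set.
POLICIES = [
    Policy("bob", "report", "read", administrative=True),   # bob may delegate read
    Policy("carol", "report", "read", issuer="bob"),        # issued by bob
    Policy("mallory", "report", "read", issuer="mallory"),  # self-issued, unbacked
    Policy("erin", "report", "write"),                      # trusted access policy
]

if __name__ == "__main__":
    for who, act in [("carol", "read"), ("mallory", "read"),
                     ("dave", "read"), ("erin", "write")]:
        print(who, act, evaluate(POLICIES, who, "report", act))
```

The self-issued policy for `mallory` matches the access request but yields no permit, because the administrative request for its issuer finds no administrative policy.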

