OASIS Mailing List Archives



xacml-dev message


Subject: My wordings

Dear Erik,

I have summarized the Delegation Profile in my own words; if you could kindly check it in order to remove any confusion.

This profile defines two types of policies: Administration Defined Policies (ADP) and User Defined Policies (UDP). ADP are the top-level policies which do not need any further authorization, whereas UDP need to be further authorized through ADP. A <PolicyIssuer> element qualifies a policy as UDP, i.e. it is issued by a subject (a User, Role etc.), whereas a missing <PolicyIssuer> element qualifies a policy as ADP. The <Target> element of these policies can contain an additional element <Delegate> in addition to <Subject><Resource><Action>. This element defines a subject (a role, user etc.) which is allowed to issue an access policy covering the situation specified by <Subject><Resource><Action>. E.g. if <Subject><Resource><Action> defines the situation "A member is allowed to add a resource", then the <Delegate> element can define a subject (e.g. B) that can issue an access policy covering the above situation, i.e. Subject B can delegate that a member can add a resource. For an ADP, the presence of the <Delegate> element is necessary. Delegation can be further constrained by the <Condition> element.

According to this profile, when an access request comes it only matches those policies which do not contain the <Delegate> element, i.e. it only matches those policies which are issued by a user. The matched UDP needs further authorization. This will trigger an Administration request which includes the situation and the Issuer. E.g. if a subject B asserts that a member can add a resource and there is an access request from a member in order to add a resource, then an administration request will be created to qualify whether subject B has the right to assert that a member can add a resource. If an ADP specifies, by means of the <Delegate> element, that subject B can assert the above situation, then the Administration request will match the corresponding ADP and access will be granted to the member to add the resource. Please refer to Section 4, where we provide the integration of this delegation profile with the normal access control policies of XACML.
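The reduction described in the message above, as an added example that is not part of the original post or of the XACML specification: a small Python model in which an access request (no delegate) is matched only against policies without <Delegate>, and a policy that carries an issuer is backed by an administrative request that carries that issuer as the delegate. The class names, the `*` wildcard, the first-applicable ordering, the cycle guard and the sample policies are assumptions made here for illustration; a real PDP follows the profile's normative reduction rules. The example goes one step beyond the message by chaining two levels of delegation (a trusted policy authorizes A, A authorizes B, B issues the access policy) and by using a <Condition> on the administrative policy.

```python
"""Toy model of the delegation reduction summarized above.

Added example, not the message's or the XACML profile's own code: class names,
wildcard, ordering and sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Sequence

ANY = "*"  # wildcard value in a target attribute (assumption)


@dataclass(frozen=True)
class Target:
    subject: str
    resource: str
    action: str
    delegate: Optional[str] = None  # set only on administrative policies

    def matches(self, subject: str, resource: str, action: str,
                delegate: Optional[str] = None) -> bool:
        # An access request carries delegate=None, so it can only match a
        # target without <Delegate>; an administrative request carries the
        # issuer as delegate and can only match a target with <Delegate>.
        pairs = ((self.subject, subject), (self.resource, resource),
                 (self.action, action), (self.delegate, delegate))
        return all(want == ANY or want == got for want, got in pairs)


@dataclass(frozen=True)
class Policy:
    id: str
    target: Target
    issuer: Optional[str] = None          # None: no <PolicyIssuer>, trusted
    effect: str = "Permit"
    condition: Callable[..., bool] = lambda **_: True   # <Condition>


def evaluate(policies: Sequence[Policy], subject: str, resource: str,
             action: str, delegate: Optional[str] = None,
             seen: FrozenSet[str] = frozenset()) -> str:
    """First-applicable evaluation of an access request (delegate=None) or of
    an administrative request (delegate = the issuer being checked)."""
    for p in policies:
        if not p.target.matches(subject, resource, action, delegate):
            continue
        if not p.condition(subject=subject, resource=resource,
                           action=action, delegate=delegate):
            continue
        if p.issuer is None:
            return p.effect               # trusted: no further authorization
        if p.issuer in seen:
            continue                      # guard against delegation loops
        # Issued policy: build the administrative request "may p.issuer
        # assert this situation?" (same situation, delegate = issuer).
        backing = evaluate(policies, subject, resource, action,
                           delegate=p.issuer, seen=seen | {p.issuer})
        if backing == "Permit":
            return p.effect
        # An issued policy that nobody backs is ignored; keep looking.
    return "NotApplicable"


# Constructed sample policy set (mirrors the message's "member adds a resource").
POLICIES = [
    # Issued by B (a UDP in the message's terms): a member may add a resource.
    Policy("b-member-add", Target("member", "resource", "add"), issuer="B"),
    # Also issued by B, but no administrative policy backs B for deletes.
    Policy("b-member-delete", Target("member", "resource", "delete"), issuer="B"),
    # Issued by A: A lets B issue policies on member/resource for any action
    # except delete (the <Condition> constrains the delegation).
    Policy("a-delegates-b", Target("member", "resource", ANY, delegate="B"),
           issuer="A", condition=lambda **r: r["action"] != "delete"),
    # Trusted policy (no issuer, an ADP): A may administer member/resource.
    Policy("root-delegates-a", Target("member", "resource", ANY, delegate="A")),
]


def decide(subject: str, resource: str, action: str,
           policies: Sequence[Policy] = POLICIES) -> str:
    """Decide an ordinary access request against the sample policy set."""
    return evaluate(policies, subject, resource, action)


if __name__ == "__main__":
    for req in (("member", "resource", "add"), ("member", "resource", "delete"),
                ("guest", "resource", "add")):
        print(req, "->", decide(*req))
```

Reading the trace for `("member", "resource", "add")` shows the chain the message describes: the access request matches only B's issued policy, which raises an administrative request with delegate B; that matches A's administrative policy, which in turn raises an administrative request with delegate A; that one hits the trusted policy and the whole chain is permitted. The delete request fails because A's <Condition> excludes it, so B's delete policy has no backing and is ignored rather than honoured.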


