Subject: One suggestion regarding Negative Delegation
Dear Erik,

In the following I am giving my suggestion for negative rights delegation. What is your opinion?

Abbreviations used:
DRPS = Delegation Role Policy Set
DPPPS = Delegation Positive Permission Policy Set
DNPPS = Delegation Negative Permission Policy Set

    <PolicySet PolicySetId="DRPS:Role_A" PolicyCombiningAlgId="deny-overrides">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
        <Delegate>
          <DelegateMatch MatchId="string-equal">
            <AttributeValue DataType="string">Role_A</AttributeValue>
            <DelegateAttributeDesignator AttributeId="role" DataType="string"/>
          </DelegateMatch>
        </Delegate>
      </Target>
      <PolicySetIdReference>DNPPS:Role_A</PolicySetIdReference>
      <PolicySet PolicySetId="DPPPS:for:Role_A" PolicyCombiningAlgId="permit-overrides">
        <PolicySetIdReference>DPPPS:Role_A</PolicySetIdReference>
        <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
      </PolicySet>
    </PolicySet>

The overall mechanism of the above policy is as follows:

1. DRPS contains references to two policies, DPPPS:Role_A and DNPPS:Role_A, which represent the negative and positive delegation permission policy sets respectively.
2. A general DenyPolicy is given, such that if none of the policies from DPPPS:Role_A is applicable, then the general DenyPolicy will be applicable.
3. The combining algorithms (topmost "deny-overrides") are structured in such a way that DNPPS:Role_A will always have precedence.
4. The permission policy set, either positive or negative, will contain the respective definitions of the permissions.

I hope I was able to convey my idea.

Regards,
Muhammad
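As an added illustration (not part of Muhammad's message and not XACML reference code), the following Python model walks the policy tree above through simplified deny-overrides and permit-overrides combining, showing that a DNPPS deny beats a DPPPS permit and that DenyPolicy catches requests DPPPS does not cover. The permission contents for Role_A, the resource names and the omission of the Indeterminate result are constructed assumptions.

```python
# Constructed stand-in for the policy tree in the message: PolicySet nodes carry
# a combining algorithm, Policy leaves carry a decision function. Indeterminate
# is left out for brevity (a simplification of the real XACML algorithms).
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def combine(alg, decisions):
    """Simplified XACML policy-combining algorithms over child decisions."""
    if alg == "deny-overrides":
        return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NA
    if alg == "permit-overrides":
        return PERMIT if PERMIT in decisions else DENY if DENY in decisions else NA
    raise ValueError(f"unknown combining algorithm: {alg}")

class Policy:
    def __init__(self, policy_id, decide):
        self.policy_id, self.decide = policy_id, decide
    def evaluate(self, request):
        return self.decide(request)

class PolicySet:
    def __init__(self, policy_set_id, combining_alg, children, target=None):
        self.policy_set_id, self.combining_alg = policy_set_id, combining_alg
        self.children, self.target = children, target
    def evaluate(self, request):
        if self.target and not self.target(request):   # <Target> does not match
            return NA
        return combine(self.combining_alg, [c.evaluate(request) for c in self.children])

# Constructed permission content for Role_A (the message leaves these bodies open).
dnpps_role_a = Policy("DNPPS:Role_A",
                      lambda r: DENY if r["resource"] in {"payroll"} else NA)
dppps_role_a = Policy("DPPPS:Role_A",
                      lambda r: PERMIT if r["resource"] in {"reports", "payroll"} else NA)
deny_policy = Policy("DenyPolicy", lambda r: DENY)   # catch-all general deny

drps_role_a = PolicySet("DRPS:Role_A", "deny-overrides", [
    dnpps_role_a,
    PolicySet("DPPPS:for:Role_A", "permit-overrides", [dppps_role_a, deny_policy]),
], target=lambda r: r.get("delegate_role") == "Role_A")   # <DelegateMatch> on role

def decide(resource, delegate_role="Role_A"):
    """Evaluate one constructed delegation request against DRPS:Role_A."""
    return drps_role_a.evaluate({"resource": resource, "delegate_role": delegate_role})

if __name__ == "__main__":
    for res in ("reports", "payroll", "hr-files"):
        print(res, "->", decide(res))
```

"reports" is permitted only by DPPPS, "payroll" is permitted by DPPPS but denied by DNPPS (deny wins at the top level), and "hr-files" matches nothing in DPPPS so DenyPolicy applies.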