OASIS Mailing List Archives

xacml-dev message

Subject: One suggestion regarding Negative Delegation


Dear Erik,


In the following I am giving my suggestion for negative rights delegation.
What is your opinion?


Abbreviations used: DRPS = Delegation Role Policy Set, DPPPS = Delegation
Positive Permission Policy Set, DNPPS = Delegation Negative Permission
Policy Set.

<PolicySet PolicySetId="DRPS:Role_A" PolicyCombiningAlgId="deny-overrides">
    <Target>
        <Subjects> <AnySubject/> </Subjects>
        <Resources> <AnyResource/> </Resources>
        <Actions> <AnyAction/> </Actions>
        <Delegate>
            <DelegateMatch MatchId="string-equal">
                <AttributeValue DataType="string">Role_A</AttributeValue>
                <DelegateAttributeDesignator AttributeId="role"
                                             DataType="string"/>
            </DelegateMatch>
        </Delegate>
    </Target>
    <!-- negative permissions: any Deny from here wins under deny-overrides -->
    <PolicySetIdReference>DNPPS:Role_A</PolicySetIdReference>
    <!-- positive permissions, with a catch-all Deny when none of them applies -->
    <PolicySet PolicySetId="DPPPS:for:Role_A" PolicyCombiningAlgId="permit-overrides">
        <PolicySetIdReference>DPPPS:Role_A</PolicySetIdReference>
        <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
    </PolicySet>
</PolicySet>


The overall mechanism of the above policy is as follows:

  1. DRPS contains references to two policies, DPPPS:Role_A and DNPPS:Role_A,
which represent the negative and positive delegation permission policy sets
respectively.
  2. A general DenyPolicy is given, such that if none of the policies from
DPPPS:Role_A is applicable, then the general DenyPolicy will be applicable.
  3. The combining algorithms (topmost "deny-overrides") are structured in
such a way that DNPPS:Role_A will always have precedence.
  4. The Permission Policy Set, either positive or negative, will contain the
respective definitions of the permissions.


I hope I was able to convey my idea.

regards,
Muhammad.
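The precedence described in the message, traced with a small evaluator. This is an added example and not code from the original message or from any XACML implementation: policies are reduced to callables over a flat request dict, only the Permit, Deny and NotApplicable decisions are modelled (Indeterminate is left out), and the sample permissions for Role_A (a negative permission on "payroll", a positive permission to delegate "read" on "payroll" and "reports") are constructed purely for illustration.

```python
"""Toy evaluator for the DRPS / DNPPS / DPPPS layering proposed in the message.

Added example, not from the original message or any XACML implementation.
Policies are reduced to callables over a flat request dict; only
Permit / Deny / NotApplicable are modelled, and the Role_A permissions
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]
Target = Callable[[Request], bool]


def any_target(_req: Request) -> bool:
    return True


@dataclass
class Policy:
    """A leaf policy: its target predicate and the effect returned on a match."""
    effect: str
    target: Target = any_target

    def evaluate(self, req: Request) -> str:
        return self.effect if self.target(req) else NOT_APPLICABLE


def deny_overrides(decisions: List[str]) -> str:
    # Any Deny wins; otherwise any Permit; otherwise nothing applied.
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def permit_overrides(decisions: List[str]) -> str:
    # Mirror image: any Permit wins over any Deny.
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NOT_APPLICABLE


COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides}


@dataclass
class PolicySet:
    """A policy set: target, combining algorithm, and child policies / policy sets."""
    algorithm: str
    children: List[Union[Policy, "PolicySet"]]
    target: Target = any_target

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return COMBINERS[self.algorithm]([c.evaluate(req) for c in self.children])


def build_drps_role_a() -> PolicySet:
    """Mirror the XML layout: deny-overrides over DNPPS and a permit-overrides
    set holding DPPPS plus the catch-all DenyPolicy."""
    # DNPPS:Role_A (constructed): Role_A may never delegate anything on "payroll".
    dnpps = PolicySet("deny-overrides", [
        Policy(DENY, lambda r: r["resource"] == "payroll"),
    ])
    # DPPPS:Role_A (constructed): Role_A may delegate "read" on payroll and reports.
    # The payroll grant deliberately conflicts with DNPPS above.
    dppps = PolicySet("permit-overrides", [
        Policy(PERMIT, lambda r: r["resource"] in ("payroll", "reports")
               and r["action"] == "read"),
    ])
    deny_policy = Policy(DENY)  # general DenyPolicy: applicable to every request
    dppps_for_role_a = PolicySet("permit-overrides", [dppps, deny_policy])
    return PolicySet(
        "deny-overrides",
        [dnpps, dppps_for_role_a],
        target=lambda r: r.get("delegate-role") == "Role_A",  # the <Delegate> match
    )


DRPS_ROLE_A = build_drps_role_a()


def decide(delegate_role: str, resource: str, action: str) -> str:
    """Evaluate one delegation request against DRPS:Role_A."""
    return DRPS_ROLE_A.evaluate(
        {"delegate-role": delegate_role, "resource": resource, "action": action}
    )


if __name__ == "__main__":
    for case in [("Role_A", "payroll", "read"),   # negative wins over positive
                 ("Role_A", "reports", "read"),   # only the positive applies
                 ("Role_A", "reports", "write"),  # nothing applies: DenyPolicy
                 ("Role_B", "reports", "read")]:  # DRPS target does not match
        print(case, "->", decide(*case))
```

Running the four cases gives Deny, Permit, Deny and NotApplicable in that order, which is the precedence the message describes. One property of this layout worth noticing in the model: because DenyPolicy matches every request, DRPS:Role_A returns NotApplicable only when the Delegate target fails; for any Role_A request it returns Permit or Deny, never NotApplicable. If several roles' DRPS are later combined in an enclosing policy set, the enclosing combining algorithm therefore decides whether Role_A's catch-all Deny can override a Permit that another role's DRPS would grant.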



