xacml-dev message

Subject: One suggestion regarding Negative Delegation

Dear Erik,

In the following I am giving my suggestion for negative rights delegation.
What is your opinion?

Abbreviations used: DRPS = Delegation Role Policy Set, DPPPS = Delegation
Positive Permission Policy Set, DNPPS = Delegation Negative Permission
Policy Set.

<PolicySet PolicySetId="DRPS:Role_A" PolicyCombiningAlgId="deny-overrides">
    <Subjects> <AnySubject/> </Subjects>
    <Resources> <AnyResource/> </Resources>
    <Actions> <AnyAction/> </Actions>
    <DelegateMatch MatchId="string-equal">
        <AttributeValue DataType="string">Role_A</AttributeValue>
        <DelegateAttributeDesignator AttributeId="role" 
    <PolicySet PolicySetId="DPPPS:for:Role_A" PolicyCombiningAlgId=

The overall mechanism of the above policy is as follows:

  1. DRPS contains references to two policies, DPPPS:Role_A and DNPPS:Role_A,
     which represent the negative and positive delegation permission policy set
  2. A general DenyPolicy is given, such that if none of the policies from
     DPPPS:Role_A is applicable, then a general DenyPolicy will be
  3. The combining algorithms (topmost "Deny-overrides") are structured in
     such a way that DNPPS:Role_A will always have precedence.
  4. The permission policy set, either positive or negative, will contain the
     respective definitions of the permissions.

I hope I was able to convey my idea,
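The combining structure described in the message above, modelled as a small Python evaluator. This is an added example, not code from the message or from the XACML TC: the rule contents (which actions Role_A may delegate on the constructed resource "record") are made up, and the choice of first-applicable combining inside DPPPS, with the general DenyPolicy as its last rule, is an assumption made so that the fallback Deny does not swallow every Permit under the topmost deny-overrides.

```python
# Added example: XACML-style policy combining for the DRPS / DPPPS / DNPPS
# structure. Not the XACML TC's code; rule contents and the first-applicable
# combining inside DPPPS are assumptions.
from dataclasses import dataclass
from typing import Callable, List, Union

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    delegate_role: str  # value of the delegate's "role" attribute
    resource: str
    action: str


@dataclass
class Rule:
    effect: str
    # Predicate over the request; default: rule is always applicable.
    applies: Callable[[Request], bool] = lambda r: True


def deny_overrides(decisions: List[str]) -> str:
    """Any Deny wins; otherwise Permit if any Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def first_applicable(decisions: List[str]) -> str:
    """First decision that is not NotApplicable wins (assumed for DPPPS)."""
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


@dataclass
class PolicySet:
    policy_set_id: str
    combine: Callable[[List[str]], str]
    target: Callable[[Request], bool]
    children: List[Union["PolicySet", Rule]]


def evaluate(node: Union[PolicySet, Rule], req: Request) -> str:
    """Evaluate a rule or policy set against a request."""
    if isinstance(node, Rule):
        return node.effect if node.applies(req) else NOT_APPLICABLE
    if not node.target(req):
        return NOT_APPLICABLE
    return node.combine([evaluate(child, req) for child in node.children])


# Constructed policies. DPPPS: positive delegation permissions, followed by
# the general DenyPolicy as the last first-applicable rule.
dppps_role_a = PolicySet(
    policy_set_id="DPPPS:Role_A",
    combine=first_applicable,
    target=lambda r: True,
    children=[
        Rule(PERMIT, lambda r: r.resource == "record" and r.action in ("read", "write")),
        Rule(DENY),  # general DenyPolicy: reached only if nothing above applied
    ],
)

# DNPPS: negative delegation permissions (constructed: no delegating "write").
dnpps_role_a = PolicySet(
    policy_set_id="DNPPS:Role_A",
    combine=deny_overrides,
    target=lambda r: True,
    children=[Rule(DENY, lambda r: r.action == "write")],
)

# DRPS: matches delegates whose role is Role_A and combines the two sets with
# deny-overrides, so a Deny from DNPPS always takes precedence.
drps_role_a = PolicySet(
    policy_set_id="DRPS:Role_A",
    combine=deny_overrides,
    target=lambda r: r.delegate_role == "Role_A",
    children=[dppps_role_a, dnpps_role_a],
)


def decide(delegate_role: str, resource: str, action: str) -> str:
    return evaluate(drps_role_a, Request(delegate_role, resource, action))


if __name__ == "__main__":
    for args in [("Role_A", "record", "read"), ("Role_A", "record", "write"),
                 ("Role_A", "record", "delete"), ("Role_B", "record", "read")]:
        print(args, "->", decide(*args))
```

The "write" request shows the precedence in point 3: DPPPS permits it, DNPPS denies it, and deny-overrides at the DRPS level yields Deny. The "delete" request shows the fallback in point 2: no positive rule applies, so the general DenyPolicy fires. Note that the fallback only works because it is combined first-applicable inside DPPPS; if the always-applicable DenyPolicy were a direct child of the deny-overrides DRPS, every request would be denied.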

