Subject: Re: [xacml-dev] One suggestion regarding Negative Delegation


Yes, this policy should work and is supported by the current draft for
the profile.

Erik

Muhammad Masoom Alam wrote:

> Dear Erik,
>
>
> In the following I am giving my suggestion for negative rights
> delegation. What is your opinion?
>
>
> Abbreviations used:  DRPS = Delegation Role Policy Set, DPPPS =
> Delegation Positive Permission Policy Set, DNPPS = Delegation Negative
> Permission Policy Set.
>
> <PolicySet PolicySetId="DRPS:Role_A" Combining Algorithm = "deny-overrides">
>    <Target>
>        <Subjects> <AnySubject/> </Subjects>
>        <Resources> <AnyResource/> </Resources>
>        <Actions> <AnyAction/> </Actions>
>        <Delegate>
>            <DelegateMatch MatchId="string-equal">
>                <AttributeValue DataType="string">Role_A</AttributeValue>
>                <DelegateAttributeDesignator AttributeId="role" DataType="string"/>
>            </DelegateMatch>
>        </Delegate>
>    </Target>
>    <PolicySetIdReference>DNPPS:Role_A</PolicySetIdReference>
>    <PolicySet PolicySetId="DPPPS:for:Role_A" Combining Algorithm = "permit-overrides">
>            <PolicySetIdReference>DPPPS:Role_A</PolicySetIdReference>
>            <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
>    </PolicySet>
> </PolicySet>
>
>
> The overall mechanism of the above policy is as follows:
>
>   1. DRPS contains references to two policies, DPPPS:Role_A and
> DNPPS:Role_A, which represent the negative and positive delegation
> permission policy sets respectively.
>   2. A general DenyPolicy is given, such that if none of the policies is
> applicable from the DPPPS:Role_A, then a general DenyPolicy will be
> applicable.
>   3. The combining algorithms (topmost "Deny-overrides") are
> structured in such a way that DNPPS:Role_A will always have precedence.
>   4. The Permission Policy Set, either positive or negative, will contain
> the respective definitions of the permissions.
>
>
> I hope I was able to convey my idea,
>
> regards,
> Muhammad.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
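
Added example, not part of the original thread and not code from the delegation profile: a simplified Python model of how the nested combining algorithms in the quoted policy resolve a request. It assumes only Permit, Deny and NotApplicable outcomes (Indeterminate is left out), and the permission entries, request keys and function names are constructed for illustration.

```python
# Simplified model of the DRPS:Role_A policy set from the quoted message.
# Assumption: Indeterminate results are not modelled.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def deny_overrides(decisions):
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def permit_overrides(decisions):
    """Any Permit wins; otherwise any Deny; otherwise NotApplicable."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA

# Constructed sample permissions as (resource, action) pairs.
DNPPS_ROLE_A = {("payroll", "delegate")}                           # negative
DPPPS_ROLE_A = {("report", "delegate"), ("payroll", "delegate")}   # positive

def dnpps(request):
    key = (request["resource"], request["action"])
    return DENY if key in DNPPS_ROLE_A else NA

def dppps(request):
    key = (request["resource"], request["action"])
    return PERMIT if key in DPPPS_ROLE_A else NA

def deny_policy(request):
    # The general DenyPolicy: applicable to everything, always Deny.
    return DENY

def drps_role_a(request):
    # <Target>: the <Delegate> match requires role == "Role_A".
    if request["delegate_role"] != "Role_A":
        return NA
    # Inner set DPPPS:for:Role_A (permit-overrides): a positive permission
    # wins, otherwise the DenyPolicy fallback applies.
    inner = permit_overrides([dppps(request), deny_policy(request)])
    # Outer set (deny-overrides): a negative permission beats any Permit.
    return deny_overrides([dnpps(request), inner])

if __name__ == "__main__":
    for role, res in [("Role_A", "report"), ("Role_A", "payroll"),
                      ("Role_A", "audit"), ("Role_B", "report")]:
        req = {"delegate_role": role, "resource": res, "action": "delegate"}
        print(role, res, "->", drps_role_a(req))
```

In this model a permission listed in both sets is denied, and a Role_A delegate never receives NotApplicable because the DenyPolicy fallback makes the inner set always return Permit or Deny.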




