xacml-dev message



Subject: Questions about RBAC profile of XACML


Hi all

I am currently working with XACML for demonstration purposes, and more precisely with the RBAC profile of XACML.
In our use case, we have to write some rules based on the user's role and other attributes. For the moment, we use the RBAC profile for the elaboration of policies (one PPS and one RPS for each role).

The RBAC profile is only used in order to have a hierarchy between roles.

In our case, the rules are not only based on user roles. This means that we have to write some rules that say, for example:
In order to perform an action on a resource, you need to be a "Manager" (subject-role) OR to be an "Employee" (subject-role) AND to be located in "Paris" (subject-localisation). Moreover, I have a role hierarchy that describes, for example, that the role "Boss" is superior to the role "Manager".
In this case, only "Manager" and "Boss" can perform the action, while "Employees" need to be located in Paris.

In order to write this rule with the RBAC profile, I need to add two rules: one in the PPS for Manager and another in the Employee PPS, where I need to add an additional condition for the location.
In my opinion, the RBAC profile can be very difficult to manage in the case where you have many roles with a hierarchy and when your rules are not only role-centric.

I would like to know if some of you use this profile? Have you ever encountered this kind of rule?

Is it possible to implement the notion of a role hierarchy with ABAC policies?

For example, would it be possible to have a particular attribute finder that was in charge of:

1 - Retrieving the user's roles
2 - Retrieving the role hierarchy (moreover, the hierarchy could be declared in another Role Management system)
3 - Returning a bag that contains all the roles junior to the user's roles

With this implementation, it would be possible to have a rule condition like this:

<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <!-- Branch 1: "supervisor" is a member of the bag produced by the attribute finder.
             string-is-in takes (string, bag-of-string) and returns a boolean, so it is used
             directly rather than wrapped in string-equal. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">supervisor</AttributeValue>
            <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="subject-role-hierarchy-bag" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Apply>
        <!-- Branch 2: "employee" is in the bag AND the subject's single localisation value is "Paris". -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</AttributeValue>
                <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="subject-role-hierarchy-bag" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Paris</AttributeValue>
                <!-- string-one-and-only yields Indeterminate when the localisation bag is empty
                     or holds more than one value, so a missing attribute does not silently Deny. -->
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="localisation" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </Apply>
            </Apply>
        </Apply>
    </Apply>
</Condition>

I hope I was clear in my description.

Thanks for your time.

Romain
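As an added illustration, not part of Romain's message, the following Python sketch shows the attribute-finder idea from steps 1-3 (expand a user's roles to the bag of all junior roles, including the user's own roles so that `string-is-in` can match them) and how a PDP would evaluate the posted condition against that bag. The role names, the hierarchy and the subject attributes are constructed for the example and follow the posted XML ("supervisor" where the prose says "Manager"); the `and`/`or` helpers reproduce the XACML three-valued semantics, so a subject with no `localisation` attribute (MustBePresent="false", then `string-one-and-only` on an empty bag) produces Indeterminate rather than a plain False.

```python
"""Role-hierarchy attribute finder plus three-valued evaluation of the posted condition.

Constructed example: nothing here is a real XACML engine or a real deployment.
Indeterminate is modelled as None, True/False as Python booleans.
"""
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Constructed hierarchy: senior role -> roles directly junior to it.
ROLE_HIERARCHY: Dict[str, Set[str]] = {
    "boss": {"supervisor"},
    "supervisor": {"employee"},
    "employee": set(),
}


def junior_roles(roles: Iterable[str], hierarchy: Dict[str, Set[str]]) -> FrozenSet[str]:
    """What the attribute finder would return as 'subject-role-hierarchy-bag':
    the user's own roles plus every role reachable below them (transitive closure).
    The visited set guarantees termination even if the hierarchy data contains a cycle."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(hierarchy.get(role, ()))
    return frozenset(seen)


# --- XACML 1.0/2.0 function semantics needed by the condition -------------------

def xacml_and(*args: Optional[bool]) -> Optional[bool]:
    """False if any argument is False; else Indeterminate if any is Indeterminate; else True."""
    if any(a is False for a in args):
        return False
    if any(a is None for a in args):
        return None
    return True


def xacml_or(*args: Optional[bool]) -> Optional[bool]:
    """True if any argument is True; else Indeterminate if any is Indeterminate; else False."""
    if any(a is True for a in args):
        return True
    if any(a is None for a in args):
        return None
    return False


def string_one_and_only(bag: FrozenSet[str]) -> Optional[str]:
    """Indeterminate unless the bag holds exactly one value."""
    return next(iter(bag)) if len(bag) == 1 else None


def string_equal(a: Optional[str], b: Optional[str]) -> Optional[bool]:
    """Indeterminate propagates if either operand is Indeterminate."""
    if a is None or b is None:
        return None
    return a == b


def evaluate_condition(subject: Dict[str, FrozenSet[str]]) -> Optional[bool]:
    """Evaluate: string-is-in("supervisor", bag)
                 OR ( string-is-in("employee", bag) AND string-equal("Paris", one-and-only(localisation)) )
    A missing attribute is an empty bag, as with MustBePresent="false"."""
    hierarchy_bag = junior_roles(subject.get("subject-role", frozenset()), ROLE_HIERARCHY)
    location_bag = subject.get("localisation", frozenset())
    return xacml_or(
        "supervisor" in hierarchy_bag,
        xacml_and(
            "employee" in hierarchy_bag,
            string_equal("Paris", string_one_and_only(location_bag)),
        ),
    )


if __name__ == "__main__":
    boss_in_lyon = {"subject-role": frozenset({"boss"}), "localisation": frozenset({"Lyon"})}
    employee_in_paris = {"subject-role": frozenset({"employee"}), "localisation": frozenset({"Paris"})}
    employee_no_location = {"subject-role": frozenset({"employee"})}
    for name, subj in [("boss in Lyon", boss_in_lyon),
                       ("employee in Paris", employee_in_paris),
                       ("employee, no localisation", employee_no_location)]:
        print(f"{name}: {evaluate_condition(subj)}")
```

The bag returned by `junior_roles` is what the two `string-is-in` branches consume, so a "boss" satisfies the first branch without any location check, exactly as the hierarchy in the question requires; an "employee" with no `localisation` value ends as Indeterminate, which is worth deciding on explicitly in the enclosing rule/policy combining algorithm rather than letting it surface as NotApplicable.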

