
xacml-users message



Subject: Re: [xacml-users] XACML Samples


I don't know if you're understanding me.
Suppose this example:
A guard or director can open a door anytime he wants.
The door should be locked to all employees between 6pm and 6am.
If the guard wants to open the door by night, he couldn't if we have
deny overrides. And a director can open it if we have permit overrides.
But in an enterprise we should know about these situations and detect
them, because it could be critical, especially in complex policies where
these kinds of situations are less obvious.
What I want to verify is not the language itself but the policies.

Kuketayev, Argyn wrote:

>>-----Original Message-----
>>From: Mahdi Mankai [mailto:manm08@uqo.ca]
>>Sent: Tuesday, October 12, 2004 4:01 PM
>>To: xacml-users@lists.oasis-open.org
>>Subject: Re: [xacml-users] XACML Samples
>
>[skip]
>
>>Example: if a rule allows me to access a resource and
>>another one denies me. Combining algorithms resolve this kind
>>of problem, but it could be a
>>source of conflict with unsuitable access rights.
>
>I'm addressing this problem with "unit tests". I write lots of tests to
>check that rights are granted properly.
>
>For example, there's a set of tests for Module1 resources which should
>all grant access. I call them "normal scenarios". Basically, my code
>asks to execute different actions on different resources on behalf of a
>subject, which should be granted these rights.
>
>Then there are "exception scenarios", where an "improper subject" asks for
>the same rights. In this case the requests must be denied.
>
>Whenever there's any change in policies, all these tests must be
>executed successfully. I don't think there's a better way to achieve your
>objectives.
>
>Thanks,
>
>Argyn
>

-- 
Mahdi MANKAI
Master Student
Université du Québec en Outaouais
Local B-2003
Tel. (819) 595 3900 Ext. 1705
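
Added example, not part of the original thread and not code from either poster: a small Python model of the door policy discussed above. It runs scenario tests in the style described in the quoted reply and also enumerates every request where one rule permits and another denies, so the combining algorithm alone decides the outcome. The role names, the 24-hour clock, all function names, and the simplified deny-overrides/permit-overrides logic (no Indeterminate handling) are assumptions made for illustration.

```python
from itertools import product

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Constructed rules modelling the door example from the message.
def staff_rule(role, hour):
    """A guard or director can open the door at any time."""
    return PERMIT if role in ("guard", "director") else NA

def night_lock_rule(role, hour):
    """The door is locked to all employees between 6pm and 6am."""
    return DENY if (hour >= 18 or hour < 6) else NA

RULES = [staff_rule, night_lock_rule]

def combine(effects, algorithm):
    """Simplified combining: the overriding effect wins if any rule returns it."""
    winner, loser = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    if winner in effects:
        return winner
    return loser if loser in effects else NA

def evaluate(role, hour, algorithm):
    return combine([rule(role, hour) for rule in RULES], algorithm)

def find_conflicts(roles, hours):
    """Requests where applicable rules disagree (one Permit, one Deny)."""
    conflicts = []
    for role, hour in product(roles, hours):
        effects = {rule(role, hour) for rule in RULES}
        if PERMIT in effects and DENY in effects:
            conflicts.append((role, hour))
    return conflicts

# Intended outcomes (constructed): two "normal" scenarios, one "exception" scenario.
EXPECTED = [("guard", 23, PERMIT), ("director", 2, PERMIT), ("employee", 23, DENY)]

def failed_scenarios(algorithm):
    """Scenario tests whose decision differs from the intended outcome."""
    return [(role, hour) for role, hour, want in EXPECTED
            if evaluate(role, hour, algorithm) != want]

if __name__ == "__main__":
    for alg in ("deny-overrides", "permit-overrides"):
        print(alg, "failed scenarios:", failed_scenarios(alg))
    found = find_conflicts(["guard", "director", "employee"], range(24))
    print(len(found), "conflicting requests, e.g.", found[:3])
```

The scenario tests only catch the cases someone thought to write down; the conflict enumeration reports every request in the modelled space where the result depends on the combining algorithm.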



