xacml-users message


Subject: RE: [xacml-users] XACML Samples


I'm not talking about "the language" itself. I'm proposing to develop a set of "unit" tests for your policies, the same way as we do jUnit tests for our Java applications. They are not there to test the Java language; they are there to test the correctness of our code.


> -----Original Message-----
> From: Mahdi Mankai [mailto:manm08@uqo.ca] 
> Sent: Tuesday, October 12, 2004 5:12 PM
> To: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] XACML Samples
> 
> 
> I don't know if you're understanding me?
> Suppose that example:
> A guard or director can open a door anytime he wants.
> The door should be locked to all employees between 6pm and
> 6am. If the guard wants to open the door by night he couldn't
> if we have deny overrides. And a director can open it if we
> have permit overrides. But in an enterprise we should know
> about these situations and detect them because it could be
> critical, especially in complex policies where these kinds of
> situations are less obvious.
> What I want to verify is not the language itself but the policies.
> 
> Kuketayev, Argyn wrote:
> 
> >  
> >
> >>-----Original Message-----
> >>From: Mahdi Mankai [mailto:manm08@uqo.ca]
> >>Sent: Tuesday, October 12, 2004 4:01 PM
> >>To: xacml-users@lists.oasis-open.org
> >>Subject: Re: [xacml-users] XACML Samples
> >>    
> >>
> >
> >[skip]
> >
> >  
> >
> >>Example: if a rule allows me to access a resource and
> >>another one denies me. Combining algorithms resolve this kind
> >>of problem but it could be a
> >>source of conflict with unsuitable access rights.
> >>    
> >>
> >
> >I'm addressing this problem with "unit tests". I write lots of tests to
> >check that rights are granted properly.
> >
> >For example, there's a set of tests for Module1 resources which should
> >all grant access. I call them "normal scenarios". Basically, my code
> >asks to execute different actions on different resources on behalf of a
> >subject, which should be granted these rights.
> >
> >Then there's "exception scenarios", where an "improper subject" asks for the
> >same rights. In this case the requests must be denied.
> >
> >Whenever there's any change in policies, all these tests must be
> >executed successfully. I don't think there's a better way to achieve your
> >objectives.
> >
> >Thanks,
> >
> >Argyn
> >
> >  
> >
> 
> -- 
> Mahdi MANKAI
> Master Student
> Université du Québec en Outaouais
> Local B-2003
> Tel. (819) 595 3900 Ext. 1705
> 
> 
> 
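
The policy "unit tests" discussed in this thread, applied to the door scenario, as an added example that is not part of the original messages: a simplified Python model of rule combining (not a XACML engine; Indeterminate results are not modelled). The role names, the assumption that guards and directors are also employees, and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
# Which effect wins a conflict under each rule-combining algorithm.
OVERRIDING = {"deny-overrides": DENY, "permit-overrides": PERMIT}

@dataclass(frozen=True)
class Request:
    roles: frozenset
    action: str
    hour: int  # 0-23, local time

@dataclass(frozen=True)
class Rule:
    effect: str
    applies: Callable[[Request], bool]

def is_night(hour: int) -> bool:
    return hour >= 18 or hour < 6  # 6pm to 6am

# Constructed model of the two door rules from the thread.
DOOR_RULES = [
    Rule(PERMIT, lambda r: r.action == "open" and bool(r.roles & {"guard", "director"})),
    Rule(DENY, lambda r: r.action == "open" and "employee" in r.roles and is_night(r.hour)),
]

def evaluate(rules, request, combining):
    """Combine the effects of all applicable rules (unknown algorithm: KeyError)."""
    winner = OVERRIDING[combining]
    effects = {rule.effect for rule in rules if rule.applies(request)}
    if not effects:
        return NOT_APPLICABLE
    return winner if winner in effects else next(iter(effects))

# (name, request, expected decision). Assumption: guards and directors are employees too.
CASES = [
    ("guard at 23:00", Request(frozenset({"employee", "guard"}), "open", 23), PERMIT),
    ("director at 02:00", Request(frozenset({"employee", "director"}), "open", 2), PERMIT),
    ("guard at 10:00", Request(frozenset({"employee", "guard"}), "open", 10), PERMIT),
    ("employee at 23:00", Request(frozenset({"employee"}), "open", 23), DENY),
]

def run_suite(combining):
    """Return the names of cases whose decision differs from the expected one."""
    return [name for name, req, expected in CASES
            if evaluate(DOOR_RULES, req, combining) != expected]

if __name__ == "__main__":
    for algorithm in OVERRIDING:
        print(algorithm, "failures:", run_suite(algorithm) or "none")
```

Re-running the suite after every policy change surfaces a switch of combining algorithm as named failing cases rather than as a silent change in access rights.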
