
xacml-users message


Subject: Access time constraints implementation

I need to implement the following feature: deny access to certain
features of the system to users (based on their RBAC role) at certain

For example, the system should not allow updates of objects of type A to
users with a role ADMIN from July 1 to July 15. There could be several
rules like that for different roles, objects and times.

I have implemented RBAC profile, so theoretically I can add these rules
into my PPS (permission policy set). I'd prefer not to do it, because
RBAC policy sets are very important and require thorough tests. If I
change something there, then the testing is time consuming. Also, these
policies are pretty static, there were no changes for several months. In
contrast, time constraints are dynamic. They can change several times
during one quarter. Therefore, I don't want to mix in "dynamic" rules
and "static" ones.

I was thinking about the following solution, and need an
advice/critique. My current RBAC PDP brings in the policy set with all
applicable policies, then evaluates it against the request. I'll add a
special policy with "dynamic" time constraints. It will contain a set of
"deny" rules to block access to certain features of the system. My new
PDP will create a "wrapper" policy set, which will contain this special
policy and the "old" policy set with "deny-overrides" policy combining
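The wrapper described above, written out as an XACML 3.0 policy set. This is an added example, not code from the poster or from the XACML committee: the PolicySetId/PolicyId values, the `urn:example:resource-type` resource attribute and the 2025 dates are constructed placeholders, and the existing RBAC PPS is pulled in by `PolicySetIdReference` so it is never edited.

```xml
<!-- Wrapper: dynamic time-constraint policy + untouched RBAC PPS, deny-overrides at the top. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="urn:example:wrapper" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Target/>
  <Policy PolicyId="urn:example:time-constraints" Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Target/>
    <!-- Deny: role ADMIN updating resources of type A between July 1 and July 15 (constructed dates). -->
    <Rule RuleId="urn:example:deny-admin-update-A-july" Effect="Deny">
      <Target>
        <AnyOf><AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ADMIN</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="urn:example:resource-type"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
          <!-- A Match evaluates f(AttributeValue, attribute): here 2025-07-01 <= current-date -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2025-07-01</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="true"/>
          </Match>
          <!-- and 2025-07-15 >= current-date; MustBePresent="true" so a missing date is Indeterminate, not a silent miss -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2025-07-15</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
                DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="true"/>
          </Match>
        </AllOf></AnyOf>
      </Target>
    </Rule>
  </Policy>
  <!-- The existing, already-tested RBAC permission policy set is referenced by id, not copied or changed. -->
  <PolicySetIdReference>urn:example:rbac-pps</PolicySetIdReference>
</PolicySet>
```

With deny-overrides at the wrapper, a Deny from the time-constraint policy beats any Permit from the PPS, while outside the window the policy is NotApplicable and the PPS result passes through unchanged.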

