Subject: RBAC Profile for XACML
Hi Seth and all,

I am stuck again in the XACML profile for RBAC. According to RBAC, we have an RPS (Role Policy Set) and a PPPS (Permission Policy Set), where the RPS contains the role definition (RoleName) and references to the PPPS, and the PPPS contains the actual permissions with a rule (if any).

Now consider that I have a Role A which has two permission policy sets associated with it: one Positive Permission Policy Set (PPPS) and one Negative Permission Policy Set (NPPS). The structure of the Role Policy Set is (as you described in one of your emails); this is some simplified XACML:

    <PolicySet PolicySetId="RPS:RoleA" CombiningAlgorithm="deny-overrides">
        <PolicySet CombiningAlgorithm="permit-overrides">
            <PolicySetIdReference>PPPS:RoleA</PolicySetIdReference>
            <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
        </PolicySet>
        <Target> Role Definition </Target>
        <PolicySetIdReference>NPPS:RoleA</PolicySetIdReference>
    </PolicySet>

Now consider that RoleA inherits some permissions from RoleB; therefore, PPPS:RoleA will contain a reference to the PPPS of RoleB (i.e. PPPS:RoleB). If, generally, there is no rule applicable to RoleA in the PPPS of RoleB, a general "DenyPolicy" (from the Role Policy Set) will be applicable, which is not the right behaviour, since RoleA inherits from RoleB, and if there is no rule applicable in the inherited role permission policy set (PPPS:RoleB), it shall give permit (if NPPS:RoleA is not applicable or gives true).

Am I right? If yes, what can the other solutions be?

regards,
Muhammad.
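To make the question concrete, here is an added example (not code from the XACML RBAC profile, from Seth, or from any PDP) that implements the deny-overrides and permit-overrides combining algorithms and evaluates the RPS/PPPS/NPPS layout from the message, with PPPS:RoleA referencing PPPS:RoleB. The role, actions and resource are constructed, and PPPS:RoleA is assumed to use permit-overrides, which the message does not state.

```python
# Added example (not from the XACML RBAC profile or any PDP): a minimal evaluator for
# the two combining algorithms, used to trace the RPS/PPPS/NPPS layout above.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def deny_overrides(decisions):  # any Deny wins, then any Permit, else NotApplicable
    return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NA

def permit_overrides(decisions):  # any Permit wins, then any Deny, else NotApplicable
    return PERMIT if PERMIT in decisions else DENY if DENY in decisions else NA

class PolicySet:
    """PolicySet/Policy with a target test and a combining algorithm. Children are
    nested PolicySets (standing in for <PolicySetIdReference>) or rule functions."""
    def __init__(self, pid, algorithm, children, target=lambda req: True):
        self.pid, self.algorithm, self.children, self.target = pid, algorithm, children, target

    def evaluate(self, req):
        if not self.target(req):
            return NA
        return self.algorithm([c.evaluate(req) if isinstance(c, PolicySet) else c(req)
                               for c in self.children])

def permit_if(action, resource):
    return lambda req: PERMIT if (req["action"], req["resource"]) == (action, resource) else NA

def deny_if(action, resource):
    return lambda req: DENY if (req["action"], req["resource"]) == (action, resource) else NA

# Constructed sample: RoleA adds "write" and inherits RoleB's "read" via a reference.
# PPPS:RoleA is assumed to combine with permit-overrides (the message does not say).
ppps_role_b = PolicySet("PPPS:RoleB", permit_overrides, [permit_if("read", "document")])
ppps_role_a = PolicySet("PPPS:RoleA", permit_overrides, [permit_if("write", "document"), ppps_role_b])
npps_role_a = PolicySet("NPPS:RoleA", deny_overrides, [deny_if("delete", "document")])
deny_policy = PolicySet("DenyPolicy", deny_overrides, [lambda req: DENY])  # denies everything

def build_rps(with_deny_policy=True):
    """RPS:RoleA laid out as in the message; with_deny_policy=False drops DenyPolicy."""
    inner = PolicySet("inner", permit_overrides,
                      [ppps_role_a] + ([deny_policy] if with_deny_policy else []))
    return PolicySet("RPS:RoleA", deny_overrides, [inner, npps_role_a],
                     target=lambda req: req["role"] == "RoleA")

def decide(action, resource, role="RoleA", with_deny_policy=True):
    """Decision of RPS:RoleA for one request (role, action, resource)."""
    req = {"role": role, "action": action, "resource": resource}
    return build_rps(with_deny_policy).evaluate(req)

# Requests not matched by PPPS:RoleA or the inherited PPPS:RoleB reach DenyPolicy:
# decide("print", "document") -> "Deny"; without DenyPolicy -> "NotApplicable"
```

Running `decide` for an action that neither PPPS:RoleA nor PPPS:RoleB mentions shows which element of the layout produces the final Deny, and the `with_deny_policy=False` variant shows the decision that remains once DenyPolicy is removed.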