xacml-users message



Subject: RE: [xacml-dev] RBAC Profile for XACML


Your RPS looks a little unusual to me. My RPSs have only one function,
which is to reference the appropriate PPS. As such they have only the target
(to identify who is assigned this role) and a PolicySet reference to the PPS.

In your case you also have a PolicySet element within the RPS. Please read
the latest RBAC profile doc, ch. 1.5, paragraph 1. This is the excerpt
from the doc:

===
1. Role <PolicySet> or RPS: a <PolicySet> that associates holders of a
given role attribute and value with a Permission <PolicySet> that contains
the actual permissions associated with the given role. The <Target> element
of a Role <PolicySet> limits the applicability of the <PolicySet> to subjects
holding the associated role attribute and value. Each Role <PolicySet>
references a single corresponding Permission <PolicySet> but does not contain
or reference any other <Policy> or <PolicySet> elements.
===

Your RPS doesn't comply with this. Look at the sample RPS and PPS in the
doc.

Thanks,
argyn



> -----Original Message-----
> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at] 
> Sent: Thursday, June 09, 2005 3:56 AM
> To: Seth Proctor; xacml-dev@lists.oasis-open.org; 
> sunxacml-discuss@lists.sourceforge.net; 
> xacml-users@lists.oasis-open.org
> Cc: Seth Proctor
> Subject: [xacml-dev] RBAC Profile for XACML
> 
> 
> Hi Seth and all,
> 
> I am stuck again on the XACML profile for RBAC.
> 
> According to RBAC, we have the RPS (Role Policy Set) and the PPPS
> (Permission Policy Set), where the RPS contains the role definition
> (RoleName) and references to the PPPS, and the PPPS contains the actual
> permissions with a rule (if any).
> Now consider I have a Role A, which has two permissions associated with
> it: one is a Positive Permission Policy Set (PPPS) and one is a
> Negative Permission Policy Set (NPPS).
> 
> The structure of the Role Policy Set is (as you described in one of your
> emails); this is some simplified XACML.
> 
> 
>   <PolicySet PolicySetId="RPS:RoleA"
>              PolicyCombiningAlgId="deny-overrides">
> 
>     <Target>
>       <!-- Role definition: subjects holding role attribute RoleA -->
>     </Target>
> 
>     <PolicySet PolicyCombiningAlgId="permit-overrides">
>       <PolicySetIdReference>PPPS:RoleA</PolicySetIdReference>
>       <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
>     </PolicySet>
> 
>     <PolicySetIdReference>NPPS:RoleA</PolicySetIdReference>
> 
>   </PolicySet>
> 
> 
> Now consider RoleA inherits some permissions from RoleB; therefore,
> PPPS:RoleA will contain a reference to the PPPS of RoleB
> (i.e. PPPS:RoleB). If, generally, there is no rule applicable to RoleA
> in the PPPS of RoleB, a general "DenyPolicy" (from the Role Policy Set)
> will be applicable, which is not the right behaviour, since RoleA
> inherits from RoleB, and if there is no rule applicable in the inherited
> Role permission policy set (PPPS:RoleB), it shall give permit (if
> NPPS:RoleA is not applicable or gives true).
> 
> 
> Am I right?
> If yes, what can the other solutions be?
> 
> 
> regards
> Muhammad.
> 
> 
> 
> 

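The difference between the two RPS shapes discussed above is a matter of how XACML's policy-combining algorithms fold the results of the referenced policy sets. The following is an added example written for this thread, not code from the RBAC profile, from sun-xacml or from either poster. It models only Permit, Deny and NotApplicable decisions (Indeterminate is left out), the XACML 2.0 deny-overrides and permit-overrides policy-combining algorithms, targets, and nesting in place of PolicySetIdReference. The roles, resources and actions are constructed sample data; RoleB may read and print documents, RoleA adds write and inherits RoleB. The first RPS reproduces the posted structure with its catch-all DenyPolicy and NPPS:RoleA; the second follows the quoted profile text, referencing a single PPS and nothing else (where negative permissions then belong is not settled on this page).

```python
"""Toy XACML-style PolicySet evaluator (added example, not from the profile or the thread).

Decisions: Permit / Deny / NotApplicable only.  Combining algorithms follow the
XACML 2.0 policy-combining rules for those three outcomes.  All role, resource
and action names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
Request = Dict[str, str]  # constructed shape: {"role": ..., "resource": ..., "action": ...}


def deny_overrides(decisions: List[str]) -> str:
    """Any Deny wins; otherwise Permit if any Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA


def permit_overrides(decisions: List[str]) -> str:
    """Any Permit wins; otherwise Deny if any Deny; otherwise NotApplicable."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA


COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides}


@dataclass
class Policy:
    """A <Policy> reduced to one effect plus the applicability test of its rule."""
    policy_id: str
    effect: str
    applies: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        return self.effect if self.applies(req) else NA


@dataclass
class PolicySet:
    """A <PolicySet>: a <Target>, a combining algorithm, and child policies or policy sets."""
    policy_set_id: str
    combining: str
    children: List[Union["PolicySet", Policy]] = field(default_factory=list)
    target: Callable[[Request], bool] = lambda req: True  # empty <Target> matches everything

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NA
        return COMBINERS[self.combining]([child.evaluate(req) for child in self.children])


def perm(action: str) -> Callable[[Request], bool]:
    """Rule target: the named action on the constructed 'document' resource."""
    return lambda r: r["resource"] == "document" and r["action"] == action


def always(_: Request) -> bool:
    return True


def role_a(r: Request) -> bool:
    return r["role"] == "RoleA"


# Constructed permissions.  PPPS:RoleA references PPPS:RoleB to model role inheritance.
pps_role_b = PolicySet("PPPS:RoleB", "permit-overrides",
                       [Policy("B:read", PERMIT, perm("read")),
                        Policy("B:print", PERMIT, perm("print"))])
pps_role_a = PolicySet("PPPS:RoleA", "permit-overrides",
                       [Policy("A:write", PERMIT, perm("write")), pps_role_b])
deny_policy = Policy("DenyPolicy", DENY, always)  # the catch-all deny from the posted RPS
npps_role_a = PolicySet("NPPS:RoleA", "deny-overrides",
                        [Policy("A:no-print", DENY, perm("print"))])

# Structure as posted: the RPS itself contains a permit-overrides PolicySet holding
# PPPS:RoleA and the catch-all DenyPolicy, plus a reference to NPPS:RoleA.
rps_as_posted = PolicySet("RPS:RoleA", "deny-overrides",
                          [PolicySet("inner", "permit-overrides", [pps_role_a, deny_policy]),
                           npps_role_a],
                          target=role_a)

# Structure per the quoted profile text: target on the role, one PPS reference, nothing else.
rps_per_profile = PolicySet("RPS:RoleA", "deny-overrides", [pps_role_a], target=role_a)


def decide(rps: PolicySet, role: str, action: str) -> str:
    """Evaluate a constructed request for `action` on 'document' by a holder of `role`."""
    return rps.evaluate({"role": role, "resource": "document", "action": action})


if __name__ == "__main__":
    for action in ("read", "write", "delete", "print"):
        print(f"{action:6s} posted={decide(rps_as_posted, 'RoleA', action):14s}"
              f"profile={decide(rps_per_profile, 'RoleA', action)}")
```

Running it shows the effect the question describes: for an action that no rule in PPPS:RoleA or the inherited PPPS:RoleB covers ("delete"), the posted structure returns Deny because DenyPolicy fires inside the permit-overrides set and deny-overrides then propagates it, while the profile-shaped RPS returns NotApplicable and leaves the final outcome to the PDP's handling of NotApplicable. Inherited permissions ("read") are permitted in both shapes, and a request from a subject not holding RoleA never matches the RPS target at all.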
