Subject: RE: [xacml-dev] RBAC Profile for XACML
Your RPS looks a little unusual to me. My RPSs have only one function, which is to reference the appropriate PPS. As such they have only the target (to identify who's assigned this role) and a policyset reference to the PPS. In your case you also have a PolicySet element within the RPS. Please read the latest RBAC profile doc ch. 1.5 paragraph 1. This is the excerpt from the doc:

===
1. Role <PolicySet> or RPS: a <PolicySet> that associates holders of a given role attribute and value with a Permission <PolicySet> that contains the actual permissions associated with the given role. The <Target> element of a Role <PolicySet> limits the applicability of the <PolicySet> to subjects holding the associated role attribute and value. Each Role <PolicySet> references a single corresponding Permission <PolicySet> but does not contain or reference any other <Policy> or <PolicySet> elements.
===

Your RPS doesn't comply with this. Look at the sample RPS and PPS in the doc.

Thanks,
argyn

> -----Original Message-----
> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at]
> Sent: Thursday, June 09, 2005 3:56 AM
> To: Seth Proctor; xacml-dev@lists.oasis-open.org; sunxacml-discuss@lists.sourceforge.net; xacml-users@lists.oasis-open.org
> Cc: Seth Proctor
> Subject: [xacml-dev] RBAC Profile for XACML
>
> Hi Seth and all,
>
> I am stuck again in the XACML profile for RBAC.
>
> According to RBAC, we have RPS (Role Policy Set) and PPPS (Permission Policy Set), where RPS contains the role definition (RoleName) and references to PPPS, and PPPS contains the actual permission with a rule (if any).
> Now consider I have a Role A, which has two permissions associated with it: one is a Positive Permission Policy Set (PPPS) and one is a Negative Permission Policy Set (NPPS).
>
> The structure of the Role Policy Set is (as you described in one of your emails); this is some simplified XACML:
>
> <PolicySet PolicySetId="RPS:RoleA" Combining Algorithm = "deny-overrides">
>   <PolicySet Combining Algorithm = "permit-overrides">
>     <PolicySetIdReference>PPPS:RoleA</PolicySetIdReference>
>     <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
>   </PolicySet>
>   <Target>
>     Role Definition
>   </Target>
>   <PolicySetIdReference>NPPS:RoleA</PolicySetIdReference>
> </PolicySet>
>
> Now consider RoleA inherits some permissions from RoleB; therefore, the PPPS:RoleA will contain a reference to the PPPS of RoleB (i.e. PPPS:RoleB). If, generally, there is no rule applicable to RoleA in the PPPS of RoleB, a general "DenyPolicy" (from the Role Policy Set) will be applicable, which is not the right behaviour, since RoleA inherits from RoleB, and if there is no rule applicable in the inherited Role permission policy set (PPPS:RoleB), it shall give permit (if NPPS:RoleA is not applicable or gives true).
>
> Am I right??
> If yes, what can be the other solutions?
>
> regards
> Muhammad.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
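The RPS/PPS split that argyn describes, and the role-inheritance case Muhammad asks about, can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from the XACML RBAC profile, from sunxacml, or from either poster. The dict-based policy store, the PolicySetId values (RPS:RoleA, PPS:RoleB, Policy:RoleA-perms), the resources and actions, and the choice of a deny-overrides root over all RPSs are all assumptions made for the example. Each RPS has only a role Target and one reference to its PPS; hierarchy is expressed by PPS:RoleA referencing PPS:RoleB, so a subject holding RoleA inherits RoleB's permissions without any catch-all DenyPolicy inside the RPS.

```python
"""
Minimal model of the XACML RBAC profile's Role PolicySet (RPS) and
Permission PolicySet (PPS) structure. Added example for this thread, not
spec or sunxacml code. Indeterminate results and obligations are omitted;
only Permit / Deny / NotApplicable are modelled.
"""

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def deny_overrides(results):
    """XACML deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def permit_overrides(results):
    """XACML permit-overrides: any Permit wins, else any Deny, else NotApplicable."""
    if PERMIT in results:
        return PERMIT
    if DENY in results:
        return DENY
    return NOT_APPLICABLE


COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides}

# Constructed policy store, keyed by PolicySetId / PolicyId (all ids assumed).
# An RPS carries only a role Target and ONE reference to its PPS.
# A PPS carries the role's own permissions and, for role hierarchy, a
# reference to the PPS of the role it inherits from. PPSs have no role
# Target, so they are reachable only through an RPS.
POLICIES = {
    "RPS:RoleA": {"kind": "policyset", "target_role": "RoleA",
                  "combining": "permit-overrides",
                  "children": ["PPS:RoleA"]},
    "RPS:RoleB": {"kind": "policyset", "target_role": "RoleB",
                  "combining": "permit-overrides",
                  "children": ["PPS:RoleB"]},
    "PPS:RoleA": {"kind": "policyset", "target_role": None,
                  "combining": "permit-overrides",
                  "children": ["Policy:RoleA-perms", "PPS:RoleB"]},
    "PPS:RoleB": {"kind": "policyset", "target_role": None,
                  "combining": "permit-overrides",
                  "children": ["Policy:RoleB-perms"]},
    # Leaf policies: the set of (resource, action) pairs they permit.
    "Policy:RoleA-perms": {"kind": "policy", "permit": {("budget", "approve")}},
    "Policy:RoleB-perms": {"kind": "policy", "permit": {("budget", "read")}},
}


def evaluate(policy_id, request, store=POLICIES):
    """Evaluate one PolicySet or Policy against a request dict
    {"roles": set, "resource": str, "action": str}."""
    node = store[policy_id]
    if node["kind"] == "policy":
        key = (request["resource"], request["action"])
        return PERMIT if key in node["permit"] else NOT_APPLICABLE
    # PolicySet: Target check on the role attribute, then combine children.
    if node["target_role"] is not None and node["target_role"] not in request["roles"]:
        return NOT_APPLICABLE
    results = [evaluate(child, request, store) for child in node["children"]]
    return COMBINERS[node["combining"]](results)


def decide(request, store=POLICIES):
    """Root decision: combine every RPS with deny-overrides (assumed root
    PolicySet). NotApplicable at the root is what a PEP treats as no access."""
    rps_ids = [pid for pid, node in store.items()
               if node["kind"] == "policyset" and node["target_role"] is not None]
    return deny_overrides([evaluate(pid, request, store) for pid in rps_ids])


if __name__ == "__main__":
    # RoleA inherits RoleB's read permission via PPS:RoleA -> PPS:RoleB.
    print(decide({"roles": {"RoleA"}, "resource": "budget", "action": "read"}))
    # RoleB alone does not acquire RoleA's approve permission.
    print(decide({"roles": {"RoleB"}, "resource": "budget", "action": "approve"}))
```

Because the PPS has no role Target, a request is only routed into it through an RPS whose Target matched, which is why the profile says the RPS must reference exactly one PPS and nothing else: every deny or permit decision lives in the permission side, and a request with no matching permission simply falls out as NotApplicable rather than being forced to Deny by a catch-all inside the RPS.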