xacml-users message



Subject: XACML Profile for RBAC


Hi Anne,
(I just got your email while composing mine, so the Deny Policy is not a 
problem at all; I can remove it. It was there to simplify administration, i.e. 
if none of the positive permissions return true, don't care about the negative 
Policy Sets (and Seth gave this solution on the list). I remove my 
negative permission or general Deny Policy, but the problem is still not 
solved; see this email please.)


So let me tell you the background again.

A senior Role inherits a permission from a Junior Role "without" the 
constraints which are specified for the Junior Role (unless explicitly 
specified). (This is what I think up until now.)
If we say "A senior role inherits a permission from a Junior Role 'with' the 
constraints which are specified for the Junior Role", then for simple 
constraints, e.g. Date, Time values, it makes sense, but it does not make 
sense for the constraints explicitly specified only for the Junior Role. 
(Agreed??)
My Role Policy Set (Argyn, it is the same as the profile; only a reference to a 
negative policy is included, plus a general Deny Policy to enforce the 
priority of Negative Permissions, ok?)

<PolicySet PolicySetId="RPS:managerRole" PolicyCombiningAlgId="deny-overrides">
    <Target>
        <!-- Role Definition -->
    </Target>
    <PolicySet PolicyCombiningAlgId="permit-overrides">
        <PolicySetIdReference>PPPS:managerRole</PolicySetIdReference>
        <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
        <!-- Think of it as not present; we can remove it, no problem at all -->
    </PolicySet>
    <PolicySetIdReference>NPPS:managerRole</PolicySetIdReference>
    <!-- This is a Negative Permission Policy reference; we can also remove it, no problem at all -->
</PolicySet>


First Permission Policy Set for managerRole:

<PolicySet PolicySetId="PPPS:managerRole" PolicyCombiningAlgId="permit-overrides">
    <Policy PolicyId="Permissions:for:Role:managerRole" RuleCombiningAlgId="permit-overrides">
        <Rule Effect="Permit">
            <Condition>
                <!-- A simple authorization constraint based on time/date -->
            </Condition>
        </Rule>
    </Policy>
    <PolicySetIdReference>PPPS:employeeRole</PolicySetIdReference>
</PolicySet>

2nd PPS for employee:

<PolicySet PolicySetId="PPPS:employeeRole" PolicyCombiningAlgId="permit-overrides">
    <Policy PolicyId="Permissions:for:Role:employeeRole" RuleCombiningAlgId="permit-overrides">
        <Rule Effect="Permit">
            <Condition>
                <!-- Complex authorization constraint based on some attributes from the database, for the Role Employee only -->
            </Condition>
        </Rule>
    </Policy>
</PolicySet>

Now, consider that the Authorization constraint specified in the 
"PPPS:employeeRole" is not a simple authorization constraint; I mean one which 
refers to some database values, for employeeRole only. Now, as there is no 
Target (stated by the RBAC Profile) in lines 194-197, 
what will be the result of this rule, as ManagerRole does not possess the 
attributes specified in the Authorization constraint of the 
"PPPS:EmployeeRole"? If the result is NotApplicable, the behaviour is not 
consistent with the Profile.
If the result is NotApplicable: "Do we have to put some Rules again in 
the PPS (of the junior Role) to mention that if none of the rules are 
applicable then the result will be Permit (since the senior role inherits the 
permissions of the junior role)?" Otherwise, if we don't put any rule 
explicitly, the problem is that there is a general DenyPolicy (see above RPS) 
in the RPS, which will make the whole result Deny if the result is 
Deny/NotApplicable.

My proposed solution:


e.g.
<PolicySet PolicySetId="PPPS:employeeRole" PolicyCombiningAlgId="permit-overrides">
    <Policy PolicyId="Permissions:for:Role:employeeRole" RuleCombiningAlgId="permit-overrides">
        <Rule RuleId="1" Effect="Permit">
            <Target>
                <!-- Role Name (of the senior Role, e.g. ManagerRole) -->
            </Target>
        </Rule>
        <Rule RuleId="2" Effect="Permit">
            <Condition>
                <!-- Complex authorization constraint based on some attributes from the database, for the Role Employee only -->
            </Condition>
        </Rule>
    </Policy>
</PolicySet>



Now one rule is for all the senior Roles, and the other Rule is only for the Employee Role??

Makes sense??

regards
Muhammad.
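As an added example, not part of Muhammad's message: a small Python simulation of the permit-overrides and deny-overrides combining algorithms over the policy tree he sketches above. Roles, attribute names and the time window are constructed, Indeterminate is not modelled, and the NPPS:managerRole reference is left out. It shows that a manager request outside the time window falls through PPPS:employeeRole as NotApplicable, that the always-Deny policy turns this into Deny, and that his proposed senior-role rule turns it into Permit.

```python
# Constructed simulation of XACML 2.0 combining algorithms (not a real PDP).
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def permit_overrides(results):
    return PERMIT if PERMIT in results else DENY if DENY in results else NA

def deny_overrides(results):
    return DENY if DENY in results else PERMIT if PERMIT in results else NA

def rule(effect, applies):
    """A Rule returns its Effect when Target and Condition hold, else NotApplicable."""
    return lambda req: effect if applies(req) else NA

def policy_set(combine, children):
    """A PolicySet/Policy combines the results of its children with one algorithm."""
    return lambda req: combine([child(req) for child in children])

def build_employee_pps(senior_roles=()):
    """PPPS:employeeRole: a Permit guarded by an attribute only employees carry
    (constructed: 'department'), plus, for the proposed solution, one Permit
    whose Target is each listed senior role name."""
    rules = [rule(PERMIT, lambda r: r.get("department") == "sales")]
    rules += [rule(PERMIT, lambda r, s=s: r.get("role") == s) for s in senior_roles]
    return policy_set(permit_overrides, rules)

def build_manager_rps(employee_pps, with_deny_policy):
    """RPS:managerRole: deny-overrides around a permit-overrides set holding
    PPPS:managerRole (time rule + reference to PPPS:employeeRole) and,
    optionally, the general always-Deny policy."""
    manager_pps = policy_set(permit_overrides, [
        rule(PERMIT, lambda r: 9 <= r.get("hour", -1) < 17),  # simple time constraint
        employee_pps,                                          # PolicySetIdReference
    ])
    inner = [manager_pps] + ([rule(DENY, lambda r: True)] if with_deny_policy else [])
    return policy_set(deny_overrides, [policy_set(permit_overrides, inner)])

def evaluate(req, with_deny_policy=True, senior_roles=()):
    """Decision of RPS:managerRole for a request context (a dict of attributes)."""
    return build_manager_rps(build_employee_pps(senior_roles), with_deny_policy)(req)

if __name__ == "__main__":
    manager_after_hours = {"role": "manager", "hour": 20}
    print(evaluate(manager_after_hours))                            # Deny
    print(evaluate(manager_after_hours, with_deny_policy=False))    # NotApplicable
    print(evaluate(manager_after_hours, senior_roles=("manager",)))  # Permit
    print(evaluate({"role": "manager", "hour": 10}))                # Permit
```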
