[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML Profile for RBAC
Hi Anne,

(I just got your email while composing my own, so: the Deny Policy is not a problem at all, I can remove it. It was there to simplify administration, i.e. if none of the positive permissions returns true, don't care about the negative Policy Sets (and Seth gave this solution on the list). I remove my negative permission or general Deny Policy, but the problem is still not solved; see this email please.)

So let me tell you the background again.

A senior Role inherits a permission from a Junior Role "without" the constraints which are specified for the Junior Role (unless explicitly specified). (This is what I think up till now.)

If we say "a senior role inherits a permission from a Junior Role "with" the constraints which are specified for the Junior Role", then for simple constraints, e.g. Date, Time values, it makes sense, but it does not make sense for the constraints explicitly specified only for the Junior Role. (Agreed??)

My Role Policy Set (Argyn, it's the same as the profile, only a reference to the negative policy is included plus a general Deny Policy to enforce the priority of Negative Permissions, ok?):
    <PolicySet PolicySetId="RPS:managerRole"
               PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
      <Target> Role Definition </Target>
      <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
        <PolicySetIdReference>PPPS:managerRole</PolicySetIdReference>
        <PolicySetIdReference>DenyPolicy</PolicySetIdReference>
        <!-- Think of it as not present; we can remove it, no problem at all -->
      </PolicySet>
      <PolicySetIdReference>NPPS:managerRole</PolicySetIdReference>
      <!-- This is a Negative Permission Policy reference; we can also remove it, no problem at all -->
    </PolicySet>

First Permission Policy Set for managerRole:

    <PolicySet PolicySetId="PPPS:managerRole"
               PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
      <Policy PolicyId="Permissions:for:Role:managerRole"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Rule Effect="Permit">
          <Condition> A Simple Authorization Constraint based on time/date </Condition>
        </Rule>
      </Policy>
      <PolicySetIdReference>PPPS:employeeRole</PolicySetIdReference>
    </PolicySet>

2nd PPS for employee:

    <PolicySet PolicySetId="PPPS:employeeRole"
               PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
      <Policy PolicyId="Permissions:for:Role:employeeRole"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Rule Effect="Permit">
          <Condition> Complex Authorization Constraint based on some Attributes from Database for the Role Employee only. </Condition>
        </Rule>
      </Policy>
    </PolicySet>

Now, consider that the Authorization constraint specified in "PPPS:employeeRole" is not a simple authorization constraint; I mean one which refers to some database values, for employeeRole only. Now, as there is no Target (as stated by the RBAC Profile in lines 194-197), what will be the result of this rule, as managerRole does not possess the attributes specified in the Authorization constraint of "PPPS:employeeRole"? If the result is NotApplicable, the behaviour is not consistent with the Profile.
If the result is NotApplicable: do we have to put some Rules again in the PPS (of the junior Role) to mention that if none of the rules are applicable then the result will be Permit (since the senior role inherits the permissions of the junior role)? Otherwise, if we don't put any rule explicitly, the problem is that there is a general DenyPolicy (see the RPS above) in the RPS, which will make the whole result Deny if the result is Deny/NotApplicable.

My proposed solution, e.g.:

    <PolicySet PolicySetId="PPPS:employeeRole"
               PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
      <Policy PolicyId="Permissions:for:Role:employeeRole"
              RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Rule RuleId="1" Effect="Permit">
          <Target> Role Name (of the senior Role, e.g. managerRole) </Target>
        </Rule>
        <Rule RuleId="2" Effect="Permit">
          <Condition> Complex Authorization Constraint based on some Attributes from Database for the Role Employee only. </Condition>
        </Rule>
      </Policy>
    </PolicySet>

Now Rule 1 is for all the senior Roles, and Rule 2 is only for the Employee Role?? Makes sense??

regards
Muhammad.
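The combining behaviour the mail is asking about can be checked with a small model of the PolicySet tree. The following is an added example, not code from the mail, the XACML RBAC profile, or any XACML engine: it implements only role-based Targets, Conditions and the permit-overrides / deny-overrides algorithms (Indeterminate, obligations and attribute lookup are left out), and it stands in for the "complex database constraint" with a constructed check for an employee_id attribute that only employees carry. The flags senior_rule and general_deny switch the proposed Rule 1 and the general DenyPolicy on and off, so the four combinations discussed above can be compared for a managerRole request that hits none of the manager's own rules.

```python
"""Toy evaluator for the nested RPS/PPS structure from the mail (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Union

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    roles: Set[str]   # roles the subject has been enabled for
    attrs: dict       # other subject/environment attributes (constructed)


@dataclass
class Rule:
    effect: str
    target_roles: Optional[Set[str]] = None              # None: no Target, matches any request
    condition: Optional[Callable[[Request], bool]] = None


@dataclass
class Policy:
    combining: str
    rules: List[Rule]


@dataclass
class PolicySet:
    combining: str
    children: List[Union["PolicySet", Policy]]
    target_roles: Optional[Set[str]] = None


def combine(alg: str, results: List[str]) -> str:
    """permit-overrides / deny-overrides; Indeterminate is not modelled."""
    order = {"deny-overrides": (DENY, PERMIT), "permit-overrides": (PERMIT, DENY)}[alg]
    for decision in order:
        if decision in results:
            return decision
    return NOT_APPLICABLE


def evaluate(node, req: Request) -> str:
    """Recursive evaluation of a Rule, Policy or PolicySet against a request."""
    if isinstance(node, Rule):
        if node.target_roles is not None and not node.target_roles & req.roles:
            return NOT_APPLICABLE        # Target does not match this subject
        if node.condition is not None and not node.condition(req):
            return NOT_APPLICABLE        # a false Condition yields NotApplicable, never Deny
        return node.effect
    if isinstance(node, PolicySet) and node.target_roles is not None \
            and not node.target_roles & req.roles:
        return NOT_APPLICABLE
    children = node.rules if isinstance(node, Policy) else node.children
    return combine(node.combining, [evaluate(c, req) for c in children])


def build_manager_rps(senior_rule: bool, general_deny: bool) -> PolicySet:
    """RPS:managerRole as sketched in the mail. senior_rule adds the proposed Rule 1
    to PPPS:employeeRole; general_deny keeps the DenyPolicy sibling in the RPS."""
    employee_rules = []
    if senior_rule:
        employee_rules.append(Rule(PERMIT, target_roles={"managerRole"}))   # proposed Rule 1
    # Constructed stand-in for the database-backed employee-only constraint (Rule 2).
    employee_rules.append(Rule(PERMIT, condition=lambda r: "employee_id" in r.attrs))
    ppps_employee = PolicySet("permit-overrides",
                              [Policy("permit-overrides", employee_rules)])
    # PPPS:managerRole: a simple time-of-day constraint plus the reference to the junior PPS.
    ppps_manager = PolicySet("permit-overrides", [
        Policy("permit-overrides",
               [Rule(PERMIT, condition=lambda r: 9 <= r.attrs.get("hour", -1) < 17)]),
        ppps_employee,
    ])
    inner = [ppps_manager]
    if general_deny:
        inner.append(Policy("permit-overrides", [Rule(DENY)]))   # the general DenyPolicy
    return PolicySet("deny-overrides", [PolicySet("permit-overrides", inner)],
                     target_roles={"managerRole"})


def decide(senior_rule: bool, general_deny: bool, req: Request) -> str:
    return evaluate(build_manager_rps(senior_rule, general_deny), req)


# Constructed requests: a manager outside the hours of the manager's own rule, so only
# the permission inherited from employeeRole is at stake; a manager within hours;
# and an employee, whom RPS:managerRole does not target at all.
MANAGER_OFF_HOURS = Request({"managerRole"}, {"hour": 20})
MANAGER_IN_HOURS = Request({"managerRole"}, {"hour": 10})
EMPLOYEE = Request({"employeeRole"}, {"employee_id": "e-123", "hour": 20})

if __name__ == "__main__":
    for senior_rule in (False, True):
        for general_deny in (False, True):
            print(f"senior_rule={senior_rule!s:5} general_deny={general_deny!s:5} "
                  f"-> {decide(senior_rule, general_deny, MANAGER_OFF_HOURS)}")
```

Running it shows the two outcomes the mail predicts: without Rule 1 the employee-only Condition is NotApplicable for the manager, which the general DenyPolicy turns into Deny (and into NotApplicable when that policy is removed); with Rule 1 the inherited permission evaluates to Permit, and under permit-overrides that Permit wins over the sibling Deny.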