xacml-users message

Subject: RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)


> -----Original Message-----
> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at] 
> Sent: Thursday, June 09, 2005 1:18 PM
> To: Kuketayev, Argyn (Contractor); xacml-users@lists.oasis-open.org
> Cc: Seth Proctor; Anne.Anderson@sun.com
> Subject: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
> Dear Argyn, Anne, Seth,
> you are not getting my point at all, the thing is that
> negative permissions
> or policies are not a problem at all, the problem is the
> inheritance of the
> constraints, i.e. if a constraint is specified for a junior
> role, does this
> apply to the senior role as well or not ??

I think that the issue is that you are trying to put a "constraint" in
PPS, which is effectively tied to a role. I think that it's "slightly"
incompatible with the RBAC profile. Why? Look at ch. 1.5, paragraph 2,
here's an excerpt:

The <Target> element of a Permission <PolicySet>, if present,
must not limit the subjects to which the <PolicySet> is applicable.

OK, you are not putting this "constraint" into the target, but still
your PPS indirectly refers to the subject's role, i.e. limits the
applicable subjects similarly as if it were in the target. I think that
one should avoid this type of condition in PPS.
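
The point made in the reply above, as an added example that is not part of the original message: a small Python lint that flags a Permission <PolicySet> whose <Target> lists subjects, or whose <Condition> tests the subject's role. It assumes XACML 2.0 syntax and the role attribute identifier of the XACML 2.0 RBAC profile; the sample policy, its identifiers and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: role attribute id as used by the XACML 2.0 RBAC profile.
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"

# Constructed sample PPS: the Target is empty, but the rule's Condition
# still tests the subject's role, which is the case the reply objects to.
SAMPLE_PPS = """<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicySetId="PPS:junior:role"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target/>
  <Policy PolicyId="Permissions:junior"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <Rule RuleId="approve-small-orders" Effect="Permit">
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:example:role:junior</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </Apply>
      </Condition>
    </Rule>
  </Policy>
</PolicySet>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def lint_pps(xml_text):
    """Return (owner id, finding) pairs for subject limits inside a PPS."""
    findings = []

    def walk(elem, owner, context):
        name = local(elem.tag)
        if name in ("PolicySet", "Policy", "Rule"):
            owner = elem.get(name + "Id", "?")      # PolicySetId / PolicyId / RuleId
        elif name in ("Target", "Condition"):
            context = name                           # applies to descendants only
        elif name == "Subjects" and context == "Target":
            findings.append((owner, "target-limits-subjects"))
        elif (name == "SubjectAttributeDesignator" and context == "Condition"
              and elem.get("AttributeId") == ROLE_ATTR):
            findings.append((owner, "condition-tests-role"))
        for child in elem:
            walk(child, owner, context)

    walk(ET.fromstring(xml_text), "?", None)
    return findings
```

The lint only looks at attribute designators; a role test written with an <AttributeSelector> would need its own check.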

