xacml-users message



Subject: RE: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)


Muhammad

Can you give us a use case? What exactly do you want to achieve?

> -----Original Message-----
> From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at] 
> Sent: Thursday, June 09, 2005 1:43 PM
> To: Kuketayev, Argyn (Contractor); xacml-users@lists.oasis-open.org
> Cc: Anne.Anderson@sun.com
> Subject: Re: [xacml-users] RE: latest !!!!!!!!!!!!!!!!!!!!!!!!!!! (with an example)
> 
> if we can specify a condition on date/time then we can specify some other
> condition as well.

True

> if you say, that it is not the best place to specify it, plz guide me where
> i shall put constraints.

You can put date/time or any other constraint in PPS. Imho, the issue is
when you try to put a condition into PPS which is based on the subject's
role. Suppose, there's a role A, and this role has some date/time based
condition in the rule. In this case PPS for role A shouldn't be based on
a role attribute of the subject, like "for role A deny any action at day
time". The PPS should have something like "deny any action at day time".
If the subject has role A, then PDP will use RPS for role A to get to
PPS for role A, then this date/time based condition will be evaluated.

In this case, if you had an RPS for role B, which refers to PPS for role
A, the date/time based condition will still work. Unlike the condition
"for role A deny any action at day time", which won't work because the
subject doesn't have role A, it has role B.

Thanks,
Argyn
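
The following Python model is an added illustration of the point made in this message and is not part of the original thread or a real XACML PDP. It compares a PPS for role A whose deny rule is role-independent with one whose deny rule tests for role A, when an RPS for role B also refers to that PPS; the permit rule, the 08:00-18:00 definition of day time, and deny-overrides combining are assumptions.

```python
from datetime import time

DAY_START, DAY_END = time(8, 0), time(18, 0)  # constructed definition of "day time"

def is_daytime(req):
    return DAY_START <= req["time"] < DAY_END

def permit_any_action(req):
    # Constructed permission so that a skipped Deny shows up as a Permit.
    return "Permit"

def deny_daytime(req):
    # Role-independent condition: "deny any action at day time".
    return "Deny" if is_daytime(req) else None

def deny_daytime_for_role_a(req):
    # Role-based condition: "for role A deny any action at day time".
    return "Deny" if "A" in req["roles"] and is_daytime(req) else None

def build_rps_table(pps_a):
    # RPS for role A refers to PPS A; RPS for role B also refers to PPS A.
    return {"A": [pps_a], "B": [pps_a]}

def evaluate(rps_table, req):
    """Follow each RPS matching the subject's roles to its PPSs and combine
    the rule results with deny-overrides (an assumption of this model)."""
    results = set()
    for role in req["roles"]:
        for pps in rps_table.get(role, []):
            results.update(rule(req) for rule in pps)
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "NotApplicable"

def compare(roles, at):
    """Return (decision with role-independent PPS, decision with role-based PPS)."""
    req = {"roles": roles, "time": at}
    good = build_rps_table([permit_any_action, deny_daytime])
    bad = build_rps_table([permit_any_action, deny_daytime_for_role_a])
    return evaluate(good, req), evaluate(bad, req)

if __name__ == "__main__":
    for roles in (["A"], ["B"]):
        print(roles, "12:00 ->", compare(roles, time(12, 0)))
```

For a subject holding only role B at 12:00, the role-independent PPS yields Deny while the role-based PPS yields Permit, because the role test inside the PPS silently disables the time constraint.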

