
xacml-users message


Subject: RE: [xacml-users] solution !

Hi Muhammad

Constraints on role activation/availability have been discussed within the
RBAC research community.  Perhaps the most widely studied are temporal
constraints introduced by Bertino and her colleagues.

Elisa Bertino, Piero A. Bonatti, Elena Ferrari: TRBAC: A temporal role-based
access control model. ACM Trans. Inf. Syst. Secur. 4(3): 191-233 (2001)

James Joshi, Elisa Bertino, Usman Latif, Arif Ghafoor: A Generalized
Temporal Role-Based Access Control Model. IEEE Trans. Knowl. Data Eng.
17(1): 4-23 (2005).  

This is a temporal model for RBAC which restricts the use of roles to
certain times: the day_shift role can only be activated between the hours
09:00 and 18:00, for example.  Once such constraints are specified, problems
arise with the activation of more senior roles.  I believe the most relevant
problem, with respect to your queries over the last few days, is whether the
manager role, for example, inherits the permissions of the day_shift role
outside the hours 09:00-18:00.  There is no consensus within the academic
community on how these issues should be handled.  They are certainly not
covered in the current ANSI standard nor, by extension, in the XACML profile
for RBAC.

In short, you will have to find your own way to resolve these issues,
perhaps taking inspiration from one of the strategies for dealing with
(temporal) constraints on role usage suggested by Bertino et al.



Dr Jason Crampton
+44 (0)1784 443117
Information Security Group
Royal Holloway, University of London

-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at] 
Sent: 09 June 2005 19:38
To: Anne.Anderson@sun.com
Cc: xacml-users@lists.oasis-open.org
Subject: [xacml-users] solution !


My proposed solution makes sense because of

1. In order to preserve the role hierarchy by means of policy referencing. If
I put <Rule Effect="Permit"/> in the PPS of the junior role with the attribute
for Role in the target, this makes sense to me, only with a problem that the
role will again be specified in the target, although it was specified with the
RPS (senior role).
The problem for me is: does specifying the role again in the PPS make
the specification inconsistent?

Otherwise, your proposed solution does not really make sense at all to me.

I mean, if I opt for your solution, then I lose the role hierarchy by means
of policy referencing.

Comments please.

P.S. Thanks for the valuable comments, this is really elaborating the problem. I
am sure we will find a solution for this problem.
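
The question raised in the reply above (does manager inherit the permissions of day_shift outside 09:00-18:00?) can be made concrete with a small model. This is an added example, not part of either message or of the cited papers; the permission names, the half-open time window and the two strategy names ("unrestricted", "restricted") are assumptions made for illustration.

```python
from datetime import time

# Constructed sample data. Role names and the 09:00-18:00 window come from the
# message; permission names and the hierarchy shape are assumptions.
JUNIORS = {"manager": ["day_shift"], "day_shift": []}   # senior -> direct juniors
PERMISSIONS = {"manager": {"approve_timesheet"}, "day_shift": {"open_till"}}
ENABLED = {"day_shift": (time(9, 0), time(18, 0))}      # absent = always enabled


def is_enabled(role, now):
    """True if the role may be activated at `now` (window is [start, end))."""
    window = ENABLED.get(role)
    if window is None:
        return True
    start, end = window
    return start <= now < end


def effective_permissions(role, now, strategy):
    """Permissions available when `role` is activated at `now`.

    "unrestricted": inherit from every junior, ignoring the junior's window.
    "restricted":   inherit only from juniors that are themselves enabled now.
    """
    if strategy not in ("unrestricted", "restricted"):
        raise ValueError(f"unknown strategy: {strategy!r}")
    if not is_enabled(role, now):
        return set()                       # the role itself cannot be activated
    perms = set(PERMISSIONS.get(role, ()))
    seen, stack = {role}, list(JUNIORS.get(role, ()))
    while stack:
        junior = stack.pop()
        if junior in seen:
            continue
        seen.add(junior)
        if strategy == "restricted" and not is_enabled(junior, now):
            continue                       # cut inheritance through this junior
        perms |= PERMISSIONS.get(junior, set())
        stack.extend(JUNIORS.get(junior, ()))
    return perms


if __name__ == "__main__":
    for strategy in ("unrestricted", "restricted"):
        for now in (time(12, 0), time(20, 0)):
            perms = sorted(effective_permissions("manager", now, strategy))
            print(f"{strategy:12} manager @ {now}: {perms}")
```

The two strategies agree during the shift and diverge only outside it, which is exactly the case the ANSI standard and the XACML RBAC profile leave undefined.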

