Subject: RE: [xacml-users] solution !
Hi Muhammad

Constraints on role activation/availability have been discussed within the RBAC research community. Perhaps the most widely studied are temporal constraints introduced by Bertino and her colleagues.

Elisa Bertino, Piero A. Bonatti, Elena Ferrari: TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4(3): 191-233 (2001)

James Joshi, Elisa Bertino, Usman Latif, Arif Ghafoor: A Generalized Temporal Role-Based Access Control Model. IEEE Trans. Knowl. Data Eng. 17(1): 4-23 (2005).

This is a temporal model for RBAC which restricts the use of roles to certain times: the day_shift role can only be activated between the hours 09:00 and 18:00, for example. Once such constraints are specified, problems arise with the activation of more senior roles. I believe the most relevant problem, with respect to your queries over the last few days, is whether the manager role, for example, inherits the permissions of the day_shift role outside the hours 09:00-18:00.

There is no consensus within the academic community on how these issues should be handled. They are certainly not covered in the current ANSI standard nor, by extension, in the XACML profile for RBAC.

In short, you will have to find your own way to resolve these issues, perhaps taking inspiration from one of the strategies for dealing with (temporal) constraints on role usage suggested by Bertino et al.

Regards
Jason

------------------------------------
Dr Jason Crampton
jason.crampton@rhul.ac.uk
www.isg.rhul.ac.uk/~jason
+44 (0)1784 443117
====================================
Information Security Group
Royal Holloway, University of London
------------------------------------

-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.alam@uibk.ac.at]
Sent: 09 June 2005 19:38
To: Anne.Anderson@sun.com
Cc: xacml-users@lists.oasis-open.org
Subject: [xacml-users] solution !

Anne,

My proposed solution makes sense because of:

1. In order to preserve the Role hierarchy by means of Policy referencing.

If I put <Rule Effect="Permit"/> in the PPS of the junior role with the attribute for Role in the target, this makes sense to me, only with a problem that the role will again be specified in the target, although it was specified with the RPS (senior role). The problem for me is: does specifying the role again in the PPS make the specification inconsistent?

Otherwise, your proposed solution does not really make sense at all to me. I mean, if I opt for your solution, then I lose the role hierarchy by means of policy referencing.

Comments plz.

P.S. Thanks for the valuable comments, this is really elaborating the problem. I am sure we will find a solution for this problem.

Regards
Muhammad.
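
The open question in the reply above (does manager inherit day_shift's permissions outside 09:00-18:00?) can be made concrete with a small evaluator. This is an added example, not part of the thread and not one of the specific strategies from Bertino et al.; the permission names, the inherit_when_disabled switch and the half-open reading of the time window are assumptions made for illustration.

```python
from datetime import time

# Constructed sample policy: manager is senior to day_shift,
# and day_shift may only be used between 09:00 and 18:00.
JUNIORS = {"manager": ["day_shift"], "day_shift": []}
ENABLED = {"day_shift": (time(9, 0), time(18, 0))}  # unlisted roles: always enabled
PERMS = {"manager": {"approve_timesheet"}, "day_shift": {"open_till"}}


def role_enabled(role, now):
    """True if the role has no temporal constraint or `now` is in [start, end)."""
    window = ENABLED.get(role)
    return window is None or window[0] <= now < window[1]


def effective_permissions(role, now, inherit_when_disabled):
    """Permissions obtained by activating `role` at `now`.

    inherit_when_disabled=True : the window only limits direct activation of
        the junior role; a senior role still inherits its permissions.
    inherit_when_disabled=False: the window also gates inheritance, and a
        disabled junior hides everything below it in the hierarchy.
    """
    if not role_enabled(role, now):
        return set()  # the activated role itself is outside its window
    perms = set(PERMS[role])
    stack, seen = list(JUNIORS[role]), set()
    while stack:
        junior = stack.pop()
        if junior in seen:
            continue
        seen.add(junior)
        if inherit_when_disabled or role_enabled(junior, now):
            perms |= PERMS[junior]
            stack.extend(JUNIORS[junior])
    return perms


if __name__ == "__main__":
    for label, flag in (("window gates inheritance", False),
                        ("window gates activation only", True)):
        for now in (time(10, 0), time(20, 0)):
            got = sorted(effective_permissions("manager", now, flag))
            print(f"{label:30} manager at {now}: {got}")
```

The two readings agree during the day shift and diverge at 20:00, which is the decision a policy author has to make explicitly because neither the ANSI standard nor the XACML RBAC profile makes it for them.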