Subject: Static constraints and dynamic constraints in XACML RBACProfile
Dear all,

I am doing some work about the correspondence between RBAC and XACML. I have read the XACML profile for RBAC. What I am going to ask about is the static constraints and dynamic constraints in this profile. Mr Anderson said separation of duty can be implemented by using the Separation of Duty <PolicySet> and the Role Assignment <PolicySet>. There are three example codes in profile 1.0. Some people said those policy sets will help us to solve Static Separation of Duty, but some others said they can solve Dynamic Separation of Duty. In my opinion, those policies can help us solve dynamic separation of duty indirectly, because the Role Assignment (Enablement) Authority uses those policies to prevent users from holding incompatible roles at the time an access is requested. For Static Separation of Duty, we should have a policy or policy set stating that a user must not hold incompatible roles beforehand. We may state this constraint in the role's PPS by adding a <condition> element, as Mr Anderson said. For role cardinality constraints, we should explicitly state in the Role Assignment <PolicySet> or the role's PPS the maximum number of users for a specific role. I am wondering if we can add the number constraint in the subject attribute part of the RPS to do this. My partner also said that static separation of duty is administrative RBAC in XACML: the policy writer should avoid writing policies that go against the business logic. For example, he or she doesn't write policies under which a user John can be assigned to both the Employee and Contractor roles, and doesn't write policies stating that 3 different people can have the Manager role when the Manager role should have a maximum cardinality of 2. Does that make sense?
--- Begin Message ---
- From: <nur@math.pku.edu.cn>
- To: xacml-comment-help@lists.oasis-open.org
- Date: Sat, 11 Jun 2005 16:29:08 +0800
--- End Message ---
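As an added illustration (not part of the original message, the XACML RBAC profile, or any OASIS code), a small Python model of the distinction drawn above: a static check run over the whole role-assignment table at administration time, covering both incompatible-role pairs and cardinality, beside a request-time check in the style of a Role Assignment <PolicySet> that only sees the roles a subject currently has enabled. The Employee/Contractor pair, the user John and the Manager limit of 2 come from the message; all other names and the data structures are constructed for this example.

```python
# Constructed model of the two kinds of SoD constraint discussed above.
# Incompatible role pairs (static and dynamic SoD share the same pair here)
# and maximum role cardinality, both constructed for this example.
INCOMPATIBLE = {frozenset({"Employee", "Contractor"})}
MAX_CARDINALITY = {"Manager": 2}


def static_sod_violations(assignments):
    """Administrative-time check over the full user -> roles table.

    This is the 'beforehand' check from the message: it inspects every
    assignment at once, so it can see incompatible roles held by one user
    and count how many users hold a role.  Returns (subject, reason) pairs.
    """
    violations = []
    for user, roles in assignments.items():
        for pair in INCOMPATIBLE:
            if pair <= roles:  # user holds every role of an incompatible pair
                violations.append(
                    (user, "incompatible roles " + ", ".join(sorted(pair))))
    counts = {}
    for roles in assignments.values():
        for role in roles:
            counts[role] = counts.get(role, 0) + 1
    for role, limit in MAX_CARDINALITY.items():
        if counts.get(role, 0) > limit:
            violations.append(
                (role, f"cardinality {counts[role]} exceeds {limit}"))
    return violations


def enable_role_decision(enabled_roles, requested_role):
    """Request-time check in the style of a Role Assignment <PolicySet>.

    Only the subject's currently enabled roles (request attributes) and the
    requested role (the resource) are visible, so this can enforce dynamic
    SoD at enablement time but cannot count users for a cardinality limit.
    Returns the XACML-style decision "Permit" or "Deny".
    """
    for pair in INCOMPATIBLE:
        if requested_role in pair and (pair - {requested_role}) & enabled_roles:
            return "Deny"
    return "Permit"
```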