Subject: Re: [xacml-users] Static constraints and dynamic constraints in XACML RBAC Profile
Hi,

It is certainly possible to create an XACML Attribute that will contain the value "number of users currently holding role X". Your XACML Context Handler would need to know how to figure out or look up the number of users currently holding the role and feed that value to the XACML PDP when asked. In the sunxacml implementation you could write a new AttributeFinder module that would know how to look up this value.

Alternatively, you could create an XACML Attribute that will contain the "identities of users currently holding role X", and then use the XACML "<type>-bag-size" function to give you the number of users in this bag of values. Again, however, your Context Handler will have to know how to figure out or look up the list of users currently holding the role and feed that value to the XACML PDP when asked.

Anne Anderson

nur maimait wrote:
> Dear all:
>
> I am doing some work about the correspondence between RBAC and XACML. I have read the XACML profile for RBAC. What I am going to ask about is static constraints and dynamic constraints in this profile.
>
> Mr Anderson said separation of duty can be implemented by using the Separation of Duty <PolicySet> and Role Assignment <PolicySet>. There are three example codes in profile 1.0.
>
> Some people said those policysets will help us to solve Static Separation of Duty, but others said they can solve Dynamic Separation of Duty.
>
> In my opinion, those policies can help us solve dynamic separation of duty indirectly, because the Role Assignment (Enablement) Authority uses those policies to prevent users from holding incompatible roles at the time an access is requested.
>
> For Static Separation of Duty, we should have a policy or policy set stating that a user must not hold incompatible roles beforehand. We may state this constraint in the role's PPS by adding a <Condition> element, as Mr Anderson said. For role cardinality constraints, we should explicitly state in the Role Assignment <PolicySet> or the role's PPS the maximum number of users for a specific role. I am wondering if we can add the number constraint in the subject attribute part of the RPS to do this.
>
> My partner also said that static separation of duty is administration RBAC of XACML: the policy writer should avoid writing policies that go against the business logic. For example, he or she doesn't write policies that a user John can be assigned to both the roles of Employee and Contractor, and doesn't write policies stating that 3 different people can have the manager role when the manager role should have a maximum cardinality of 2.
>
> Does that make sense?
>
> ------------------------------------------------------------------------
>
> Subject: Static constraints and dynamic constraints in XACML RBAC Profile
> From: nur@math.pku.edu.cn
> Date: Sat, 11 Jun 2005 16:29:08 +0800
> To: xacml-comment-help@lists.oasis-open.org

-- 
Anne H. Anderson
Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311
Burlington, MA 01803-0902 USA
Tel: 781/442-0928
Fax: 781/442-1692
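The second approach in the reply above (a bag of current role holders checked with `<type>-bag-size`), written out as an added example in XACML 2.0 policy syntax; it is not code from the thread, from sunxacml or from the RBAC profile. It assumes a Context Handler or AttributeFinder that supplies the environment attribute `urn:example:role-holders` (a constructed id) as a string bag, and that the role being requested for enablement arrives as the resource attribute `urn:oasis:names:tc:xacml:2.0:subject:role` (the profile's role attribute id; carrying it on the resource is an assumption here).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original thread. Role cardinality for
     the "manager" role: permit enablement only while fewer than 2 users
     hold it. Assumed attributes: urn:example:role-holders (constructed id,
     string bag of current holders, supplied by the Context Handler) and the
     requested role carried as a resource attribute. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:manager-cardinality"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Resources>
      <Resource>
        <!-- Applies only to requests to enable the "manager" role -->
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="urn:example:manager-cardinality:permit" Effect="Permit">
    <Condition>
      <!-- string-bag-size(current holders) < 2 : capacity still available.
           If the Context Handler cannot supply the bag, the designator
           yields an empty bag (size 0) unless MustBePresent="true",
           so set MustBePresent on the designator if a missing attribute
           should produce Indeterminate rather than a Permit. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
          <EnvironmentAttributeDesignator
              AttributeId="urn:example:role-holders"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <!-- Any enablement request for "manager" not permitted above (role at
       capacity) is denied explicitly. -->
  <Rule RuleId="urn:example:manager-cardinality:deny" Effect="Deny"/>
</Policy>
```

The same pattern with `integer-less-than` replaced by a comparison against an integer attribute covers the first approach, where the Context Handler supplies the count directly.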