xacml-users message
Subject: Addendum: Re: Hierarchical resources policy and request file


I omitted your "ABC-Read" roles from my examples by mistake.  The 
simplest, if you really want to use "role" IDs like "ABC-Read", would be 
to define the value of the "resource-id" in the Request as the requested 
"role" - i.e. if the Subject wants to "read" company "ABC", then the 
resource-id will be "ABC-read".  Assume the subsidiaries of ABC are DEF 
and GHI.  The Context Handler then returns "ABC-read", "DEF-read", and 
"GHI-read" when asked for the AttributeId 
"...:resource-ancestor-or-self" if the "...:resource-id" is "ABC-read".

I tried to stay close to what you actually asked for, but I don't think 
what you described would be very useful.  You probably want to control 
access to resources at a company and its subsidiaries, not "reading" the 
company itself.  If so, then you might want to use the Role Based Access 
Control Profile 
and have Subject role values that correspond to the highest level 
*company* to which the Subject belongs.  Then use Hierarchical 
Permission <PolicySet>s to give a Subject in each role appropriate 
action-id and resource-id rights.  Don't mix action-id and resource-id 
into the role value itself.


dhirendra sharma wrote:

> Hi,
>   We need to specify the policy for the below:
> 1). A user should be able to "read" a company
> (Example: ABC Inc) provided he has "ABC-Read" role
> and should have "ABC Inc" as the company attribute
> value in his profile
> 2). A user should be able to "read" a company
> (Example: ABC) and any of its subsidiaries provided
> he has "ABC-Read" role and should have "ABC Inc" or
> any of its subsidiaries as the company attribute
> value in his profile
> The request could be made giving company id which
> could fall anywhere in the subsidiary hierarchy and we
> need to get a response whether user is authorized or not.
> Can someone suggest - policy file and request XML
> for this?
> Thanks,
> Dhirendra Sharma

Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
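One way to write the first approach from the reply above as an XACML 2.0 policy (an added example, not a file from this thread or from the OASIS TC): it assumes the subject's role value and the Request's resource-id share one spelling ("ABC-read"), and that the Context Handler supplies resource-ancestor-or-self as the requested node plus its ancestors (for a request on subsidiary DEF: "DEF-read", "ABC-read"). PolicyId and RuleId are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed example policy: the subject's "read" role for a company is
     spelled exactly like the resource-id of that company ("ABC-read"). -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:company-read"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>
    Permit "read" on a company when the subject holds the read role of that
    company or of any company above it in the subsidiary hierarchy.
  </Description>
  <Target>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="urn:example:rule:role-matches-ancestor-or-self" Effect="Permit">
    <Condition>
      <!-- any-of-any: true if ANY subject role string-equals ANY value in the
           resource-ancestor-or-self bag the Context Handler returned.
           Request on DEF with role ABC-read: {ABC-read} x {DEF-read, ABC-read}
           matches on ABC-read, so the rule permits. Request on an unrelated
           company JKL: {ABC-read} x {JKL-read} has no match, so no Permit. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

With deny-overrides and no Deny rule, a request whose role bag and ancestor-or-self bag do not intersect yields NotApplicable rather than Permit, so the enclosing PolicySet must supply the default Deny; a missing resource-ancestor-or-self attribute makes the Condition Indeterminate, which is the failure mode to watch when the Context Handler cannot resolve the hierarchy.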
