[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Addendum: Re: Hierarchical resources policy and request file
Dhirendra, I omitted your "ABC-Read" roles from my examples by mistake.

The simplest, if you really want to use "role" IDs like "ABC-Read", would be to define the value of the "resource-id" in the Request as the requested "role" - i.e. if the Subject wants to "read" company "ABC", then the resource-id will be "ABC-read". Assume the subsidiaries of ABC are DEF and GHI. The Context Handler then returns "ABC-read", "DEF-read", and "GHI-read" when asked for the AttributeId "...:resource-ancestor-or-self" if the "...:resource-id" is "ABC-read".

I tried to stay close to what you actually asked for, but I don't think what you described would be very useful. You probably want to control access to resources at a company and its subsidiaries, not "reading" the company itself. If so, then you might want to use the Role Based Access Control Profile (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf), and have Subject role values that correspond to the highest level *company* to which the Subject belongs. Then use Hierarchical Permission <PolicySet>s to give a Subject in each role appropriate action-id and resource-id rights. Don't mix action-id and resource-id into the role value itself.

Regards,
Anne

dhirendra sharma wrote:
> Hi,
>
> We need to specify the policy for the below:
>
> 1). A user should be able to "read" a company (Example: ABC Inc) provided he has the "ABC-Read" role and has "ABC Inc" as the company attribute value in his profile.
>
> 2). A user should be able to "read" a company (Example: ABC) and any of its subsidiaries provided he has the "ABC-Read" role and has "ABC Inc" or any of its subsidiaries as the company attribute value in his profile.
>
> The request could be made giving a company id which could fall anywhere in the subsidiary hierarchy, and we need to get a response whether the user is authorized or not.
>
> Can someone suggest a policy file and request XML for this?
>
> Thanks,
> Dhirendra Sharma

--
Anne H. Anderson
Anne.Anderson@sun.com
Sun Microsystems Labs
1-781-442-0928
Burlington, MA USA
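Added example (editor's addition, not code from Anne's or Dhirendra's messages): a XACML 2.0 Policy and a matching Request that follow Anne's second suggestion rather than the "ABC-read" resource-id scheme. Role values are plain company ids as in the RBAC profile, the resource-id is the company being read, action-id carries "read", and the Context Handler supplies the hierarchical profile's resource-ancestor-or-self bag. Assumptions: the hierarchy is ABC with subsidiaries DEF and GHI; the full URNs urn:oasis:names:tc:xacml:2.0:subject:role and urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self are taken from the RBAC and hierarchical resource profiles; the PolicyId, RuleId and subject-id values are made up; the ancestor-or-self values in the Request are constructed by hand to stand in for what the Context Handler would return; and the "company attribute in his profile" condition from the original question is left out so the block shows only the hierarchy check. It is a single Policy rather than the RBAC profile's Role/Permission PolicySet split.

```xml
<!-- policy.xml (added example, hypothetical ids): permit "read" on a company
     when one of the subject's roles names that company or a company above it. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:xacml:policy:company-read"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>
    Role values are company ids; resource-id is a company id; the Context Handler
    supplies resource-ancestor-or-self for the requested company.
  </Description>
  <Target/>
  <Rule RuleId="urn:example:xacml:rule:read-company-or-subsidiary" Effect="Permit">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- true iff at least one subject role is in the resource's ancestor-or-self bag -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- explicit Deny for everything the rule above did not permit -->
  <Rule RuleId="urn:example:xacml:rule:deny-everything-else" Effect="Deny"/>
</Policy>

<!-- request.xml (added example): a subject in role "ABC" asks to read subsidiary
     "GHI". The resource-ancestor-or-self values are constructed here as the bag
     the Context Handler would return for GHI given ABC > {DEF, GHI}. -->
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>dsharma</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>ABC</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>GHI</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>GHI</AttributeValue>
      <AttributeValue>ABC</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>
```

With this Request the PDP returns Permit, because "ABC" appears in both the role bag and the ancestor-or-self bag. The same Request with role "DEF" returns Deny: DEF is a sibling of GHI, not an ancestor, so the Condition is false and the trailing Deny rule applies. The rule combining algorithm is first-applicable rather than deny-overrides so that the catch-all Deny does not override the Permit. The check only works if the Context Handler (or a PIP) actually populates resource-ancestor-or-self; if that attribute is missing, the designator returns an empty bag and the outcome is Deny, which is the safe failure mode.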