xacml-users message



Subject: Addendum: Re: Hierarchical resources policy and request file


Dhirendra,

I omitted your "ABC-Read" roles from my examples by mistake.  The 
simplest, if you really want to use "role" IDs like "ABC-Read", would be 
to define the value of the "resource-id" in the Request as the requested 
"role" - i.e. if the Subject wants to "read" company "ABC", then the 
resource-id will be "ABC-read".  Assume the subsidiaries of ABC are DEF 
and GHI.  The Context Handler then returns "ABC-read", "DEF-read", and 
"GHI-read" when asked for the AttributeId 
"...:resource-ancestor-or-self" if the "...:resource-id" is "ABC-read".

I tried to stay close to what you actually asked for, but I don't think 
what you described would be very useful.  You probably want to control 
access to resources at a company and its subsidiaries, not "reading" the 
company itself.  If so, then you might want to use the Role Based Access 
Control Profile 
(http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf), 
and have Subject role values that correspond to the highest level 
*company* to which the Subject belongs.  Then use Hierarchical 
Permission <PolicySet>s to give a Subject in each role appropriate 
action-id and resource-id rights.  Don't mix action-id and resource-id 
into the role value itself.

Regards,
Anne

dhirendra sharma wrote:

> Hi,
> 
>   We need to specify the policy for the below:
> 
>   1). A user should be able to "read" a company (Example: ABC Inc) provided
>       he has the "ABC-Read" role and has "ABC Inc" as the company attribute
>       value in his profile.
> 
>   2). A user should be able to "read" a company (Example: ABC) and any of its
>       subsidiaries provided he has the "ABC-Read" role and has "ABC Inc" or
>       any of its subsidiaries as the company attribute value in his profile.
> 
>   The request could be made giving a company id which could fall anywhere in
>   the subsidiary hierarchy, and we need to get a response whether the user is
>   authorized or not.
> 
>   Can someone suggest a policy file and request XML for this?
> 
> 
> 
> Thanks,
> Dhirendra Sharma
> 
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
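The following is an added example, not code from either message in this thread and not an OASIS artifact. It models, in Python, the request shape Anne describes: the Context Handler supplies a "resource-ancestor-or-self" bag alongside "resource-id", and the PDP permits when one of the subject's company-level roles matches a value in that bag. The attribute URNs are the ones I recall from the XACML 2.0 core and hierarchical resource profile (treat them as assumptions and check them against the spec); the company hierarchy, the "<company>-read" encoding of resource values, and the single-rule policy are constructed for illustration. The example assumes the ancestor-or-self bag lists the requested company and each company above it in the hierarchy, so a role tied to the top-level company (Anne's RBAC suggestion) covers every subsidiary below it without being mentioned by name.

```python
# Added example: toy model of XACML hierarchical-resource evaluation.
# Attribute identifiers as I recall them from XACML 2.0 (assumption; verify against the spec).
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"  # role attribute from the RBAC profile

# Constructed corporate hierarchy: child -> parent (None marks the top-level company).
PARENT = {"ABC": None, "DEF": "ABC", "GHI": "ABC", "JKL": "GHI"}


def ancestor_or_self(company, parent=PARENT):
    """Return the company itself followed by each ancestor up to the top level."""
    chain = []
    node = company
    while node is not None:
        if node in chain:
            raise ValueError(f"cycle in hierarchy at {node}")
        chain.append(node)
        node = parent.get(node)
    return chain


def context_handler(company, action="read", parent=PARENT):
    """Build the resource attributes the PDP sees for a request to <action> <company>.

    resource-id carries the "<company>-<action>" value the thread discusses;
    resource-ancestor-or-self carries the same encoding for the company and every
    company above it, so the PDP never has to know the hierarchy itself.
    """
    if company not in parent:
        raise KeyError(f"unknown company {company!r}")
    return {
        RESOURCE_ID: [f"{company}-{action}"],
        ANCESTOR_OR_SELF: [f"{c}-{action}" for c in ancestor_or_self(company, parent)],
    }


def evaluate(subject_attrs, resource_attrs):
    """Single-rule policy: Permit when any subject role names a value in the
    resource-ancestor-or-self bag (compared case-insensitively, since the thread
    writes both "ABC-Read" and "ABC-read"); otherwise NotApplicable, which a PEP
    must treat as deny."""
    wanted = {v.lower() for v in resource_attrs.get(ANCESTOR_OR_SELF, [])}
    for role in subject_attrs.get(SUBJECT_ROLE, []):
        if role.lower() in wanted:
            return "Permit"
    return "NotApplicable"


def decide(roles, company, action="read"):
    """End-to-end: PEP request -> Context Handler enrichment -> PDP decision."""
    subject_attrs = {SUBJECT_ROLE: list(roles)}
    return evaluate(subject_attrs, context_handler(company, action))


if __name__ == "__main__":
    # A holder of the top-level role reads a grandchild subsidiary: Permit.
    print(decide(["ABC-Read"], "JKL"))
    # A subsidiary-level role does not reach upward to the parent: NotApplicable.
    print(decide(["GHI-Read"], "ABC"))
```

In a real XACML 2.0 policy the comparison in `evaluate` is a `<Condition>` applying `urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of` to the subject's role bag and the resource-ancestor-or-self bag; the Python loop is just that bag intersection spelled out. The part worth checking in a deployment is the Context Handler: if it fails to populate the ancestor bag (or populates it from an untrusted hierarchy source), the decision silently collapses to deny for subsidiaries or, worse, to permit for unrelated companies, so the hierarchy lookup deserves the same review as the policy itself.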

