xacml-users message



Subject: Re: Addendum: Re: Hierarchical resources policy and request file


Hi Anne,

I am using Sun's XACML 1.1 Implementation.
Hierarchical resource profile, I believe, is part of
XACML 2.0 implementation.
Will your solution work with XACML 1.1 implementation?

Do you strongly recommend me using XACML 2.0?

I am still writing an alternative way in a notepad. I will
send it once I have it thought through.

Thanks,
Dhirendra Sharma



--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Dhirendra,
> 
> I omitted your "ABC-Read" roles from my examples by mistake.  The
> simplest, if you really want to use "role" IDs like "ABC-Read", would be
> to define the value of the "resource-id" in the Request as the requested
> "role" - i.e. if the Subject wants to "read" company "ABC", then the
> resource-id will be "ABC-read".  Assume the subsidiaries of ABC are DEF
> and GHI.  The Context Handler then returns "ABC-read", "DEF-read", and
> "GHI-read" when asked for the AttributeId "...:resource-ancestor-or-self"
> if the "...:resource-id" is "ABC-read".
> 
> I tried to stay close to what you actually asked for, but I don't think
> what you described would be very useful.  You probably want to control
> access to resources at a company and its subsidiaries, not "reading" the
> company itself.  If so, then you might want to use the Role Based Access
> Control Profile
> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf),
> and have Subject role values that correspond to the highest level
> *company* to which the Subject belongs.  Then use Hierarchical
> Permission <PolicySet>s to give a Subject in each role appropriate
> action-id and resource-id rights.  Don't mix action-id and resource-id
> into the role value itself.
> 
> Regards,
> Anne
> 
> dhirendra sharma wrote:
> 
> > Hi,
> > 
> >   We need to specify the policy for the below :
> > 	1). A user should be able to "read" a company (Example: ABC Inc) provided
> > 		 he has - "ABC-Read" role and should have "ABC Inc"
> > as the company attribute value in his profile
> > 	
> > 	2). A user should be able to "read" a company (Example: ABC ) and any of its subsidiaries provided
> > 		 he has - "ABC-Read" role and should have "ABC Inc" or any of its subsidiaries as the
> > 		company attribute value in his profile
> > 	
> > 	The request could be made giving company id which could fall anywhere in the subsidiary hierarchy and we
> > need to get a response whether user is authorized or not.
> > 
> > 	Can someone suggest - policy file and request XML for this ?
> > 	
> > 
> > 
> > 
> > Thanks,
> > Dhirendra Sharma
> > 
> > 
> > ---------------------------------------------------------------------
> > This publicly archived list supports open discussion on using the
> > XACML OASIS Standard. To minimize spam in the archives, you
> > must subscribe before posting.
> > 
> > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> > List archives: http://lists.oasis-open.org/archives/xacml-users/
> > Committee homepage: http://www.oasis-open.org/committees/xacml/
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> > Join OASIS: http://www.oasis-open.org/join/
> > 
> 
> -- 
> Anne H. Anderson               Anne.Anderson@sun.com
> Sun Microsystems Labs          1-781-442-0928
> Burlington, MA USA
> 
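The scheme Anne sketches in her reply (role values naming the Subject's highest-level company, a Permission policy per role granting action-id/resource-id rights, and the Context Handler expanding the requested resource-id into "resource-ancestor-or-self") can be modelled in a few lines. The Python below is an added illustration of that evaluation logic; it is not code from this thread, from Sun's XACML implementation, or from any OASIS profile, and it does not address the XACML 1.1 versus 2.0 question. The company hierarchy, the role-to-permission table and the `Request` type are all constructed here for the example.

```python
"""
Toy model of an RBAC-style hierarchical resource decision.  Role values name
the highest-level company a Subject belongs to, a Permission policy per role
grants (action-id, resource-id) rights, and the Context Handler expands the
requested company into "resource-ancestor-or-self".  All data is constructed
for illustration; this is not the Sun XACML implementation.
"""
from dataclasses import dataclass

# Constructed company hierarchy: child -> parent.  ABC Inc is the top company,
# DEF Inc and GHI Inc are its subsidiaries, JKL Inc is a subsidiary of DEF Inc.
PARENT_COMPANY = {
    "DEF Inc": "ABC Inc",
    "GHI Inc": "ABC Inc",
    "JKL Inc": "DEF Inc",
}

# Constructed Permission policies keyed by role value.  The role value is a
# plain company name; the action-id and resource-id rights live here in the
# policy rather than being mixed into the role string (no "ABC-Read" roles).
PERMISSIONS = {
    "ABC Inc": [("read", "ABC Inc")],   # read ABC Inc and every company below it
    "DEF Inc": [("read", "DEF Inc")],   # read DEF Inc and every company below it
}


def resource_ancestor_or_self(resource_id, parent=PARENT_COMPANY):
    """Stand-in for the Context Handler answering AttributeId
    ...:resource-ancestor-or-self: the requested company followed by each of
    its ancestors up to the top company."""
    chain = [resource_id]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


@dataclass
class Request:
    roles: list          # subject role attribute values (company names)
    action_id: str       # e.g. "read"
    resource_id: str     # the company the Subject wants to act on


def decide(request, permissions=PERMISSIONS, parent=PARENT_COMPANY):
    """Minimal PDP: Permit if some role held by the Subject grants the
    requested action-id on the requested company or one of its ancestors.
    Anything else is NotApplicable (no policy matched), which a deployment
    should treat as deny."""
    known = set(parent) | set(parent.values())
    if request.resource_id not in known:
        return "NotApplicable"  # unknown company: the hierarchy cannot be expanded
    ancestors = resource_ancestor_or_self(request.resource_id, parent)
    for role in request.roles:
        for action, root in permissions.get(role, []):
            if action == request.action_id and root in ancestors:
                return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    # Constructed requests: a subsidiary-level role cannot reach the parent,
    # while a top-level role reaches every subsidiary.
    for req in (
        Request(["ABC Inc"], "read", "GHI Inc"),
        Request(["DEF Inc"], "read", "JKL Inc"),
        Request(["DEF Inc"], "read", "ABC Inc"),
        Request(["ABC Inc"], "write", "GHI Inc"),
    ):
        print(req, "->", decide(req))
```

The point worth noticing for anyone deploying this pattern is that the hierarchy expansion happens in the Context Handler, not in the policy: the policy stays a flat membership test, so the data source that supplies the parent-company mapping is part of the trusted computing base, and a wrong or stale subsidiary entry silently widens what a role can read.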



