Subject: RE: [xacml-users] Re: Addendum: Re: Hierarchical resources policy and request file
Hierarchical resource profile (non-XML), as it is specified, is just one example of how an attribute based policy target and inheritance may be structured. It will work with XACML 1.1. It covers one, fairly typical case for inheritance. As Anne suggested, there are many other ways to structure your environment/resource attributes to allow other ways to apply policy.

Daniel

-----Original Message-----
From: dhirendra sharma [mailto:email@example.com]
Sent: Friday, June 30, 2006 8:07 AM
To: Anne.Anderson@sun.com
Cc: firstname.lastname@example.org
Subject: [xacml-users] Re: Addendum: Re: Hierarchical resources policy and request file

Hi Anne,

I am using Sun's XACML 1.1 Implementation. Hierarchical resource profile, I believe, is part of the XACML 2.0 implementation. Will your solution work with the XACML 1.1 implementation? Do you strongly recommend me using XACML 2.0?

I am still writing an alternative way in a notepad. I will send it once I have it thought through.

Thanks,
Dhirendra Sharma

--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Dhirendra,
>
> I omitted your "ABC-Read" roles from my examples by mistake. The simplest, if you really want to use "role" IDs like "ABC-Read", would be to define the value of the "resource-id" in the Request as the requested "role" - i.e. if the Subject wants to "read" company "ABC", then the resource-id will be "ABC-read". Assume the subsidiaries of ABC are DEF and GHI. The Context Handler then returns "ABC-read", "DEF-read", and "GHI-read" when asked for the AttributeId "...:resource-ancestor-or-self" if the "...:resource-id" is "ABC-read".
>
> I tried to stay close to what you actually asked for, but I don't think what you described would be very useful. You probably want to control access to resources at a company and its subsidiaries, not "reading" the company itself. If so, then you might want to use the Role Based Access Control Profile (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf), and have Subject role values that correspond to the highest level *company* to which the Subject belongs. Then use Hierarchical Permission <PolicySet>s to give a Subject in each role appropriate action-id and resource-id rights. Don't mix action-id and resource-id into the role value itself.
>
> Regards,
> Anne
>
> dhirendra sharma wrote:
>
> > Hi,
> >
> > We need to specify the policy for the below:
> >
> > 1). A user should be able to "read" a company (Example: ABC Inc) provided he has the "ABC-Read" role and has "ABC Inc" as the company attribute value in his profile.
> >
> > 2). A user should be able to "read" a company (Example: ABC) and any of its subsidiaries provided he has the "ABC-Read" role and has "ABC Inc" or any of its subsidiaries as the company attribute value in his profile.
> >
> > The request could be made giving a company id which could fall anywhere in the subsidiary hierarchy, and we need to get a response whether the user is authorized or not.
> >
> > Can someone suggest a policy file and request XML for this?
> >
> > Thanks,
> > Dhirendra Sharma
>
> --
> Anne H. Anderson        Anne.Anderson@sun.com
> Sun Microsystems Labs   1-781-442-0928
> Burlington, MA USA
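The following is an added example, not code from this thread, from Sun's XACML implementation, or from the OASIS profile. It models in Python the two requirements Dhirendra posted and the inheritance pattern Anne and Daniel describe: a Context Handler that derives the resource-ancestor-or-self bag from the requested company's position in the subsidiary tree, and a single rule that permits "read" when the subject holds an "<X>-Read" role for the requested company or one of its parents and the subject's own company attribute is X or sits under X. It goes beyond the thread's ABC/DEF/GHI case by handling arbitrary depth and an unrelated company; the subsidiary tree, the JKL and XYZ names, and the attribute-bag key strings are constructed for the example.

```python
"""Toy PDP for the hierarchical-resource pattern discussed in the thread.

Constructed example; not code from the xacml-users thread, from Sun's
XACML implementation, or from the OASIS profile. Companies other than
ABC, DEF and GHI, and the subsidiary tree itself, are made up.
"""
from typing import Dict, List, Optional, Set

# Constructed subsidiary tree: child -> parent (None for a top-level company).
PARENT: Dict[str, Optional[str]] = {
    "ABC": None,
    "DEF": "ABC",
    "GHI": "ABC",
    "JKL": "DEF",   # grand-subsidiary of ABC (constructed)
    "XYZ": None,    # unrelated company (constructed)
}

# AttributeId defined by the XACML 2.0 hierarchical resource profile; the
# thread refers to it as "...:resource-ancestor-or-self".
ANCESTOR_OR_SELF_ID = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"


def ancestor_or_self(company: str) -> List[str]:
    """What the Context Handler returns for resource-ancestor-or-self:
    the company itself, then each parent up to the top of the tree.
    Rejects unknown companies and cycles rather than guessing."""
    if company not in PARENT:
        raise KeyError(f"unknown company {company!r}")
    chain: List[str] = []
    seen: Set[str] = set()
    node: Optional[str] = company
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in hierarchy at {node!r}")
        seen.add(node)
        chain.append(node)
        node = PARENT[node]
    return chain


def build_context(subject_company: str, subject_roles: List[str],
                  resource_id: str, action_id: str) -> Dict[str, Set[str]]:
    """Context Handler: turns the request plus the derived hierarchy
    attribute into the attribute bags the policy evaluates. Bag keys are
    shortened for readability (constructed, not XACML URNs)."""
    return {
        "subject:company": {subject_company},
        "subject:role": set(subject_roles),
        "resource:resource-id": {resource_id},
        ANCESTOR_OR_SELF_ID: set(ancestor_or_self(resource_id)),
        "action:action-id": {action_id},
    }


def evaluate(ctx: Dict[str, Set[str]]) -> str:
    """Requirements 1 and 2 from the thread as one rule.

    Permit when some X in resource-ancestor-or-self satisfies both:
      - the subject holds the role "<X>-Read" (Dhirendra's role naming), and
      - the subject's company attribute is X or a subsidiary of X.
    Requirement 1 is the special case where X is the requested company.
    """
    if ctx["action:action-id"] != {"read"}:
        return "NotApplicable"
    subject_company = next(iter(ctx["subject:company"]))
    # Companies the subject's own company is "under", including itself.
    subject_chain = set(ancestor_or_self(subject_company))
    for x in ctx[ANCESTOR_OR_SELF_ID]:
        if f"{x}-Read" in ctx["subject:role"] and x in subject_chain:
            return "Permit"
    return "Deny"


def decide(subject_company: str, subject_roles: List[str],
           resource_id: str, action_id: str = "read") -> str:
    """Convenience wrapper: request attributes in, decision out."""
    return evaluate(build_context(subject_company, subject_roles,
                                  resource_id, action_id))


if __name__ == "__main__":
    print(decide("ABC", ["ABC-Read"], "ABC"))   # Permit: requirement 1
    print(decide("DEF", ["ABC-Read"], "GHI"))   # Permit: sibling subsidiary
    print(decide("DEF", ["DEF-Read"], "ABC"))   # Deny: no upward inheritance
    print(decide("XYZ", ["ABC-Read"], "ABC"))   # Deny: role without company
```

The point worth noticing is where the hierarchy lives: the policy rule never walks the tree, it only matches against the bag the Context Handler produced. That is what makes the pattern work on an engine that predates the profile, as Daniel notes: an XACML 1.1 PDP only needs an attribute finder that can fill the ancestor-or-self bag for the requested resource-id.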