OASIS Mailing List Archives
xacml-users message



Subject: RE: [xacml-users] Re: Addendum: Re: Hierarchical resources policy and request file


The hierarchical resource profile (non-XML), as it is specified, is just
one example of how an attribute-based policy target and inheritance may
be structured.  It will work with XACML 1.1.  It covers one fairly
typical case for inheritance.  As Anne suggested, there are many other
ways to structure your environment/resource attributes to allow other
ways to apply policy.

Daniel;

-----Original Message-----
From: dhirendra sharma [mailto:dhirendra_sh@yahoo.com] 
Sent: Friday, June 30, 2006 8:07 AM
To: Anne.Anderson@sun.com
Cc: xacml-users@lists.oasis-open.org
Subject: [xacml-users] Re: Addendum: Re: Hierarchical resources policy and request file

Hi Anne,

I am using Sun's XACML 1.1 implementation.
The hierarchical resource profile, I believe, is part of the
XACML 2.0 implementation.
Will your solution work with the XACML 1.1 implementation?

Do you strongly recommend that I use XACML 2.0?

I am still writing an alternative way in a notepad. I will
send it once I have thought it through.

Thanks,
Dhirendra Sharma



--- Anne Anderson <Anne.Anderson@sun.com> wrote:

> Dhirendra,
> 
> I omitted your "ABC-Read" roles from my examples by mistake.  The
> simplest, if you really want to use "role" IDs like "ABC-Read", would be
> to define the value of the "resource-id" in the Request as the requested
> "role" - i.e. if the Subject wants to "read" company "ABC", then the
> resource-id will be "ABC-read".  Assume the subsidiaries of ABC are DEF
> and GHI.  The Context Handler then returns "ABC-read", "DEF-read", and
> "GHI-read" when asked for the AttributeId "...:resource-ancestor-or-self"
> if the "...:resource-id" is "ABC-read".
> 
> I tried to stay close to what you actually asked for, but I don't think
> what you described would be very useful.  You probably want to control
> access to resources at a company and its subsidiaries, not "reading" the
> company itself.  If so, then you might want to use the Role Based Access
> Control Profile
> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf),
> and have Subject role values that correspond to the highest level
> *company* to which the Subject belongs.  Then use Hierarchical
> Permission <PolicySet>s to give a Subject in each role appropriate
> action-id and resource-id rights.  Don't mix action-id and resource-id
> into the role value itself.
> 
> Regards,
> Anne
> 
> dhirendra sharma wrote:
> 
> > Hi,
> > 
> >   We need to specify the policy for the below:
> > 
> >   1). A user should be able to "read" a company (Example: ABC Inc)
> >   provided he has the "ABC-Read" role and should have "ABC Inc" as
> >   the company attribute value in his profile.
> > 
> >   2). A user should be able to "read" a company (Example: ABC) and
> >   any of its subsidiaries provided he has the "ABC-Read" role and
> >   should have "ABC Inc" or any of its subsidiaries as the company
> >   attribute value in his profile.
> > 
> >   The request could be made giving a company id which could fall
> >   anywhere in the subsidiary hierarchy, and we need to get a
> >   response whether the user is authorized or not.
> > 
> >   Can someone suggest a policy file and request XML for this?
> > 
> > Thanks,
> > Dhirendra Sharma
> 
> -- 
> Anne H. Anderson               Anne.Anderson@sun.com
> Sun Microsystems Labs          1-781-442-0928
> Burlington, MA USA
> 



---------------------------------------------------------------------
This publicly archived list supports open discussion on using the 
XACML OASIS Standard. To minimize spam in the archives, you 
must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/xacml-users/
Committee homepage: http://www.oasis-open.org/committees/xacml/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/

_______________________________________________________________________
Notice:  This email message, together with any attachments, may contain
information  of  BEA Systems,  Inc.,  its subsidiaries  and  affiliated
entities,  that may be confidential,  proprietary,  copyrighted  and/or
legally privileged, and is intended solely for the use of the individual
or entity named in this message. If you are not the intended recipient,
and have received this message in error, please immediately return this
by email and then delete it.
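As an added illustration of the approach Anne and Daniel describe above (this is example code written for this page, not code from the thread, from Sun's XACML implementation, or from any OASIS artifact): a small Python model of the context handler that resolves "resource-ancestor-or-self" and of the permission policy that matches the subject's top-level company against it. It assumes a constructed company tree (ABC owning DEF and GHI, GHI owning JKL), the hierarchical profile's meaning of resource-ancestor-or-self as the requested node plus every ancestor up to the root, and the attribute identifiers shown as constants (the 1.0 resource-id and action-id names are standard; the 2.0 hierarchical-resource and RBAC profile names are assumed). It also bears out Daniel's point: the policy needs nothing beyond a multi-valued attribute and a bag-membership match, so it does not rely on a 2.0-only feature.

```python
"""Toy PDP for the company/subsidiary read policy discussed in this thread.

Hypothetical example. Assumed: a constructed company tree, XACML-style
attribute identifiers, and the hierarchical profile's reading of
resource-ancestor-or-self (the requested node plus all of its ancestors).
"""

# Constructed company hierarchy: child -> parent.
# ABC Inc owns DEF and GHI; GHI in turn owns JKL.
PARENT = {"DEF": "ABC", "GHI": "ABC", "JKL": "GHI"}

# Standard XACML 1.0 identifiers.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Assumed identifiers from the XACML 2.0 hierarchical-resource and RBAC profiles.
ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"


def resource_ancestor_or_self(resource_id, parent=PARENT):
    """Context handler: return the requested company and every ancestor up
    to the root, in order. Refuses to loop forever on a corrupted tree."""
    chain = []
    seen = set()
    node = resource_id
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in company hierarchy at {node!r}")
        seen.add(node)
        chain.append(node)
        node = parent.get(node)
    return chain


def build_context(subject_role, action, resource_id):
    """Assemble the request context the PDP sees once the context handler
    has added the multi-valued ancestor attribute to the resource."""
    return {
        "subject": {SUBJECT_ROLE: [subject_role]},
        "action": {ACTION_ID: [action]},
        "resource": {
            RESOURCE_ID: [resource_id],
            ANCESTOR_OR_SELF: resource_ancestor_or_self(resource_id),
        },
    }


def string_at_least_one_member_of(bag_a, bag_b):
    """Bag function with the semantics of XACML's
    ...:string-at-least-one-member-of: true if any value of A is in B."""
    return any(a in bag_b for a in bag_a)


def evaluate(context):
    """Permission policy in Anne's style: the subject's role value is the
    highest-level company it belongs to, and the action is kept separate.
    Target: action-id == "read" (anything else is NotApplicable).
    Rule:   Permit when the role company is the resource or an ancestor of it.
    A trailing Deny rule stands in for a deny-overrides fall-through."""
    if context["action"].get(ACTION_ID) != ["read"]:
        return "NotApplicable"
    roles = context["subject"].get(SUBJECT_ROLE, [])
    ancestors = context["resource"].get(ANCESTOR_OR_SELF, [])
    if string_at_least_one_member_of(roles, ancestors):
        return "Permit"
    return "Deny"


def decide(subject_role, action, resource_id):
    """One-call helper: build the context and evaluate it."""
    return evaluate(build_context(subject_role, action, resource_id))


if __name__ == "__main__":
    # ABC staff may read ABC and anything below it; GHI staff may not read ABC.
    for role, action, res in [("ABC", "read", "ABC"), ("ABC", "read", "JKL"),
                              ("GHI", "read", "ABC"), ("GHI", "read", "JKL"),
                              ("ABC", "write", "DEF")]:
        print(role, action, res, "->", decide(role, action, res))
```

Two things worth noting in the model. First, the subject attribute carries only a company ("ABC"), never "ABC-Read": the action is matched by the policy target, which is exactly the separation Anne recommends, and it keeps one role from silently granting a second action later. Second, the context handler is the trust boundary for the whole scheme: if it can be fed a hierarchy with a cycle, or one where a subsidiary is recorded as the parent of its owner, the ancestor bag is wrong and the policy permits the wrong reads, so the walk refuses cycles instead of spinning.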

