xacml-users message



Subject: Re: [xacml-users] Conditional Permission


Here is an idea, not a complete implementation:

1. Request
   should contain a subject attribute with role(s)
   should contain a boolean environment attribute: 'AccountReviewedByManager' 
2. Policy 
   should contain a subject match for the role
   should contain an environment match for 'AccountReviewedByManager'

The tricky thing here is to populate the 'AccountReviewedByManager' flag. It's actually an attribute resolution issue. It depends on the account number and I'm aware of 2 options:

1. Resolve it before you hit PDP
2. Use attribute resolution mechanism that might exist within PDP




--- On Fri, 10/31/08, hao chen <d95776@yahoo.com> wrote:

> From: hao chen <d95776@yahoo.com>
> Subject: [xacml-users] Conditional Permission
> To: xacml-users@lists.oasis-open.org
> Cc: "Hao (ming) Chen" <d95776@yahoo.com>
> Date: Friday, October 31, 2008, 10:29 AM
> How could I write a rule in XACML policy to assert the
> permission with some condition as the following and how could
> I write a PDP XACML request to query the permission.
> 
> A subject with an account operator role can modify an
> account information only if the account information has been
> reviewed by a person who has account manager role.
> 
> Before we submit the PDP XACML request, we know if an
> account manager has reviewed the account or not.
> 
> Thanks!
> 
> hao
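A worked version of the reply's two steps, as an added example that is not code from the thread or from any XACML implementation: the PEP takes option 1 and resolves the review flag from a (constructed) account store before the request reaches the PDP, emits an XACML 2.0 Request carrying a role subject attribute and a boolean environment attribute, and a minimal evaluator applies the single rule the question describes (role match on the subject plus a match on the environment flag). The attribute id `urn:example:environment:AccountReviewedByManager`, the role value `account-operator` and the sample accounts are assumptions made for the example; the namespace and the role/resource/action attribute ids are the standard XACML 2.0 identifiers.

```python
"""Added example: PEP resolves AccountReviewedByManager before calling the PDP."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_BOOLEAN = "http://www.w3.org/2001/XMLSchema#boolean"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Hypothetical attribute id for the flag proposed in the reply (an assumption).
REVIEWED_ID = "urn:example:environment:AccountReviewedByManager"

# Constructed sample data standing in for the account system the PEP queries.
ACCOUNT_REVIEWS = {"acct-1001": True, "acct-1002": False}


def _attr(parent, attr_id, data_type, value):
    """Append one <Attribute AttributeId=.. DataType=..><AttributeValue>..</AttributeValue>."""
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute",
                      AttributeId=attr_id, DataType=data_type)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value


def build_request(roles, account, action="modify"):
    """PEP side (option 1): look up the review flag for `account` and build the Request.

    Unknown accounts fail closed: they are treated as not reviewed.
    """
    reviewed = ACCOUNT_REVIEWS.get(account, False)
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    for role in roles:                      # one Attribute per role the subject holds
        _attr(subj, ROLE_ID, XS_STRING, role)
    res = ET.SubElement(req, f"{{{CTX}}}Resource")
    _attr(res, RESOURCE_ID, XS_STRING, account)
    act = ET.SubElement(req, f"{{{CTX}}}Action")
    _attr(act, ACTION_ID, XS_STRING, action)
    env = ET.SubElement(req, f"{{{CTX}}}Environment")
    _attr(env, REVIEWED_ID, XS_BOOLEAN, "true" if reviewed else "false")
    return ET.tostring(req, encoding="unicode")


def _values(root, category, attr_id):
    """Collect the AttributeValue texts of `attr_id` in the given request category."""
    section = root.find(f"{{{CTX}}}{category}")
    if section is None:
        return []
    return [v.text
            for a in section.findall(f"{{{CTX}}}Attribute")
            if a.get("AttributeId") == attr_id
            for v in a.findall(f"{{{CTX}}}AttributeValue")]


def evaluate(request_xml):
    """Minimal PDP for the one rule in the question.

    Permit when the subject holds the account-operator role, the action is
    'modify' and the environment flag is exactly one boolean 'true';
    anything else (missing flag, 'false', several values) is NotApplicable.
    """
    root = ET.fromstring(request_xml)
    roles = _values(root, "Subject", ROLE_ID)
    actions = _values(root, "Action", ACTION_ID)
    reviewed = _values(root, "Environment", REVIEWED_ID)
    if "account-operator" in roles and "modify" in actions and reviewed == ["true"]:
        return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    for account in ("acct-1001", "acct-1002", "acct-9999"):
        req = build_request(["account-operator"], account)
        print(account, "->", evaluate(req))
```

The caveat that goes with option 1: the PDP simply trusts whatever the PEP puts in the Environment section, so the review lookup becomes part of the trusted path and must not be influenced by the caller. With option 2 (an attribute finder inside the PDP keyed on the resource-id) that lookup moves behind the PDP's trust boundary. In a real XACML policy the same test is expressed as a Rule whose Target carries a SubjectMatch on the role attribute and an EnvironmentMatch on the boolean flag; the Python evaluator here only stands in for that.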