xacml-users message

Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0


Hi,

For 1 and 2, no, you should not do this. That might break the consistency 
of the profile design and lead to unexpected results.

For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role 
of the subject. There exist extensions for RBAC to handle all kinds of 
other requirements, so you may want to search the academic literature on 
the topic.

Regards,
Erik

hao chen wrote:
> Hi,
>
> I would appreciate it if someone could provide some information on the following questions regarding the RBAC profile of XACML v2.0.
>
> 1. The examples included in the profile use policy-combine permit-overrides and rule-combine permit-overrides for both Role <PolicySet> and Permission <PolicySet>. Can we use deny-overrides for both Role <PolicySet> and Permission <PolicySet> too?
>
> 2. The examples included in the profile set Rule's effect to permit for both Role <PolicySet> and Permission <PolicySet>. Can we set Rule's effect to deny for both Role <PolicySet> and Permission <PolicySet>?
>
> 3. Can we use subject's attributes (except role) as conditions in the rule settings of Permission <PolicySet>?
>
> thanks!
> hao
>   
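
An added illustration, not part of the original messages or of the OASIS profile: a simplified Python model of permit-overrides and deny-overrides (Indeterminate handling omitted) over Permission PolicySets in which a senior role's set references a junior role's set. It shows one way a Deny rule combined with deny-overrides gives a different result from permit-only aggregation; the role names, rules and function names are constructed for the example.

```python
# Added illustration: simplified XACML 2.0 combining (Indeterminate omitted).
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def combine(alg, decisions):
    """Apply permit-overrides or deny-overrides to a list of decisions."""
    if alg not in ("permit-overrides", "deny-overrides"):
        raise ValueError("unsupported combining algorithm: " + alg)
    order = (PERMIT, DENY) if alg == "permit-overrides" else (DENY, PERMIT)
    for decision in order:
        if decision in decisions:
            return decision
    return NA  # no rule matched anywhere

def evaluate(pps_id, policy_sets, alg, action, resource):
    """Evaluate one Permission PolicySet: its own rules plus referenced junior sets."""
    pps = policy_sets[pps_id]
    decisions = [effect for act, res, effect in pps["rules"]
                 if (act, res) == (action, resource)]
    # A senior role inherits by referencing the junior role's Permission PolicySet.
    decisions += [evaluate(ref, policy_sets, alg, action, resource)
                  for ref in pps["refs"]]
    return combine(alg, decisions)

# Constructed sample data: Permit-only rules, as in the layout the question describes.
PERMIT_ONLY = {
    "PPS:employee": {"rules": [("create", "purchase-order", PERMIT)], "refs": []},
    "PPS:manager": {"rules": [("sign", "purchase-order", PERMIT)],
                    "refs": ["PPS:employee"]},
}
# Constructed variant: the junior set also carries a Deny rule.
WITH_DENY = {
    "PPS:employee": {"rules": [("create", "purchase-order", PERMIT),
                               ("sign", "purchase-order", DENY)], "refs": []},
    "PPS:manager": PERMIT_ONLY["PPS:manager"],
}

if __name__ == "__main__":
    cases = [("permit-only", PERMIT_ONLY, "permit-overrides"),
             ("with-deny", WITH_DENY, "permit-overrides"),
             ("with-deny", WITH_DENY, "deny-overrides")]
    for name, sets, alg in cases:
        result = evaluate("PPS:manager", sets, alg, "sign", "purchase-order")
        print(f"{name:12} {alg:17} manager sign -> {result}")
```

In the last case the Deny written for the junior role reaches the senior role through the reference and overrides the senior role's own Permit.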


