xacml-users message


Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0


Hi Erik,

By using the request example provided in the profile:

<Request>
  <Subject>
    <Attribute AttributeId="&subject;subject-id"
               DataType="&xml;string">
      <AttributeValue>Anne</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="&role;"
               DataType="&xml;anyURI">
      <AttributeValue>&roles;manager</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="&action;action-id"
               DataType="&xml;anyURI">
      <AttributeValue>&actions;hasPrivilegesOfRole</AttributeValue>
    </Attribute>
  </Action>
</Request>

Could you please go through the steps of how we know if Anne is allowed to act in the given role "manager"? I could not figure it out, since there is no subject information defined in the Permission <PolicySet> at all.

I very much appreciate your help.

hao


--- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:

> From: Erik Rissanen <erik@axiomatics.com>
> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> To: d95776@yahoo.com
> Cc: xacml-users@lists.oasis-open.org
> Date: Tuesday, November 4, 2008, 8:30 AM
> That question answers whether the user is allowed to act in
> the given role. It works by means of following the policy
> references.
> 
> Regards,
> Erik
> 
> hao chen wrote:
> > Hi Erik,
> > 
> > I have another question regarding the RBAC profile of XACML v2.0.
> > 
> > In the RBAC profile of XACML v2.0, it defines a HasPrivilegesOfRole <Policy>
> > that supports requests asking whether a subject has the privileges associated
> > with a given role. The semantics of the policy are not clear to me.
> > Does it answer a question such as:
> > 1) Does a subject have the permissions of a role A?
> > or
> > 2) If a subject has a senior role S, does the subject have the permissions
> > of a junior role A?
> > 
> > I reviewed the examples included in the profile for HasPrivilegesOfRole.
> > The HasPrivilegesOfRole request examples only tell us that the subject has
> > an Id called Anne. How does the PDP follow the hierarchical role chaining
> > and give the correct result?
> > I do not think the policy could answer question 1).
> > If the policy tries to answer question 2), then the request has to provide
> > some senior role and ask if the subject has some junior role, or the policy
> > must define subject match rules against the subject's attributes such that
> > the request must provide the required subject attribute to ask if the
> > subject has the permissions of a role.
> > I think the HasPrivilegesOfRole <Policy> needs to be clarified more in the
> > profile.
> > 
> > Could you please help me to understand the policy better?
> > 
> > thanks a lot.
> > 
> > hao
> > 
> > --- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:
> > 
> >> From: Erik Rissanen <erik@axiomatics.com>
> >> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> >> To: d95776@yahoo.com
> >> Cc: xacml-users@lists.oasis-open.org
> >> Date: Tuesday, November 4, 2008, 7:28 AM
> >> I don't think that you can do that. It's a limitation in the RBAC model
> >> on which the profile is based. It's not a problem with the profile itself.
> >> 
> >> Regards,
> >> Erik
> >> 
> >> hao chen wrote:
> >>> Hi Erik,
> >>> 
> >>> We do have the deny permission situation, such as: if you are level 1
> >>> support, you can not change the code. (role=level 1 support,
> >>> permission=can not do {code, change}).
> >>> Could you please provide me some suggestion on how to use the RBAC
> >>> profile of XACML v2.0 to realize the above semantics without using the
> >>> deny effect and deny-overrides?
> >>> 
> >>> Thanks a lot!
> >>> 
> >>> Hao
> >>> 
> >>> Best Regards
> >>> 
> >>> --- On Tue, 11/4/08, Erik Rissanen <erik@axiomatics.com> wrote:
> >>> 
> >>>> From: Erik Rissanen <erik@axiomatics.com>
> >>>> Subject: Re: [xacml-users] questions on RBAC profile of XACML v2.0
> >>>> To: d95776@yahoo.com
> >>>> Cc: xacml-users@lists.oasis-open.org
> >>>> Date: Tuesday, November 4, 2008, 2:20 AM
> >>>> Hi,
> >>>> 
> >>>> For 1 and 2, no, you should not do this. That might break the
> >>>> consistency of the profile design and lead to unexpected results.
> >>>> 
> >>>> For 3, no, then it's not RBAC anymore. RBAC is based _only_ on the role
> >>>> of the subject. There exist extensions for RBAC to handle all kinds of
> >>>> other requirements, so you may want to search the academic literature
> >>>> on the topic.
> >>>> 
> >>>> Regards,
> >>>> Erik
> >>>> 
> >>>> hao chen wrote:
> >>>>> Hi,
> >>>>> 
> >>>>> I would appreciate it if someone could provide some information on the
> >>>>> following questions regarding the RBAC profile of XACML v2.0.
> >>>>> 
> >>>>> 1. The examples included in the profile use policy-combining
> >>>>> permit-overrides and rule-combining permit-overrides for both the Role
> >>>>> <PolicySet> and the Permission <PolicySet>. Can we use deny-overrides
> >>>>> for both the Role <PolicySet> and the Permission <PolicySet> too?
> >>>>> 
> >>>>> 2. The examples included in the profile set the Rule's effect to permit
> >>>>> for both the Role <PolicySet> and the Permission <PolicySet>. Can we
> >>>>> set the Rule's effect to deny for both the Role <PolicySet> and the
> >>>>> Permission <PolicySet>?
> >>>>> 
> >>>>> 3. Can we use the subject's attributes (except role) as conditions in
> >>>>> the rule settings of the Permission <PolicySet>?
> >>>>> 
> >>>>> thanks!
> >>>>> hao
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
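Erik's answer in the quoted thread, that HasPrivilegesOfRole "works by means of following the policy references", and hao's observation that the Permission <PolicySet> carries no subject information can be made concrete with a small model of the profile's structure. The Python below is an added example; it is not code from the RBAC profile, from Axiomatics, or from anyone on this list. It assumes the URN expansions of the &role; and &actions; entities, uses a constructed prefix in place of &roles;, and makes up the roles (manager senior to employee), the subjects Anne and Bob, the resources and the role-assignment table. The subject is matched only in the Role <PolicySet> Target, against roles the context handler supplies (the role enablement authority), never against anything in the request, which carries only a subject-id exactly as in the profile's example; the Permission <PolicySet> for the senior role then reaches the junior role's HasPrivilegesOfRole <Policy> through its PolicySetIdReference.

```python
"""Toy model of the XACML 2.0 RBAC profile policy structure.

Added example: this is neither code from the profile nor from anyone on the
list. The URN expansions of the &role; and &actions; entities are assumed, and
the roles, subjects, resources and the role-assignment table are constructed.
"""
from dataclasses import dataclass, field

# Assumed expansions of the entities used in the profile's request example.
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
HAS_PRIVILEGES_OF_ROLE = "urn:oasis:names:tc:xacml:2.0:actions:hasPrivilegesOfRole"
ROLES = "urn:example:roles:"   # constructed stand-in for the &roles; prefix

PERMIT = "Permit"
NOT_APPLICABLE = "NotApplicable"


@dataclass
class Request:
    subject_id: str      # the only subject information in the request
    resource: dict       # attribute-id -> value
    action_id: str


@dataclass
class PermissionPolicySet:
    """Permission <PolicySet> of one role: the HasPrivilegesOfRole <Policy>,
    the role's own permission rules, and PolicySetIdReferences to the
    Permission <PolicySet>s of its junior roles. It has no subject target."""
    role: str
    permissions: set                                    # {(action, resource-id)}
    junior_refs: list = field(default_factory=list)     # roles referenced

    def evaluate(self, request, pps_index, visited=None):
        if visited is None:
            visited = set()
        if self.role in visited:        # a cyclic reference would otherwise loop
            return NOT_APPLICABLE
        visited.add(self.role)
        # HasPrivilegesOfRole <Policy>: matches on the role named in the
        # resource and on the action only; the subject is never examined here.
        if (request.action_id == HAS_PRIVILEGES_OF_ROLE
                and request.resource.get(ROLE_ATTR) == ROLES + self.role):
            return PERMIT
        # The role's own permissions (Permit rules only, as in the profile).
        if (request.action_id, request.resource.get("resource-id")) in self.permissions:
            return PERMIT
        # permit-overrides over the referenced junior Permission <PolicySet>s:
        # this is the "following the policy references" step.
        for junior in self.junior_refs:
            if pps_index[junior].evaluate(request, pps_index, visited) == PERMIT:
                return PERMIT
        return NOT_APPLICABLE


@dataclass
class RolePolicySet:
    """Role <PolicySet>: the only place the subject is matched. Its Target
    requires the subject to hold `role`; its body is one PolicySetIdReference."""
    role: str
    permission_ref: str


class ToyPDP:
    def __init__(self, role_policy_sets, permission_policy_sets, role_assignments):
        self.role_policy_sets = role_policy_sets
        self.pps_index = {p.role: p for p in permission_policy_sets}
        # Subject -> enabled roles. In XACML this comes from the context handler
        # (the role enablement authority), not from the request (constructed).
        self.role_assignments = role_assignments

    def evaluate(self, request):
        enabled = self.role_assignments.get(request.subject_id, set())
        for rps in self.role_policy_sets:
            if rps.role in enabled:      # Role <PolicySet> Target matches
                result = self.pps_index[rps.permission_ref].evaluate(request, self.pps_index)
                if result == PERMIT:     # permit-overrides across Role <PolicySet>s
                    return PERMIT
        return NOT_APPLICABLE


def build_pdp():
    """Constructed hierarchy: manager is senior to employee."""
    employee = PermissionPolicySet("employee", {("read", "timesheet")})
    manager = PermissionPolicySet("manager", {("approve", "timesheet")},
                                  junior_refs=["employee"])
    role_policy_sets = [RolePolicySet("employee", "employee"),
                        RolePolicySet("manager", "manager")]
    role_assignments = {"Anne": {"manager"}, "Bob": {"employee"}}
    return ToyPDP(role_policy_sets, [employee, manager], role_assignments)


def has_privileges_of_role(pdp, subject_id, role):
    """Builds the profile's HasPrivilegesOfRole request shape and evaluates it."""
    request = Request(subject_id, {ROLE_ATTR: ROLES + role}, HAS_PRIVILEGES_OF_ROLE)
    return pdp.evaluate(request)


def can_do(pdp, subject_id, action, resource_id):
    """An ordinary permission request, resolved through the same references."""
    return pdp.evaluate(Request(subject_id, {"resource-id": resource_id}, action))


if __name__ == "__main__":
    pdp = build_pdp()
    for subject, role in [("Anne", "manager"), ("Anne", "employee"),
                          ("Bob", "manager"), ("Carol", "employee")]:
        print(f"{subject} hasPrivilegesOfRole {role}: {has_privileges_of_role(pdp, subject, role)}")
```

With the constructed table, asking whether Anne has the privileges of role employee is answered Permit even though nothing in the request says she is a manager: her manager role is resolved by the PDP from the role-assignment table, the manager Role <PolicySet> Target matches, and the manager Permission <PolicySet> reaches the employee HasPrivilegesOfRole <Policy> through its reference. Bob (employee only) asking about manager gets NotApplicable, as does a subject with no enabled role; the model keeps the profile examples' permit-overrides and Permit-only rules, so the Deny questions from the start of the thread are deliberately not modelled.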




