OASIS Mailing List Archives

xacml-users message


Subject: Patterns and best practices for securing access to attributes of resources


I am looking for guidance on how best to use the XACML 2.0 spec for securing 
access to specific attributes of a resource.
Here is my specific situation...

The OASIS ebXML RegRep 4 specifications use XACML 2.0 to secure access 
to registry metadata resources.
Each metadata resource is represented by a RegistryObject. A 
RegistryObject has an XML representation defined by an XML Schema.
The vast majority of regrep use cases simply want access control at the 
granularity of the RegistryObject XML document level.
There are a small number of use cases where the spec (and deployments) 
may wish to control access to specific attributes and sub-elements of a 
RegistryObject XML resource.

Here is a very specific use case for access control of specific 
attributes and sub-elements of a RegistryObject XML resource....
The spec needs to define an XACML policy that limits the action of 
update or delete to the status attribute of a RegistryObject to 
specified subjects.

It is clear to me (and in the regrep 4 specs) how XACML 2.0 can be 
used to secure access to RegistryObjects at the entire object level.
It is not clear to me how the regrep 4 specs could define performing 
access to specific sub-elements and attributes of RegistryObjects.
This is where I am requesting your guidance on suggested patterns or 
best practices.

Please let me know if the problem description needs more clarity. Thanks 
in advance for your help.


Web: http://www.wellfleetsoftware.com
