RE: XACML TC Charter Revision - Strawman

[Michiharu Kudoh <KUDO@jp.ibm.com>]

In the last sentence, do you mean a role assignment policy by
'anyone with the X role also has the Y role'?
If so, the role assignment might be done in the authentication step,
not authorization step. If not, could you explain more in detail,
particularly cases that <role> is specified in the <object>.

regards,
Michiharu Kudo
Internet Technology              TEL +81-46-215-4642
Tokyo Research Laboratory    FAX +81-46-273-7428
IBM Japan Ltd.                      Internet: kudo@jp.ibm.com


From: Phillip Hallam-Baker <pbaker@verisign.com> on 2001/05/31 19:49

Please respond to Phillip Hallam-Baker <pbaker@verisign.com>

To:   Marlena Erdos/Austin/Contr/IBM@IBMUS, "'xacml@lists.oasis-open.org'"
      <xacml@lists.oasis-open.org>
cc:
Subject:  RE: XACML TC Charter Revision - Strawman



I agree with Marlena, keep the term 'subject' to refer to the principal
regardless of whether it be one principal or a set of principals.

So for example an XACML <Role> could be a principal, indicating that anyone
with the specified Role had the specified relationship to the <Object>.

It is essential to differentiate the occurence of a <role> in the <subject>
and the occurence of a <role> in the <object>. A particular assertion might
even have roles in both locations 'anyone with the X Role also has the Y
role' - very useful for mapping external roles and attributes onto localy
defined roles.

          Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Marlena Erdos [mailto:marlena@us.ibm.com]
> Sent: Thursday, May 31, 2001 1:41 AM
> To: 'xacml@lists.oasis-open.org'
> Subject: RE: XACML TC Charter Revision - Strawman
>
>
> >Policy Target
> >The target of a policy (hereafter referred to as "subject")
> can be any
> >object that can be referenced in XML.
>
> In my experience, the term "subject" would more usually
> refer to the principle requesting access to a resource.
>
> I can't tell for sure if XACML policies are exclusively
> resource-centric (a list of principles/groups/roles that
> have access to a given resource) or also encompass
> principle-centric policies (i.e.
> a list of the resources a given principle has access to).
> Or maybe we want to be able to express both.
> However, I don't think "subject" is
> appropriate when talking about the target for
> resource-centric policies.  (It would be OK for
> principle-centric ones.)
>    Instead of "subject", why don't we just use "target"?
> I think that covers both the principle-centric case and
> the resource-centric one fairly nicely.
>
> Regards,
> Marlena Erdos
> IBM/Tivoli
>
>
> ------------------------------------------------------------------
> To unsubscribe from this elist send a message with the single word
> "unsubscribe" in the body to: xacml-request@lists.oasis-open.org
>