OASIS Mailing List Archives



xacml message


Subject: RE: XACML TC Charter Revision - Strawman

In the last sentence, do you mean a role assignment policy by
'anyone with the X role also has the Y role'?
If so, the role assignment might be done in the authentication step,
not the authorization step. If not, could you explain in more detail,
particularly the cases in which <role> is specified in the <object>?

Michiharu Kudo
Internet Technology              TEL +81-46-215-4642
Tokyo Research Laboratory    FAX +81-46-273-7428
IBM Japan Ltd.                      Internet: kudo@jp.ibm.com

From: Phillip Hallam-Baker <pbaker@verisign.com> on 2001/05/31 19:49

Please respond to Phillip Hallam-Baker <pbaker@verisign.com>

To:   Marlena Erdos/Austin/Contr/IBM@IBMUS, "'xacml@lists.oasis-open.org'"
Subject:  RE: XACML TC Charter Revision - Strawman

I agree with Marlena, keep the term 'subject' to refer to the principal
regardless of whether it be one principal or a set of principals.

So for example an XACML <Role> could be a principal, indicating that anyone
with the specified Role had the specified relationship to the <Object>.

It is essential to differentiate the occurrence of a <role> in the <subject>
and the occurrence of a <role> in the <object>. A particular assertion might
even have roles in both locations: 'anyone with the X Role also has the Y
role' - very useful for mapping external roles and attributes onto locally
defined roles.


Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
781 245 6996 x227

> -----Original Message-----
> From: Marlena Erdos [mailto:marlena@us.ibm.com]
> Sent: Thursday, May 31, 2001 1:41 AM
> To: 'xacml@lists.oasis-open.org'
> Subject: RE: XACML TC Charter Revision - Strawman
> >Policy Target
> >The target of a policy (hereafter referred to as "subject") can be any
> >object that can be referenced in XML.
> In my experience, the term "subject" would more usually
> refer to the principal requesting access to a resource.
> I can't tell for sure if XACML policies are exclusively
> resource-centric (a list of principals/groups/roles that
> have access to a given resource) or also encompass
> principal-centric policies (i.e.
> a list of the resources a given principal has access to).
> Or maybe we want to be able to express both.
> However, I don't think "subject" is
> appropriate when talking about the target for
> resource-centric policies.  (It would be OK for
> principal-centric ones.)
>    Instead of "subject", why don't we just use "target"?
> I think that covers both the principal-centric case and
> the resource-centric one fairly nicely.
> Regards,
> Marlena Erdos
> IBM/Tivoli
