Subject: RE: Groups vs. Roles
Here's the full quote:

"Roles provide a semantic grouping of policies with a common subject, generally pertaining to a position within an organisation such as department manager, project manager, analyst or ward-nurse. Specifying organizational policies for human managers in terms of manager positions rather than persons permits the assignment of a new person to the manager position without re-specifying the policies referring to the duties and authorizations of that position [16]. A role can also specify the policies that apply to an automated component acting as a subject in the system. Organisational positions can be represented as domains and we consider a role to be the set of authorisation, obligation, refrain and delegation policies with the subject domain of the role as their subject. A role is thus a special case of a group, in which all the policies have the same subject."

The above is clearly in error in at least one way: "subject" should be "subject type" or "subject class".

> -----Original Message-----
> From: Pierangela Samarati [mailto:samarati@pinky.crema.unimi.it]
> Sent: Thursday, July 26, 2001 7:02 AM
> To: Simon Y. Blackwell
> Cc: 'xacml@lists.oasis-open.org'
> Subject: RE: Groups vs. Roles
>
> Hi
>
> > "A role is thus a special case of a group, in which all the policies have
> > the same subject."
>
> ????? i am not sure i understand this......
>
> > This would imply that although roles are useful, one never has to reference
> > a role from a policy. One can simply reference the group which has a one to
> > one mapping with the named role. This is not inconsistent with my first
> > statement:
>
> i'm not sure ......
>
> roles are dynamic by nature and can be activated and released.
>
> -p