Subject: RE: Another Group - Role Distinction?


Hmmm ...

Can you say more about this

"> authorizations granted to roles can propagate to their sub roles
> (you may not always want propagation to preserve least privilege)."

And

"> In such a context authorization propagation when dealing with roles can
> have an additional aspect: if a user is authorized to activate a role s/he
> can also activate roles that are generalization of it."

I need to be clear about "generalization". In the hierarchy

Chief Auditor
	Senior Auditor
		Junior Auditor

Which is a generalization of Senior Auditor? From your statement and what I
think the security should be, I would say a Senior Auditor can activate a
Junior Auditor role. However, based on my understanding of the term
"generalization" I would say Chief Auditor.


> -----Original Message-----
> From: Pierangela Samarati [mailto:samarati@pinky.crema.unimi.it]
> Sent: Friday, August 03, 2001 6:44 AM
> To: Simon Y. Blackwell
> Cc: 'xacml@lists.oasis-open.org'
> Subject: Re: Another Group - Role Distinction?
> 
> 
> > Is it the case that groups propagate "up" whereas roles propagate "down" for
> > security purposes?
> 
> I believe it is the case that:
> 
> authorizations granted to groups always propagate to their members
> (subgroups and users)
> 
> authorizations granted to roles can propagate to their subroles
> (you may not always want propagation to preserve least privilege).
> Not having propagation can be ok for roles, while it is not applicable for
> groups.
> 
> When talking about identities, a user always connects as him/herself
> (i.e., the subject you will have to check is always a minimal element of
> the user-group hierarchy).
> However, it is not so for roles: a user can activate a role which is
> nonminimal in the role hierarchy.
> 
> In such a context authorization propagation when dealing with roles can
> have an additional aspect: if a user is authorized to activate a role s/he
> can also activate roles that are generalizations of it.
> 
> -p
> 

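The two propagation rules discussed in this thread (group grants always flowing to members, role grants flowing to subroles only when allowed, and role activation extending to a role's generalizations), modelled as an added example that is not part of either message. It assumes one reading of the terms the thread is still debating: Senior Auditor specializes Junior Auditor, so Junior Auditor is the generalization of Senior Auditor; the users, groups and permissions are constructed sample data.

```python
# Added example, not from the thread. Assumed reading: in the auditor
# hierarchy each role specializes the one below it, so "generalization of
# Senior Auditor" means Junior Auditor, and "subroles" are specializations.

# Group membership: a group holds subgroups and users (constructed data).
GROUP_MEMBERS = {
    "staff": {"auditors", "carol"},
    "auditors": {"alice", "bob"},
}
# Role hierarchy written as specialization -> generalization (constructed).
GENERALIZES = {
    "Chief Auditor": "Senior Auditor",
    "Senior Auditor": "Junior Auditor",
}
# Authorizations: (principal, permission, propagate). Group grants always
# propagate to members; for roles the flag decides, and propagate=False is
# how a grant is kept from flowing to subroles to preserve least privilege.
GRANTS = [
    ("staff", "read:handbook", True),
    ("auditors", "read:ledger", True),
    ("Junior Auditor", "read:workpapers", True),
    ("Junior Auditor", "edit:timesheet", False),  # juniors only
    ("Senior Auditor", "sign:report", True),
]

def groups_of(user):
    """All groups a user belongs to, directly or through subgroups."""
    result, frontier = set(), {user}
    while frontier:
        member = frontier.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in result:
                result.add(group)
                frontier.add(group)
    return result

def generalizations_of(role):
    """The role itself followed by every role it specializes, most specific first."""
    chain = [role]
    while chain[-1] in GENERALIZES:
        chain.append(GENERALIZES[chain[-1]])
    return chain

def effective_permissions(user, active_role=None):
    """Group grants apply unconditionally; role grants apply for the active role
    and, when flagged propagate, for each of its generalizations."""
    perms = {perm for principal, perm, _ in GRANTS if principal in groups_of(user)}
    for role in generalizations_of(active_role) if active_role else []:
        for principal, perm, propagate in GRANTS:
            if principal == role and (propagate or role == active_role):
                perms.add(perm)
    return perms
```

`generalizations_of("Senior Auditor")` is also the set of roles a user authorized for Senior Auditor may activate under this reading.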
