Subject: RE: Another Group - Role Distinction?
Hmmm ... Can you say more about this:

> authorizations granted to roles can propagate to their sub roles
> (you may not always want propagation to preserve least privilege).

And:

> In such a context authorization propagation when dealing with roles can
> have an additional aspect: if a user is authorized to activate a role s/he
> can also activate roles that are generalization of it.

I need to be clear about "generalization". In the hierarchy

Chief Auditor
Senior Auditor
Junior Auditor

which is a generalization of Senior Auditor? From your statement and what I think the security should be, I would say a Senior Auditor can activate a Junior Auditor role. However, based on my understanding of the term "generalization" I would say Chief Auditor.

> -----Original Message-----
> From: Pierangela Samarati [mailto:samarati@pinky.crema.unimi.it]
> Sent: Friday, August 03, 2001 6:44 AM
> To: Simon Y. Blackwell
> Cc: 'xacml@lists.oasis-open.org'
> Subject: Re: Another Group - Role Distinction?
>
> > Is it the case that groups propagate "up" whereas roles propagate "down" for
> > security purposes?
>
> I believe it is the case that:
>
> authorizations granted to groups always propagate to their members
> (subgroups and users)
>
> authorizations granted to roles can propagate to their subroles
> (you may not always want propagation to preserve least privilege).
> Not having propagation can be ok for roles, while it is not applicable for
> groups.
>
> When talking about identities, a user always connects as him/herself
> (i.e., the subject you will have to check is always a minimal element of
> the user-group hierarchy).
> However, it is not so for roles: a user can activate a role which is
> nonminimal in the role hierarchy.
>
> In such a context authorization propagation when dealing with roles can
> have an additional aspect: if a user is authorized to activate a role s/he
> can also activate roles that are generalization of it.
>
> -p
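A small model of the group/role distinction discussed in this exchange, added here as an illustration; it is not code from the thread, from XACML, or from any of the participants. It takes one of the two readings the question raises, namely that a "subrole" is a specialization and a "generalization" is the role above it in that sense, so Senior Auditor is a subrole of Junior Auditor and Chief Auditor a subrole of Senior Auditor. Group-authorizations always reach every member, role-authorizations carry a per-grant propagate flag, and a user may activate any role granted to them plus its generalizations. The hierarchy, groups, users, objects and grants are all constructed sample data.

```python
"""Constructed example: group vs. role authorization propagation and role
activation. The reading of "subrole"/"generalization" below is an assumption."""
from dataclasses import dataclass

# role -> its immediate generalizations (constructed sample hierarchy;
# assumption: a subrole is a specialization drawn below its generalization)
GENERALIZATIONS = {
    "Chief Auditor": {"Senior Auditor"},
    "Senior Auditor": {"Junior Auditor"},
    "Junior Auditor": set(),
}

# group -> direct members, which may be users or subgroups (constructed)
GROUP_MEMBERS = {
    "Finance": {"Audit", "carol"},
    "Audit": {"alice", "bob"},
}

@dataclass(frozen=True)
class RoleAuth:
    role: str
    obj: str
    action: str
    propagate: bool  # True: subroles inherit it; False: this role only

@dataclass(frozen=True)
class GroupAuth:
    group: str
    obj: str
    action: str      # group grants always propagate to every member

def _closure(start, edges):
    """Transitive closure over a dict of node -> set(node)."""
    seen, todo = set(), list(edges.get(start, ()))
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(edges.get(n, ()))
    return seen

def generalizations(role):
    """All roles more general than `role` (transitively)."""
    return _closure(role, GENERALIZATIONS)

def members(group):
    """All users and subgroups below `group` (transitively)."""
    return _closure(group, GROUP_MEMBERS)

def group_permissions(user, group_auths):
    """The subject checked is always the user (a minimal element), and every
    authorization on a group containing the user applies; no opt-out exists."""
    return {(a.obj, a.action) for a in group_auths if user in members(a.group)}

def role_permissions(role, role_auths):
    """Grants made directly on `role`, plus grants on one of its
    generalizations whose propagate flag is set (least privilege: a grant
    with propagate=False stays with the role it was made on)."""
    return {(a.obj, a.action) for a in role_auths
            if a.role == role or (a.propagate and a.role in generalizations(role))}

def activatable_roles(user, activation_grants):
    """Roles the user may activate: those granted plus their generalizations."""
    granted = set(activation_grants.get(user, ()))
    return granted | {g for r in granted for g in generalizations(r)}

def role_check(user, active_role, obj, action, activation_grants, role_auths):
    """Role-based decision. Unlike a user, the subject here may be a
    non-minimal element of the hierarchy, so the activation itself must be
    authorized before the role's permissions are consulted."""
    if active_role not in activatable_roles(user, activation_grants):
        return False
    return (obj, action) in role_permissions(active_role, role_auths)

# Constructed sample grants
GROUP_AUTHS = [GroupAuth("Finance", "ledger", "read")]
ROLE_AUTHS = [
    RoleAuth("Junior Auditor", "workpapers", "read", propagate=True),
    RoleAuth("Junior Auditor", "training-sandbox", "write", propagate=False),
    RoleAuth("Chief Auditor", "audit-plan", "sign", propagate=True),
]
ACTIVATION = {"alice": {"Senior Auditor"}, "bob": {"Junior Auditor"}}

if __name__ == "__main__":
    print("alice via groups:", group_permissions("alice", GROUP_AUTHS))
    print("alice may activate:", activatable_roles("alice", ACTIVATION))
    for role in GENERALIZATIONS:
        print(role, "->", role_permissions(role, ROLE_AUTHS))
```

With this data, alice reaches the ledger through Finance purely by membership, can activate Senior Auditor or its generalization Junior Auditor but not Chief Auditor, inherits the workpapers grant in Senior Auditor because it was marked to propagate, and only gets the sandbox grant by activating Junior Auditor, since that grant was deliberately kept from propagating.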