Subject: RE: [glossary] 'no subject'


I agree that the "subject" of an authorization action need not be a user -
and did not read the SAML definition to restrict in this way (the example
clause was illustrative not restrictive). Nonetheless, we should clear up
the definition so that there is no question that we can use attributes to
identify the subject rather than assuming that identity is the sole
determinant.

- joe

-----Original Message-----
From: Pierangela Samarati [mailto:samarati@pinky.crema.unimi.it]
Sent: Sunday, October 07, 2001 10:27 AM
To: bill parducci
Cc: xacml
Subject: Re: [glossary] 'no subject'


Hi Bill

> i was reading through the saml glossary that jeff hodges posted some
> time back and noticed that the description for the term AUTHORIZATION in
> part states:
>
> "...The (act of) granting of access rights to a subject (for example, a
> user, or program)."

just my 2 cents. the definition in the saml glossary seems restrictive.
i think we do want to include authorizations that refer to the requestor's
properties (like being a member_of_acm, or an airline_frequent_flyer).
in a global distributed scenario, unknown users can present requests and
the access decision may indeed depend on properties they can present by
means of certificates rather than on their identity (there are also
situations in which you want to be able to process requests while
maintaining anonymity of requestors).
Authorizations can more generally grant access rights to a set of subjects
holding some properties.

in this respect i agree with the fact that it is too restrictive to
require user identity.

best
-p


>
> this implies that a subject must exist for a policy to be executed
> since:
>
> 1. an authorization is directly derived from a policy
> 2. the only input for this derivation is the policy (the subject cannot
> come from another source)
> 3. the definition above states that an authorization acts upon a subject

