Subject: [xacml] [policy-model]: group membership flattening



In our last discussion on the policy model conf call a question was raised as to how to compute
group closure in the pdp.

I assume that we are using the SAML protocol (or its extension) for authorization decision queries.

There are several sources for group membership information.
1. It could be provided as evidence in the query itself.
2. pdp could query attribute authorities (1 or more) for the subject's group membership.
3. pdp can maintain group hierarchy locally.

Pdp can maintain a policy on how to compute group closure for various subjects and resources.
This policy could specify combinations of 1, 2, and 3.

One policy could be that evidence from the request should be ignored,
and direct group membership should be taken from attribute authorities,
and group hierarchy should be kept in the pdp.
In this case input from 1 is ignored and 2 is used in 3 for closure computation.

Or we can take group membership from the evidence in the request only.

Allowing the pdp to specify a policy for group membership computation provides for the most
flexibility.

Simon Godik
Crosslogix
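As an added illustration (not part of the original message), the following Python sketch models the three membership sources described above and a PDP policy that selects which of them to use; the group names, the attribute-authority answers and the local hierarchy are constructed sample data. The closure walk is written to terminate even if the locally maintained hierarchy contains a cycle.

```python
from collections import deque

# Constructed sample data (assumptions, not from the original message).
# Source 3: group hierarchy kept locally in the PDP, child group -> parent groups.
LOCAL_HIERARCHY = {
    "dev-team": {"engineering"},
    "engineering": {"staff"},
    "sec-team": {"engineering", "incident-responders"},
    "incident-responders": {"staff"},
}

# Source 2: direct membership as an attribute authority would report it.
ATTRIBUTE_AUTHORITY = {"alice": {"dev-team"}, "bob": {"sec-team"}}


def group_closure(direct_groups, hierarchy):
    """Return the direct groups plus every ancestor reachable in the hierarchy.

    Breadth-first walk; the visited set stops the walk on a cyclic hierarchy.
    """
    closure = set()
    queue = deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in closure:
            continue
        closure.add(group)
        queue.extend(hierarchy.get(group, ()))
    return closure


def compute_groups(subject, evidence_groups, policy,
                   aa=ATTRIBUTE_AUTHORITY, hierarchy=LOCAL_HIERARCHY):
    """Apply a PDP closure policy, given as the set of sources to honour.

    policy is a subset of {"evidence", "attribute_authority", "hierarchy"}:
    "evidence" trusts groups carried in the request (source 1),
    "attribute_authority" pulls direct membership from the AA (source 2),
    "hierarchy" expands the direct groups using the local hierarchy (source 3).
    """
    direct = set()
    if "evidence" in policy:
        direct |= set(evidence_groups)
    if "attribute_authority" in policy:
        direct |= aa.get(subject, set())
    if "hierarchy" in policy:
        return group_closure(direct, hierarchy)
    return direct


if __name__ == "__main__":
    # Policy from the message: ignore request evidence, take direct membership
    # from the AA, expand with the PDP's own hierarchy. "admins" in the evidence is dropped.
    print(compute_groups("alice", {"admins"}, {"attribute_authority", "hierarchy"}))
    # Alternative policy: use only the evidence in the request, no expansion.
    print(compute_groups("alice", {"admins"}, {"evidence"}))
```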
