Subject: Re: [xacml] Agenda for November 15 Telecon...
here is a repost of pierangela's document in pdf format.

b

Pierangela Samarati wrote:

> Hi
>
> as mentioned in the concall today at the last policy committee
> call we discussed the issue of positive (meaning permissions; e.g.,
> "this principal can access this resource") and negative authorizations
> (meaning denials: "this principal cannot access this resource").
> While it is true that you cannot do with permissions alone (many cases
> call for more flexibility), it is also true that having denials
> complicates the framework (mostly also since when you start having denials
> you start thinking of the different semantics that they can carry - and
> that who specified the rule may have intended).
>
> i had proposed an alternative solution inspired by a recent work, which
> goes as follows. Distinguish two kinds of rules:
>
> 1) the ones that specify sufficient conditions (which are the permissions
> above)
>
> 2) the ones that specify necessary conditions.
>
> instead of repeating descriptions and examples here, i am attaching you a
> file of that work where the two forms of rules are introduced (Section
> 4.2). Of course our language is different as more expressive; but that
> gives the idea.
>
> only one thing, what i call "subject"
> there is our "principal", what i call "object" is our "resource"
>
> pls just send me email (or post the group) for any clarification that may
> be needed, and any comments.
>
> best
> -p
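An added illustration, not part of the original message or of the attached paper: a small evaluator for the two kinds of rules the message distinguishes, showing a denial rewritten as a necessary condition. The combining semantics (grant only if every applicable necessary rule holds and at least one sufficient rule holds), the names `Rule` and `evaluate`, and the sample policy and requests are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # constructed attributes of one access request


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Request], bool]    # which requests the rule governs
    condition: Callable[[Request], bool]  # what must hold for those requests


def evaluate(req: Request, sufficient: List[Rule],
             necessary: List[Rule]) -> Tuple[bool, str]:
    # Assumed combination: every necessary rule governing the request must
    # hold, and at least one sufficient rule must hold. Closed policy otherwise.
    failed = [r.name for r in necessary if r.applies(req) and not r.condition(req)]
    if failed:
        return False, "necessary condition not met: " + ", ".join(failed)
    met = [r.name for r in sufficient if r.applies(req) and r.condition(req)]
    if met:
        return True, "sufficient condition met: " + met[0]
    return False, "no sufficient condition met"


def on_records(req: Request) -> bool:
    return req["resource"].startswith("records/")


# Constructed policy. The denial "nobody outside the internal network may read
# records" is written as a necessary condition instead of a negative rule.
SUFFICIENT = [
    Rule("doctor-read", on_records,
         lambda r: r["role"] == "doctor" and r["action"] == "read"),
    Rule("owner-read", on_records,
         lambda r: r["resource"] == "records/" + r["principal"] and r["action"] == "read"),
]
NECESSARY = [Rule("internal-only", on_records, lambda r: r["network"] == "internal")]

# Constructed requests: principal, role, resource, action, network.
REQUESTS = [dict(zip(("principal", "role", "resource", "action", "network"), row)) for row in [
    ("alice", "doctor", "records/bob", "read", "internal"),
    ("alice", "doctor", "records/bob", "read", "external"),
    ("bob", "patient", "records/bob", "read", "internal"),
    ("carol", "clerk", "records/bob", "read", "internal"),
]]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["principal"], req["network"], evaluate(req, SUFFICIENT, NECESSARY))
```

Because a necessary rule can only withhold access and never grant it, the conflict-resolution question raised by explicit denials does not arise in this evaluator.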