Subject: RE: [xacml] Delegation?

With regards to SAML, the Access Decision Request was deliberately kept simple with the idea that XACML would give us the tools to do the job properly. I have proposed (see my use cases) that XACML not only be able to express policies, but the method of expressing policy inputs be rolled back into the SAML Access Decision Request (and Assertion).

In my opinion, XACML policies should be able to contain predicates about zero or more of the following subjects:

Requestor Subject
Recipient Subject (can be different from requestor)
Intermediary Subject (can be more than one for a given request)

I propose a single construct for Subjects and their attributes and some kind of modifier indicating the type (refrain from using "role" here) of subject.

Hal

> -----Original Message-----
> From: Polar Humenn [mailto:polar@syr.edu]
> Sent: Monday, December 17, 2001 2:15 PM
> To: xacml@lists.oasis-open.org
> Subject: [xacml] Delegation?
>
>
>
> Has anybody thought about how delegation can be reasoned
> about in XACML?
>
> It appears that SAML only asserts a flat list of attributes with a single
> principal, or am I off base here?
>
> Can I support policies on such operations as:
>
> Paul for Peter says debit Peter's account?
>
> Which means that Paul (or some other party trusted to do so) has issued
> Paul the authorization to act on behalf of Peter, in this case to access
> Peter's account.
>
> Or such things, like
>
> WebServer quoting JohnDoe says lookup  in customer database.
>
> Where the WebServer may be trusted to authenticate JohnDoe, but no such
> proof is necessary other than the WebServer merely claiming to be acting
> on JohnDoe's behalf?
>
> -Polar
>
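The two use cases Polar raises and the three subject types Hal proposes, worked through as an added toy policy decision point. This is example code written for this archive page, not code from the thread or from any XACML implementation; the three subject-category URIs are the ones XACML 1.0 later defined for exactly this purpose, while the attribute short-hands (subject-id, on-behalf-of, delegation-issuer, authn-method, department), the trust lists and the sample requests are constructed for illustration. Each rule is a predicate over whichever subject category it cares about, and a deny-overrides combiner resolves them.

```python
"""Toy policy decision point for requests that carry several typed subjects.

Added example for this archive page, not code from the thread or from any
XACML implementation. Category URIs are the ones XACML 1.0 later defined;
attribute names, trust lists and sample requests are constructed.
"""
from dataclasses import dataclass

ACCESS = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RECIPIENT = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
INTERMEDIARY = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed trust configuration for the example policy.
TRUSTED_DELEGATION_ISSUERS = {"BankDelegationService"}
TRUSTED_INTERMEDIARIES = {"WebServer"}
BLOCKED_RECIPIENTS = {"Mallory"}


@dataclass
class Subject:
    category: str   # one of ACCESS, RECIPIENT, INTERMEDIARY
    attrs: dict     # e.g. {"subject-id": "Paul", "authn-method": "password"}


@dataclass
class Request:
    subjects: list  # zero or more Subject, any mix of categories
    resource: dict
    action: str

    def subjects_of(self, category):
        return [s for s in self.subjects if s.category == category]


def rule_debit(req):
    """'Paul for Peter says debit Peter's account': the owner, or a party holding
    a delegation from the owner or a trusted issuer, may debit; never to a
    blocked recipient (a predicate on the recipient subject)."""
    if req.action != "debit" or req.resource.get("type") != "account":
        return NOT_APPLICABLE
    for r in req.subjects_of(RECIPIENT):
        if r.attrs.get("subject-id") in BLOCKED_RECIPIENTS:
            return DENY
    owner = req.resource["owner"]
    for s in req.subjects_of(ACCESS):
        if s.attrs.get("subject-id") == owner:
            return PERMIT
        if (s.attrs.get("on-behalf-of") == owner
                and s.attrs.get("delegation-issuer") in TRUSTED_DELEGATION_ISSUERS | {owner}):
            return PERMIT
    return DENY


def rule_quoted_identity(req):
    """'WebServer quoting JohnDoe': an identity an intermediary merely claims to
    act for is accepted only from a trusted intermediary, and never for debit."""
    quoted = [s for s in req.subjects_of(ACCESS) if s.attrs.get("authn-method") == "quoted"]
    if not quoted:
        return NOT_APPLICABLE
    vouching = {s.attrs.get("subject-id") for s in req.subjects_of(INTERMEDIARY)}
    if not vouching & TRUSTED_INTERMEDIARIES:
        return DENY
    if req.action == "debit":
        return DENY
    return NOT_APPLICABLE   # other rules decide on the merits


def rule_customer_lookup(req):
    """Customer-database lookups are permitted to customer-service staff."""
    if req.action != "lookup" or req.resource.get("type") != "customer-db":
        return NOT_APPLICABLE
    if any(s.attrs.get("department") == "customer-service" for s in req.subjects_of(ACCESS)):
        return PERMIT
    return DENY


RULES = (rule_debit, rule_quoted_identity, rule_customer_lookup)


def decide(req, rules=RULES):
    """Deny-overrides combination: any Deny wins, then any Permit."""
    results = [rule(req) for rule in rules]
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def sample_decisions():
    """Constructed requests covering both of Polar's cases plus a recipient check."""
    paul = {"subject-id": "Paul", "authn-method": "password"}
    paul_for_peter = {**paul, "on-behalf-of": "Peter", "delegation-issuer": "Peter"}
    john_quoted = {"subject-id": "JohnDoe", "authn-method": "quoted", "department": "customer-service"}
    web = Subject(INTERMEDIARY, {"subject-id": "WebServer"})
    kiosk = Subject(INTERMEDIARY, {"subject-id": "Kiosk"})
    peters_account = {"type": "account", "owner": "Peter"}
    reqs = {
        "paul_for_peter_debits_peter": Request([Subject(ACCESS, paul_for_peter)], peters_account, "debit"),
        "paul_alone_debits_peter": Request([Subject(ACCESS, paul)], peters_account, "debit"),
        "paul_for_peter_pays_mallory": Request(
            [Subject(ACCESS, paul_for_peter), Subject(RECIPIENT, {"subject-id": "Mallory"})],
            peters_account, "debit"),
        "webserver_quoting_john_lookup": Request(
            [web, Subject(ACCESS, john_quoted)], {"type": "customer-db"}, "lookup"),
        "kiosk_quoting_john_lookup": Request(
            [kiosk, Subject(ACCESS, john_quoted)], {"type": "customer-db"}, "lookup"),
        "webserver_quoting_john_debit": Request(
            [web, Subject(ACCESS, john_quoted)], {"type": "account", "owner": "JohnDoe"}, "debit"),
    }
    return {name: decide(req) for name, req in reqs.items()}


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name:32s} {outcome}")
```

The point of the single Subject construct with a category tag is visible in the last case: JohnDoe is the account owner, so the debit rule on its own would permit, but because his identity is only quoted by the WebServer rather than authenticated, the quoted-identity rule denies and deny-overrides wins. A flat attribute list with one principal cannot express that distinction.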