

Subject: [xacml] Proposed standard for RBAC. Forwarded message from Anne Anderson.


Carlisle and Hal,

Edwin DeSouza pointed me to this proposed "voluntary consensus
standard".   I did a quick read, and believe their requirements
can be met easily with profiles of XACML.

Could you try to set up a joint call with the NIST team that is
working on this standard to see if we can work together?  It does
not seem beneficial to the industry to have competing standards
for access control.

Anne

------- start of forwarded message -------
From: Anne Anderson <Anne.Anderson@sun.com>
To: David Ferraiolo <david.ferraiolo@nist.gov>, Rick Kuhn <kuhn@nist.gov>,
   Ramaswamy Chandramouli <mouli@nist.gov>, John Barkley <jbarkley@nist.gov>,
   rbac-info@nist.gov
Subject: [xacml] Proposed standard for RBAC
Date: Tue, 15 Apr 2003 10:40:13 -0400

http://csrc.nist.gov/rbac/ proposes a "voluntary consensus
standard for role based access control", available at
http://csrc.nist.gov/rbac/rbac-std-ncits.pdf

Have you considered building on the OASIS eXtensible Access
Control Markup Language (XACML)?  This was approved as an OASIS
Standard in February of 2003, there are two Open Source
implementations available, and it is receiving generally good
acceptance by the industry.  For more information, see
http://www.oasis-open.org/committees/xacml

XACML supports the Core RBAC role and permission models quite
well: multiple roles per user, multiple users per role, multiple
permissions per role, multiple roles per permission, and
simultaneous exercise of permissions of multiple roles.  XACML
does not specify the mechanisms for how role attributes are
assigned to users, but supports all the above models.  NIST might
find it advantageous to develop Core RBAC as a profile of XACML,
rather than trying to create yet another language.

XACML can also support Hierarchical RBAC ("junior" roles acquire
the user membership of their "senior" roles, and "senior" roles
acquire the permissions of their "juniors") using XACML's
mechanism for including one set of policies inside another by
reference.  NIST again might find it advantageous to profile
XACML to support Hierarchical RBAC.

I will ask the XACML Co-Chairs, Carlisle Adams (Entrust) and Hal
Lockhart (BEA), to see if we can set up a joint conference call
to discuss ways of working together.  Meanwhile, I expect several
XACML members will be reviewing the proposed NIST standard
closely to determine whether there are specific requirements that
XACML is not currently able to handle.

Yours truly,
Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692


------- end of forwarded message -------

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
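
The Core and Hierarchical RBAC models described in the forwarded message, as an added sketch that is not part of the original post and is not XACML syntax. It models "including one set of policies inside another by reference" with plain Python data; every role, permission and policy-set id is constructed for illustration.

```python
# Simplified in-memory model (assumption: not XACML syntax or any XACML API).
# Each role has a permission policy set: its own permissions plus references
# to the policy sets of its junior roles (inclusion by reference).
POLICY_SETS = {
    "PPS:employee": {"permissions": {("read", "handbook")}, "includes": []},
    "PPS:engineer": {"permissions": {("commit", "source")},
                     "includes": ["PPS:employee"]},
    "PPS:manager": {"permissions": {("approve", "expense")},
                    "includes": ["PPS:employee"]},
    "PPS:director": {"permissions": {("sign", "contract")},
                     "includes": ["PPS:manager", "PPS:engineer"]},
}

# Role assignment happens outside the policy language; a user may hold
# several roles and exercise the permissions of all of them at once.
USER_ROLES = {
    "alice": {"director"},
    "bob": {"engineer", "manager"},
    "carol": {"employee"},
}


def resolve(policy_set_id, _active=()):
    """Return every permission reachable from a policy set via references."""
    if policy_set_id in _active:
        chain = " -> ".join(_active + (policy_set_id,))
        raise ValueError("reference cycle: " + chain)
    if policy_set_id not in POLICY_SETS:
        raise ValueError("dangling reference: " + policy_set_id)
    pset = POLICY_SETS[policy_set_id]
    perms = set(pset["permissions"])
    for ref in pset["includes"]:
        # A senior role acquires its juniors' permissions through the reference.
        perms |= resolve(ref, _active + (policy_set_id,))
    return perms


def permitted(user, action, resource):
    """Permit if any role held by the user grants the permission, else deny."""
    for role in USER_ROLES.get(user, ()):
        if (action, resource) in resolve("PPS:" + role):
            return True
    return False
```

A reference cycle or a dangling reference raises an error rather than silently granting or dropping permissions, which is the failure mode to check for when role hierarchies are built from policy references.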


