Subject: No Subject
PBAC should be considered a super-set of RBAC. That is, RBAC is a special case of PBAC. Rather than just roles, PBAC uses attributes. A role is just a special type of attribute. Attributes can be of various types:

  o User Attributes that are set upon a start of a session
  o Environment Attributes (for example, SSL connection strength)
  o Application "evidence" that can be used in the policies/rules

Operations are now defined as a combination of policy and rules. Both policies and rules are combinatorial - and, of course, they can be dynamic and not just pertain to user attributes. Policy enforcement can be dynamic from a number of perspectives:

  o Rules can be evaluated given some data of a dynamic nature, even of a real time nature (for example, a rule that checks the NASDAQ index to see if it's below a value of 1500).
  o Application "Evidence" that can be used in a rule evaluation....

It might be useful to add a comment to the XACML RBAC Profile stating that "roles" are just a special case of XACML Attributes, and that any XACML Attribute can be used in the way described for "roles" in the XACML RBAC Profile.

Comments?

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
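The relationship described in the message above, as an added example that is not part of the original post and is not XACML: a deny-by-default evaluator in which a role is one multi-valued attribute among user, environment, application-evidence and live attributes. The operation names, attribute names, the `user.`/`env.`/`app.`/`live.` prefixes and the sample values are assumptions made for illustration.

```python
from typing import Any, Callable, Dict

Attrs = Dict[str, Any]
Rule = Callable[[Attrs], bool]  # a rule is a predicate over request attributes

def has(name: str, value: Any) -> Rule:
    # Multi-valued attribute contains value; missing or scalar never matches.
    return lambda a: isinstance(a.get(name), (list, tuple, set)) and value in a[name]

def at_least(name: str, minimum: float) -> Rule:
    return lambda a: name in a and a[name] >= minimum

def below(name: str, limit: float) -> Rule:
    return lambda a: name in a and a[name] < limit

def all_of(*rules: Rule) -> Rule:
    # Rules are combinatorial: a policy is built from smaller rules.
    return lambda a: all(r(a) for r in rules)

# Hypothetical policy set: operation name -> rule.
POLICIES: Dict[str, Rule] = {
    # Plain RBAC: the only attribute consulted is the role.
    "view_report": has("user.role", "analyst"),
    # PBAC: role plus environment, application evidence and a live value.
    "place_trade": all_of(
        has("user.role", "trader"),
        at_least("env.ssl_bits", 128),
        has("app.evidence", "order_validated"),
        below("live.nasdaq", 1500),
    ),
}

def decide(operation: str, user: Attrs, env: Attrs, app: Attrs,
           live: Dict[str, Callable[[], float]]) -> bool:
    """Deny by default; permit only when the operation's rule holds."""
    attrs: Attrs = {}
    # Namespacing keeps application evidence from overriding a user attribute.
    for prefix, source in (("user", user), ("env", env), ("app", app)):
        attrs.update({f"{prefix}.{k}": v for k, v in source.items()})
    # Dynamic attributes are fetched at decision time, not at session start.
    attrs.update({f"live.{k}": fetch() for k, fetch in live.items()})
    rule = POLICIES.get(operation)
    return rule is not None and rule(attrs)

# Constructed sample request data.
TRADER = {"role": ["trader"]}
STRONG_TLS = {"ssl_bits": 128}
VALIDATED = {"evidence": ["order_validated"]}
```

The `view_report` policy is the RBAC special case: dropping every non-role rule from `place_trade` would reduce it to the same shape.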