
xacml message


Subject: No Subject

  PBAC should be considered a super-set of RBAC.  That is, RBAC is
  a special case of PBAC.

  Rather than just roles, PBAC uses attributes.  A role is just a
  special type of attribute.  Attributes can be of various types:

   o User Attributes that are set upon a start of a session

   o Environment Attributes (for example, SSL connection strength)

   o Application "evidence" that can be used in the policies/rules

  Operations are now defined as a combination of policy and
  rules.  Both policies and rules are combinatorial - and, of
  course, they can be dynamic and not just pertain to user

  Policy enforcement can be dynamic from a number of

   o Rules can be evaluated given some data of a dynamic nature,
     even of a real time nature (for example, a rule that checks
     the NASDAQ index to see if it's below a value of 1500).

   o Application "Evidence" that can be used in a rule

It might be useful to add a comment to the XACML RBAC Profile
stating that "roles" are just a special case of XACML Attributes,
and that any XACML Attribute can be used in the way described for
"roles" in the XACML RBAC Profile.


Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
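
An added example, not part of the original message and not XACML syntax or code from the XACML RBAC Profile: a minimal attribute-based decision function in which "role" is matched exactly like any other attribute, alongside an environment attribute and a dynamic value. The attribute names, thresholds, rule effects and the `Rule`, `attr`, `evaluate` and `decide` helpers are assumptions made for illustration.

```python
# Hypothetical sketch: roles handled as ordinary attributes in a policy check.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Request = Dict[str, Dict[str, Any]]  # category -> {attribute id -> value}

@dataclass
class Rule:
    effect: str                                  # "Permit" or "Deny"
    conditions: List[Callable[[Request], bool]]  # all must hold for the rule to apply

def attr(category: str, name: str, test: Callable[[Any], bool]):
    """Condition on one attribute; a missing attribute never matches."""
    def cond(req: Request) -> bool:
        bag = req.get(category, {})
        return name in bag and test(bag[name])
    return cond

def evaluate(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining: an applicable Deny wins over any Permit."""
    effects = {r.effect for r in rules if all(c(req) for c in r.conditions)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

POLICY = [
    # RBAC-style rule: "role" is just a subject attribute.
    Rule("Permit", [attr("subject", "role", lambda v: v == "trader"),
                    attr("environment", "ssl-key-bits", lambda v: v >= 128)]),
    # Same mechanism with a non-role attribute set at session start.
    Rule("Permit", [attr("subject", "clearance", lambda v: v == "desk-head"),
                    attr("environment", "ssl-key-bits", lambda v: v >= 128)]),
    # Dynamic rule over data supplied at decision time (assumed Deny effect).
    # Caveat: if the index is not supplied, this rule simply does not apply.
    Rule("Deny", [attr("evidence", "nasdaq-index", lambda v: v < 1500)]),
]

def decide(role=None, clearance=None, ssl_bits=0, index=None) -> str:
    """Build a request from constructed sample attributes and evaluate it."""
    subject = {k: v for k, v in (("role", role), ("clearance", clearance))
               if v is not None}
    evidence = {} if index is None else {"nasdaq-index": index}
    return evaluate(POLICY, {"subject": subject,
                             "environment": {"ssl-key-bits": ssl_bits},
                             "evidence": evidence})

if __name__ == "__main__":
    print(decide(role="trader", ssl_bits=256, index=1800))
```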
