OASIS Mailing List Archives
xacml message



Subject: No Subject


  PBAC should be considered a super-set of RBAC.  That is, RBAC is
  a special case of PBAC.

  Rather than just roles, PBAC uses attributes.  A role is just a
  special type of attribute.  Attributes can be of various types:

   o User Attributes that are set upon a start of a session

   o Environment Attributes (for example, SSL connection strength)

   o Application "evidence" that can be used in the policies/rules


  Operations are now defined as a combination of policy and
  rules.  Both policies and rules are combinatorial - and, of
  course, they can be dynamic and not just pertain to user
  attributes.

  Policy enforcement can be dynamic from a number of
  perspectives:

   o Rules can be evaluated given some data of a dynamic nature,
     even of a real time nature (for example, a rule that checks
     the NASDAQ index to see if it's below a value of 1500).

   o Application "Evidence" that can be used in a rule
     evaluation....

It might be useful to add a comment to the XACML RBAC Profile
stating that "roles" are just a special case of XACML Attributes,
and that any XACML Attribute can be used in the way described for
"roles" in the XACML RBAC Profile.

Comments?

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
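
The point made in this message, that a role is one attribute among many and that rules can also draw on environment and real-time data, shown as an added Python sketch that is not part of the original message and is not XACML syntax. The attribute ids (`role`, `clearance`, `index`, `ssl-bits`), the sample values and the deny-overrides combining are assumptions of the sketch.

```python
from typing import Any, Callable, Dict, List, Tuple

Request = Dict[str, Dict[str, Any]]   # category -> attribute id -> value
Condition = Callable[[Request], bool]
Rule = Tuple[str, List[Condition]]    # (effect, conditions that must all hold)

def lookup(req: Request, category: str, attr: str) -> Any:
    """Fetch an attribute; a callable value is resolved at decision time."""
    value = req.get(category, {}).get(attr)
    return value() if callable(value) else value

def has(category: str, attr: str, wanted: Any) -> Condition:
    """Multi-valued attribute contains wanted; a missing attribute never matches."""
    return lambda req: wanted in (lookup(req, category, attr) or ())

def below(category: str, attr: str, limit: float) -> Condition:
    """Numeric attribute is present and under limit; a missing attribute never matches."""
    def check(req: Request) -> bool:
        value = lookup(req, category, attr)
        return isinstance(value, (int, float)) and value < limit
    return check

def decide(policy: List[Rule], req: Request) -> str:
    """Evaluate every rule; any matching Deny overrides a Permit (sketch assumption)."""
    decision = "NotApplicable"
    for effect, conditions in policy:
        if all(cond(req) for cond in conditions):
            if effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision

# Constructed policy: attribute ids and values are hypothetical.
POLICY: List[Rule] = [
    # Role attribute combined with a real-time environment value.
    ("Permit", [has("subject", "role", "trader"), below("environment", "index", 1500)]),
    # A non-role user attribute used exactly the way a role is.
    ("Permit", [has("subject", "clearance", "audit")]),
    # Environment attribute alone: weak connection strength blocks everything.
    ("Deny", [below("environment", "ssl-bits", 128)]),
]

def sample_request(roles, clearance, index, ssl_bits) -> Request:
    """Build a constructed request; index is a callable, read when the rule runs."""
    return {"subject": {"role": set(roles), "clearance": set(clearance)},
            "environment": {"index": lambda: index, "ssl-bits": ssl_bits}}
```

Because a missing attribute never matches, the `Deny` rule here does not fire when `ssl-bits` is absent from the request; a deployment that needs that case denied has to state it as its own rule.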


