Subject: XACML Profile for Role Based Access Control (RBAC)
Colleagues,

I have re-formatted the RBAC profile as a Committee Specification, and this new version is attached as a PDF file. I have cleaned up lots of formatting, spelling, grammar, etc. errors that were in the working draft.

Three notes, the first of which concerns a change that perhaps exceeds the bounds of editorial discretion:

1) Section 1.5 Multi-Role Permissions

Previously, this non-normative section said:

"The permissions associated with a given Multi-Role <PolicySet>, however, may be inherited only by other multi-role policies that require a superset of the roles required by the given multi-role policy. This is because the <Target> of the Role <PermissionSet> associated with the multi-role policy will screen out any Subject that does not possess at least the set of roles required by the given multi-role policy."

During my close edit reading, I realized that this statement is incorrect and also conflicts with the rest of the document; it assumed that the other role would include the multi-role Role <PolicySet>, which includes the role-restricting Target, rather than the multi-role Permission <PolicySet>, which contains an "any" Target. Elsewhere, the text is very clear that to include the permissions of another role, you include that role's Permission <PolicySet>, not that role's Role <PolicySet>.

I have reworded this to say:

"The permissions associated with a given multi-role <PolicySet> may also be inherited by another role if the other role includes a reference to the Permission <PolicySet> associated with the multi-role policy in its own Permission <PolicySet>."

If anyone objects to this change, please say so.

2) The line numbers in the examples use a different line number sequence from the line numbers in the rest of the text. This seems to be a "feature" of StarOffice, so I hope you can live with it. The line numbers in the examples end in a ".", whereas the line numbers in the text do not, so it is possible to specify the series of numbers to which you are referring.

3) The document's title page says its location is "http://docs/oasis-open.org/xacml/cs-xacml-rbac-profile-01.pdf". The document is not located there now (since this edit has not been approved yet), but will be uploaded into the location by the OASIS webmaster once I give her the version to use. This makes use of a little-known OASIS manual mechanism for reserving a URL for use by a committee specification or standard rather than using the Kavi repository, which assigns the URL only as it is being uploaded.

I will await a decision from the chairs as to when this version should be uploaded as the accepted Committee Specification.

Anne
--
Anne H. Anderson
Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311
Tel: 781/442-0928
Burlington, MA 01803-0902 USA
Fax: 781/442-1692
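
Added example, not part of the original message or of the RBAC profile itself: a simplified Python model of the point in note 1, showing that a role inherits multi-role permissions when its Permission <PolicySet> references the multi-role Permission <PolicySet>, while a reference to the multi-role Role <PolicySet> is screened by that set's Target. The PolicySet class, the subset-based Target check, the role names and the permissions are all constructed assumptions; combining algorithms and Deny results are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicySet:
    """Simplified stand-in for an XACML <PolicySet> (assumption, not XACML syntax)."""
    target_roles: frozenset = frozenset()   # empty set models an "any" Target
    permissions: frozenset = frozenset()    # (action, resource) pairs granted here
    refs: tuple = ()                        # PolicySets referenced from this one

    def permits(self, subject_roles, permission):
        # Target check: the subject must hold every role the Target names.
        if not self.target_roles <= subject_roles:
            return False                    # modelled as NotApplicable
        if permission in self.permissions:
            return True
        return any(ref.permits(subject_roles, permission) for ref in self.refs)

SIGN = ("sign", "contract")                 # constructed multi-role permission

# Multi-role policy: Permission PolicySet ("any" Target) plus the Role
# PolicySet whose Target requires both roles (constructed role names).
multi_pps = PolicySet(permissions=frozenset({SIGN}))
multi_rps = PolicySet(target_roles=frozenset({"manager", "officer"}),
                      refs=(multi_pps,))

def director_role(inherited):
    """Build a hypothetical 'director' role whose Permission PolicySet
    references `inherited`; returns the director Role PolicySet."""
    pps = PolicySet(permissions=frozenset({("read", "report")}),
                    refs=(inherited,))
    return PolicySet(target_roles=frozenset({"director"}), refs=(pps,))

via_permission_ps = director_role(multi_pps)  # wiring described in the reworded text
via_role_ps = director_role(multi_rps)        # wiring the old text assumed

def check(role_ps, roles):
    """True if a subject holding `roles` is granted SIGN through role_ps."""
    return role_ps.permits(frozenset(roles), SIGN)

if __name__ == "__main__":
    print("Permission PolicySet reference:", check(via_permission_ps, {"director"}))
    print("Role PolicySet reference:      ", check(via_role_ps, {"director"}))
    print("Role PolicySet ref, all roles: ",
          check(via_role_ps, {"director", "manager", "officer"}))
```
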