Subject: Re: [xacml] summary of Frank's delegation proposal
Daniel Engovatov wrote:
>>(as admin and delegation policy statement are about policies about
>>policies, maybe we should call them meta-policies ;-)
>
> That is about what I thought.
>
> My interpretation of the "delegation" term, is a transmission of access
> decisions within single policy - mapping of context space onto itself.
> That means - if access is given for one state of context -> delegate it
> to some other state of context (other subject etc.). Here you are
> talking about mapping in between different contexts, policies.
>
> Any good references on the usage of the "delegation"?

Its usage is all over the map...

I'd like to think in terms of "delegation of rights", which makes it slightly more explicit.

The presented model only supports a policy statement about the delegation of administrative rights, not access rights.

In order to allow someone to delegate her access rights, we would need two policy statements: one policy statement that gives her the access rights, and another policy statement that gives her the right to administer the access right for certain users on that resource.

Note that the latter policy statement is a pure administrative statement and does not imply any delegation of rights; only the two statements taken together constitute a "delegation of access right" capability.

(Ough...)

-Frank.

--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
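
The two-statement construction described in the message above, sketched as an added example that is not part of the original post or of the XACML proposal. It is a toy model rather than XACML syntax; the names `Access`, `Admin`, `may_issue`, `permitted` and `can_delegate` are hypothetical, and it assumes a single trust anchor (`root`) and one level of administration.

```python
from dataclasses import dataclass

ROOT = "root"  # assumed trust anchor; its statements are always accepted

@dataclass(frozen=True)
class Access:  # access statement: subject may perform action on resource
    issuer: str
    subject: str
    resource: str
    action: str

@dataclass(frozen=True)
class Admin:  # administrative statement: admin may issue Access for `users`
    issuer: str
    admin: str
    resource: str
    action: str
    users: frozenset

def may_issue(policies, who, subject, resource, action):
    """True if `who` is authorized to issue an Access statement for subject."""
    if who == ROOT:
        return True
    return any(isinstance(p, Admin) and p.issuer == ROOT and p.admin == who
               and p.resource == resource and p.action == action
               and subject in p.users for p in policies)

def permitted(policies, subject, resource, action):
    """An Access statement counts only if its issuer was allowed to issue it."""
    return any(isinstance(p, Access) and p.subject == subject
               and p.resource == resource and p.action == action
               and may_issue(policies, p.issuer, subject, resource, action)
               for p in policies)

def can_delegate(policies, who, to, resource, action):
    """'Delegation of access right': holds the right AND may administer it."""
    return (permitted(policies, who, resource, action)
            and may_issue(policies, who, to, resource, action))

# Constructed sample statements (not taken from the thread)
ALICE_ACCESS = Access(ROOT, "alice", "doc", "read")
ALICE_ADMIN = Admin(ROOT, "alice", "doc", "read", frozenset({"bob"}))
ALICE_TO_BOB = Access("alice", "bob", "doc", "read")
ALICE_TO_EVE = Access("alice", "eve", "doc", "read")
```

With only `ALICE_ADMIN` in force, alice can grant bob access without holding it herself, which is why the administrative statement alone is not a delegation of her own rights.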