[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Fw: undefined
Aleksey,

The proposal you describe requires the administrator (or the policy generation system) of each junior role to "know" each senior role that includes it. That is not scalable to large distributed systems of roles. To use your words, "This opens another door for inconsistent policies where these statements are wrongly expressed." No tool or administrator can know which senior roles include each junior role unless the tool is keeping a global index of all the policies that is updated every time a policy is changed. Having the tool manage only a single <PolicySet> at a time seems to me to be a big plus in simplicity and scalability.

Anne

On 20 May, Aleksey Studnev writes:
> Fw: undefined
> From: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
> To: Anne.Anderson@Sun.COM
> Subject: Fw: undefined
> Date: Thu, 20 May 2004 23:21:54 +0400
>
> Anne,
>
> sorry for the mistake, I of course reversed the hierarchy. It should look like:
>
> <PolicySet>
>   <Policy>
>     <Target>
>       ResourceAttributeDesignator "role" = AttributeValue "Manager"
>     </Target>
>     <Rule Effect="Permit">
>       <Target>
>         SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
>         ActionAttributeDesignator "action-id" = AttributeValue "enable"
>       </Target>
>     </Rule>
>   </Policy>
>
>   <Policy>
>     <Target>
>       ResourceAttributeDesignator "role" = AttributeValue "Employee"
>     </Target>
>     <Rule Effect="Permit">
>       <Target>
>         SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Kill Bill"
>         ActionAttributeDesignator "action-id" = AttributeValue "enable"
>       </Target>
>     </Rule>
>     <Rule Effect="Permit">
>       <Target>
>         SubjectAttributeDesignator "role-id" == AttributeValue "Manager"
>         ActionAttributeDesignator "action-id" == AttributeValue "grant"
>       </Target>
>     </Rule>
>   </Policy>
> </PolicySet>
>
> Here Aleksey is Manager and "Kill Bill" is Employee.
>
> Regards,
>
> Aleksey
>
>
> Anne,
>
> let's take that old example with Aleksey as Manager. What I propose is a role assignment policy like:
>
> <Policy>
>   <Target>
>     ResourceAttributeDesignator "role" = AttributeValue "Manager"
>   </Target>
>   <Rule Effect="Permit">
>     <Target>
>       SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
>       ActionAttributeDesignator "action-id" = AttributeValue "enable"
>     </Target>
>   </Rule>
>   <Rule Effect="Permit">
>     <Target>
>       SubjectAttributeDesignator "role-id" == AttributeValue "Employee"
>       ActionAttributeDesignator "action-id" == AttributeValue "grant"
>     </Target>
>   </Rule>
> </Policy>
>
> So Aleksey will be granted the role attributes "Employee" and "Manager".
> Role policies remain "as is".
> The reference (to the "Employee" Permission Policy Set) is to be removed from the "Manager" permission policy set.
>
> Regards,
>
> Aleksey

-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
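To make the scalability argument in this exchange concrete, here is an added example that is not code from the thread and not an XACML implementation. It models the two encodings under discussion with plain Python dictionaries: approach A, where a senior role's Permission PolicySet references the junior role's PolicySet (the role knows only its juniors), and approach B, Aleksey's proposal, where each junior role's assignment policy names the senior roles whose holders are granted it (the role must know its seniors). The role "Director", the subject "Dana" and the permission strings are constructed for illustration, and the fixpoint loop in enabled_roles_b is an assumption about how a role enablement authority would chain the "grant" rules.

```python
"""Two encodings of an RBAC role hierarchy, modelled on the XACML RBAC
profile discussion in this thread.  Added example, not code from the thread
or from the XACML specification.  Role names other than Employee/Manager,
subjects other than Aleksey/"Kill Bill", and permissions are constructed."""


# --- Approach A: senior Permission PolicySet references junior PolicySet ---
# Each role holds its own permissions and the roles whose PolicySets it
# references (its direct juniors).  A role never names its seniors.
def make_hierarchy_a():
    return {
        "Employee": {"perms": {"read:timesheet"}, "refs": set()},
        "Manager": {"perms": {"approve:timesheet"}, "refs": {"Employee"}},
    }


def effective_perms_a(pps, role):
    """Follow the PolicySetIdReference-style links transitively."""
    seen, stack, perms = set(), [role], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= pps[r]["perms"]
        stack.extend(pps[r]["refs"])
    return perms


def add_senior_a(pps, new_role, perms, juniors):
    """Add a senior role; return the set of policies that had to be edited.
    Only the new role's own PolicySet is written."""
    pps[new_role] = {"perms": set(perms), "refs": set(juniors)}
    return {new_role}


# --- Approach B: junior role-assignment policy grants itself to seniors ---
# Each role holds its own permissions, the subjects directly allowed to
# enable it, and the senior roles whose holders are also granted it.
def make_hierarchy_b():
    return {
        "Employee": {"perms": {"read:timesheet"},
                     "subjects": {"Kill Bill"}, "seniors": {"Manager"}},
        "Manager": {"perms": {"approve:timesheet"},
                    "subjects": {"Aleksey"}, "seniors": set()},
    }


def enabled_roles_b(rap, subject):
    """Roles a subject can enable: direct assignments first, then any role
    whose 'seniors' contains an already-enabled role, iterated to a fixpoint.
    Assumption: the role enablement authority re-queries until stable."""
    roles = {r for r, p in rap.items() if subject in p["subjects"]}
    while True:
        more = {r for r, p in rap.items() if p["seniors"] & roles}
        if more <= roles:
            return roles
        roles |= more


def effective_perms_b(rap, subject):
    return set().union(*(rap[r]["perms"] for r in enabled_roles_b(rap, subject)))


def add_senior_b(rap, new_role, perms, juniors, subjects=()):
    """Add a senior role; return the set of policies that had to be edited.
    Every direct junior's assignment policy must now name the new senior,
    so policies owned by other administrators are touched as well."""
    rap[new_role] = {"perms": set(perms), "subjects": set(subjects),
                     "seniors": set()}
    for j in juniors:
        rap[j]["seniors"].add(new_role)
    return {new_role} | set(juniors)


if __name__ == "__main__":
    pps, rap = make_hierarchy_a(), make_hierarchy_b()
    print("A, Manager :", sorted(effective_perms_a(pps, "Manager")))
    print("B, Aleksey :", sorted(effective_perms_b(rap, "Aleksey")))
    print("A touched  :", add_senior_a(pps, "Director", {"sign:budget"}, {"Manager"}))
    print("B touched  :", add_senior_b(rap, "Director", {"sign:budget"},
                                       {"Manager"}, subjects={"Dana"}))
```

Both encodings yield the same effective permissions for Aleksey and for Kill Bill. The difference is the edit footprint when the hierarchy grows: adding Director above Manager in approach A writes only the new Director PolicySet, while in approach B it also rewrites Manager's assignment policy, which belongs to a different administrator. If the enablement authority does not iterate as assumed here, Employee's policy would have to list Director as well, and every transitive junior would need editing.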