OASIS Mailing List Archives
xacml message

Subject: Re: Fw: undefined


Aleksey,

The proposal you describe requires the administrator (or the
policy generation system) of each junior role to "know" each
senior role that includes it.  That is not scalable to large
distributed systems of roles.  To use your words, "This opens
another door for inconsistent policies where these statements are
wrongly expressed."

No tool or administrator can know which senior roles include each
junior role unless the tool is keeping a global index of all the
policies that is updated every time a policy is changed.

Having the tool manage only a single <PolicySet> at a time seems
to me to be a big plus in simplicity and scalability.

Anne

On 20 May, Aleksey Studnev writes: Fw: undefined
 > From: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
 > To: Anne.Anderson@Sun.COM
 > Subject: Fw: undefined
 > Date: Thu, 20 May 2004 23:21:54 +0400
 > 
 > Anne,
 > 
 > Sorry for the mistake, I of course reversed the hierarchy. It should look like:
 > 
 > <PolicySet>
 > <Policy>
 >  <Target>
 >   ResourceAttributeDesignator "role" = AttributeValue "Manager"
 >  </Target>
 >  <Rule Effect="Permit">
 >   <Target>
 >    SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
 >    ActionAttributeDesignator "action-id" = AttributeValue "enable"
 >   </Target>
 >  </Rule>
 > </Policy>
 > 
 > <Policy>
 >  <Target>
 >   ResourceAttributeDesignator "role" = AttributeValue "Employee"
 >  </Target>
 >  <Rule Effect="Permit">
 >   <Target>
 >    SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Kill Bill"
 >    ActionAttributeDesignator "action-id" = AttributeValue "enable"
 >   </Target>
 >  </Rule>
 >  <Rule Effect="Permit">
 >   <Target>
 >    SubjectAttributeDesignator "role-id" == AttributeValue "Manager"
 >    ActionAttributeDesignator "action-id" == AttributeValue "grant"
 >   </Target>
 >  </Rule>
 > </Policy>
 > 
 > </PolicySet>
 > 
 > Here Aleksey is Manager and "Kill Bill" is Employee.
 > 
 > Regards,
 > 
 > Aleksey
 > 
 > 
 > Anne,
 > 
 > Let's take that old example with Aleksey as Manager. What I propose is a role assignment policy like:
 > 
 > 
 > <Policy>
 >  <Target>
 >   ResourceAttributeDesignator "role" = AttributeValue "Manager"
 >  </Target>
 >  <Rule Effect="Permit">
 >   <Target>
 >    SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
 >    ActionAttributeDesignator "action-id" = AttributeValue "enable"
 >   </Target>
 >  </Rule>
 >  <Rule Effect="Permit">
 >   <Target>
 >    SubjectAttributeDesignator "role-id" == AttributeValue "Employee"
 >    ActionAttributeDesignator "action-id" == AttributeValue "grant"
 >   </Target>
 >  </Rule>
 > </Policy>
 > 
 > So Aleksey will be granted role attributes "Employee" and "Manager".
 > Role policies remain "as is".
 > The reference (to the "Employee" Permission Policy Set) is to be removed from the "Manager" Permission Policy Set.
 > 
 > Regards,
 > 
 > Aleksey

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
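The two ways of encoding the Manager > Employee hierarchy that this thread compares, as an added Python example (constructed for this page, not code from the thread or from any XACML implementation): model (a) has the senior role's Permission PolicySet reference the junior's, model (b) has each junior's role assignment policy carry a "grant" rule per senior, as in the policy quoted above. The `direct_seniors` index is the global view of all policies that Anne says a tool would need; the role names are the thread's, while the PPS:/RAP: labels and the assumption that grant rules list only direct seniors are this example's own.

```python
"""Constructed example of the two hierarchy encodings in this thread.
Model (a): the senior's Permission PolicySet (PPS) references the
junior's PPS with a PolicySetIdReference; only seniors name juniors.
Model (b): the junior's Role Assignment Policy (RAP) carries a Permit
rule "role-id == <senior>, action-id == grant" per direct senior.
"""
from typing import Dict, Set

Graph = Dict[str, Set[str]]

# (a) senior -> juniors it references   (b) junior -> seniors it grants to
SENIOR_REFS: Graph = {"Manager": {"Employee"}, "Employee": set()}
JUNIOR_GRANTS: Graph = {"Employee": {"Manager"}, "Manager": set()}

def add_senior_role(senior_refs: Graph, new_role: str, junior: str) -> Set[str]:
    """Model (a): a new senior is one new PPS that references the junior.
    Returns the policies touched; no existing PolicySet changes."""
    senior_refs[new_role] = {junior}
    return {f"PPS:{new_role}"}

def direct_seniors(senior_refs: Graph) -> Graph:
    """The global index a tool needs under model (b): invert the
    reference graph to learn, per junior, which seniors include it."""
    index: Graph = {role: set() for role in senior_refs}
    for senior, juniors in senior_refs.items():
        for junior in juniors:
            index.setdefault(junior, set()).add(senior)
    return index

def missing_grants(senior_refs: Graph, junior_grants: Graph) -> Graph:
    """Juniors whose RAP lacks a grant rule for a senior that includes
    them: the inconsistent policies model (b) is exposed to."""
    gaps: Graph = {}
    for junior, seniors in direct_seniors(senior_refs).items():
        lag = seniors - junior_grants.get(junior, set())
        if lag:
            gaps[junior] = lag
    return gaps

def policies_to_edit(gaps: Graph) -> Set[str]:
    """Model (b): every junior with a gap must have its RAP edited."""
    return {f"RAP:{junior}" for junior in gaps}

if __name__ == "__main__":
    refs = {role: set(js) for role, js in SENIOR_REFS.items()}
    print("model (a) touches:", add_senior_role(refs, "Director", "Manager"))
    print("model (b) must also edit:",
          policies_to_edit(missing_grants(refs, JUNIOR_GRANTS)))
```

Adding a Director role above Manager creates one new PolicySet under model (a), but leaves the Manager assignment policy inconsistent under model (b) until its administrator learns of the new senior.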


