Subject: Re: [xacml] delegation constraints schema
Simon,

This seems good to me. However, I don't think re-applying the constraints on the immediate delegate to re-delegates is a good idea. If someone satisfies the constraints of the immediate delegate, there is no need for someone else to delegate to him, since he already has the administrative right himself.

I agree with you that the DelegationConstraint should be optional. If it is present, re-delegates have to meet it. If it is not present, there is no constraint on re-delegates.

Best regards,
Erik

Simon wrote:

> (See Erik's msg on delegation constraint)
> Delegation constraint can be expressed by having
> <DelegationConstraint> element as a child of <Delegate>
>
> Note that constraints on immediate delegate can be applied to
> re-delegates and then delegation-constraint is not needed.
>
> <Target>
>   <Delegate>
>     <SubjectMatch>....</SubjectMatch>  <- ONE OR MORE (Constraints on immediate delegate)
>     <DelegationConstraint>  <-- OPTIONAL (Constraints on re-delegates)
>       <SubjectMatch>....</SubjectMatch>  <-- ONE OR MORE
>       <SubjectMatch>...</SubjectMatch>
>     </DelegationConstraint>
>   </Delegate>
> </Target>
>
> Simon
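
The semantics discussed in this message, as an added example that is not part of the original thread or of any XACML specification text: a small checker that evaluates a delegation chain against the proposed `<Delegate>` / `<DelegationConstraint>` structure. The thread elides the content of `<SubjectMatch>`, so the `AttributeId`-plus-text form, the AND combination of multiple matches, the subject dictionaries and the function names are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragments. The thread elides SubjectMatch content ("...."),
# so the AttributeId/text form used here is an assumed simplification.
POLICY_WITH_CONSTRAINT = """
<Target>
  <Delegate>
    <SubjectMatch AttributeId="role">dept-admin</SubjectMatch>
    <DelegationConstraint>
      <SubjectMatch AttributeId="org">example-corp</SubjectMatch>
      <SubjectMatch AttributeId="clearance">staff</SubjectMatch>
    </DelegationConstraint>
  </Delegate>
</Target>
"""
POLICY_WITHOUT_CONSTRAINT = """
<Target>
  <Delegate>
    <SubjectMatch AttributeId="role">dept-admin</SubjectMatch>
  </Delegate>
</Target>
"""

def _satisfies(subject, matches):
    # Assumption: multiple SubjectMatch elements are combined with AND.
    return all(subject.get(m.get("AttributeId")) == (m.text or "").strip()
               for m in matches)

def check_chain(policy_xml, chain):
    """chain[0] is the immediate delegate; chain[1:] are re-delegates.
    Returns (allowed, reason)."""
    delegate = ET.fromstring(policy_xml).find("Delegate")
    if delegate is None or not chain:
        return False, "no <Delegate> element or empty chain"
    immediate = delegate.findall("SubjectMatch")  # direct children only
    if not immediate:
        return False, "<Delegate> needs at least one <SubjectMatch>"
    if not _satisfies(chain[0], immediate):
        return False, "immediate delegate fails <Delegate> constraints"
    constraint = delegate.find("DelegationConstraint")
    if constraint is None:
        # Optional element absent: re-delegation is unconstrained.
        return True, "no <DelegationConstraint>: re-delegates unconstrained"
    redelegate_matches = constraint.findall("SubjectMatch")
    for depth, subject in enumerate(chain[1:], start=1):
        if not _satisfies(subject, redelegate_matches):
            return False, f"re-delegate at depth {depth} fails <DelegationConstraint>"
    return True, "all re-delegates meet <DelegationConstraint>"
```

Re-delegates are checked only against `<DelegationConstraint>`, not against the immediate-delegate matches, which follows Erik's position above. A policy that omits the element accepts a chain of any length and any subjects after the first.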