OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Use Cases for Delegation

Perhaps to get the ball rolling -

Most reporting for audit function is ultimately interested in subject<->target mapping, minus intervening role/group/hierarchical relationships. For example, when groups are permitted access to particular targets, the audit question may (have to) use the "group" memberships to determine the answer to "What subjects have access to target X," but the group itself is generally factored out of the response.

Typical use cases for role/permission review include the following:
1) Given a subject, to what targets is it authorized?
2) Given a target, what subjects are to it authorized?

The administrative review questions are:
3) When, and by whom was subject X authorized to target Y. (Audit of administrative artifacts, i.e. subject attributes).
4) When, and by whom was aggregate(role, group, hierarchical placement) Z authorized to target Y.

In delegation scenarios, answers to the 1&2 above would include identifying all authorized subject delegates, and may as well require identification of the delegator as well as the delegate (cases 3&4).

Ron Williams
Sr. Enterprise Architect
IBM Tivoli Security & Privacy

S/MIME Cryptographic Signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]