OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] BTG sequence diagram

> On Fri, 2011-04-22 at 16:32 -0700, Bill Parducci wrote:
> So Rich, in this scenario you are treating the BTG priv attribute as a Resource? If not, what does "permit" refer to?
> thanks
> b
> On Apr 22, 2011, at 4:25 PM, rich levinson wrote:
> > 	• The PEP in front of GlassMgr asks the PDP if this User is authorized to activate
> > his BTG priv.
> > 	• The PDP says yes, the User, according to Policy is authorized to perform this
> > action (activate the User's BTG priv), and returns Permit.

I had in mind a generic "BTG state", which I guess would be an
environment attribute.  The user invokes a method of the GlassManager
like "breakGlass()".  Upon finding that the user is authorized to
execute this action, the GlassManager executes this method to set the
environment attribute, btg-state, to "true".

In an earlier email I asked for clarification on what, exactly, the
glass protected: a person, a class of persons, a resource, a group of
resources, or some combination of these?

I guess generically you could have a boolean btg-state attribute for
every action, resource, and subject (as well as an environment
btg-state).  Then the user would invoke a method like "breakGlass('Bart
Simpson')" to unprotect Bart Simpson's records.  The PIP would ask for
the btg-state attribute pertaining to Bart's records.

This is another area that needs to be clarified in David's BTG proposal.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]