Subject: RE: [xacml] support of <PolicySet> elements under PPS elements?
ANSI INCITS is considering RBAC Engineering models that already exist for incorporation into extensions of the RBAC core spec. There are existing models such as Neuman-Strembeck available. HL7 has used this model successfully to create an international "RBAC Permission Catalog".

Regards,

Mike Davis, CISSP
Department of Veterans Affairs
VHA Office of Health Information
Security Architect
760-632-0294

From: Jan Herrmann [mailto:herrmanj@in.tum.de]

Hi Erik,

the NIST model doesn't specify how to define the privileges associated with roles. Hence, independent of the requirements that might drive someone to build a policy tree based on nested PS, I don't see a reason why PS elements under PPS should be forbidden.

Nevertheless, a scenario for PS under PPS elements could be: When using XACML to define the privileges it might be very convenient to provide a certain PolicySet structure below the PPS. One could e.g. define <PolicySet> elements under a PPS that test for specific resource types (e.g. services). Below these service-specific <PolicySet> elements you could then structure your policy by the action type (e.g. different <PolicySet> elements for each specific service type). Having such a predefined structure and allowing the junior policy administrators only to define <Policy> and <Rule> elements below these predefined <PolicySet> elements will ensure that they do not define rights out of their scope.

Best Regards
Jan

--
Jan Herrmann
Dipl.-Inform., Dipl.-Geogr.
Scientific Assistant
Chair for Applied Informatics / Cooperative Systems
Technische Universität München
Boltzmannstr. 3
85748 Garching
Germany
T: +49 89 289 18692
F: +49 89 289 18657
W: www11.in.tum.de

From: Erik Rissanen [mailto:erik@axiomatics.com]

Hi Jan,

Hi there,

the XACML v3.0 RBAC profile states:

"...Permission <PolicySet> or PPS: a <PolicySet> that contains the actual permissions associated with a given role. It contains <Policy> elements and <Rules> that describe the resources and actions that subjects are permitted to access, along with any further conditions on that access, such as time of day. ..."

From my point of view this PPS definition is unnecessarily limiting the structure below PPS. I would propose to support <PolicySet> elements under PPS elements, unless there are good reasons why this should be prohibited.

Best regards
Jan

--
Jan Herrmann
Dipl.-Inform., Dipl.-Geogr.
Scientific Assistant
Chair for Applied Informatics / Cooperative Systems
Technische Universität München
Boltzmannstr. 3
85748 Garching
Germany
T: +49 89 289 18692
F: +49 89 289 18657
W: www11.in.tum.de
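The nested-PolicySet layout Jan describes (a PPS holding a resource-type <PolicySet>, which holds an action-type <PolicySet>, with junior administrators confined to the innermost <Policy> and <Rule> elements), written out as an added illustration that is not part of the thread. The attribute id urn:example:resource-type, the role name "clerk" and all PolicySetId/PolicyId/RuleId values are constructed; the urn:oasis identifiers are the standard XACML 3.0 ones.

```xml
<!-- Constructed example (not from the thread). The outer two <PolicySet>
     levels are fixed by the senior administrator; junior administrators
     may only add <Policy>/<Rule> elements at the innermost level. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="urn:example:PPS:clerk" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Description>Permission PolicySet (PPS) for the hypothetical role "clerk"</Description>
  <Target/>

  <!-- Level 1 (predefined): everything below applies to one resource type only.
       urn:example:resource-type is an assumed, deployment-specific attribute. -->
  <PolicySet PolicySetId="urn:example:PPS:clerk:service" Version="1.0"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:resource-type"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>

    <!-- Level 2 (predefined): further restricted to one action type. -->
    <PolicySet PolicySetId="urn:example:PPS:clerk:service:read" Version="1.0"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
      <Target>
        <AnyOf><AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf></AnyOf>
      </Target>

      <!-- Level 3 (junior administrators): a <Policy> with an empty <Target>
           and an unconditional Permit. Its effective scope is still limited to
           resource-type "service" and action "read" by the ancestor targets. -->
      <Policy PolicyId="urn:example:PPS:clerk:service:read:junior-1" Version="1.0"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
        <Target/>
        <Rule RuleId="urn:example:permit-read-service" Effect="Permit"/>
      </Policy>
    </PolicySet>
  </PolicySet>
</PolicySet>
```

Because a <Rule> without its own <Target> inherits the scope of every ancestor <Target>, the junior administrator's unconditional Permit can only ever apply to requests for resource type "service" with action "read"; any other request is NotApplicable at the predefined levels and never reaches the rule.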