Subject: Example in RBAC Profile is Out of Scope



Hi Erik,

Section 1.7 of the RBAC profile has this to say about the scope:

    "The policies specified in this profile assume all the roles for a given subject
     have already been enabled at the time an authorization decision is requested.
     They do not deal with an environment in which roles must be enabled dynamically
     based on the resource or actions a subject is attempting to perform."

Yet the Role Assignment policy in the example of Section 3 is dependent on
the current time, which means it can only correctly assign roles if they are
enabled dynamically. The example should be changed to depend on some property
of the subjects that doesn't vary from one access request to the next. The
simplest change would be to remove the check for time of day, though it makes
the example uninteresting. Perhaps you could do an x500Name-match of the
subject's subject-id/x500Name attribute value against the DN of the organization
to decide whether they are an employee, or an rfc822Name-match of the
subject-id/rfc822Name against the organization's domain name?

Regards,
Steven
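The alternative Steven suggests, as an added example that is not part of the original message or the RBAC profile: the two XACML match functions in simplified Python, used for an employee-role assignment that depends only on subject attributes, beside the time-dependent form the message objects to. The organisation DN, domain, business hours and subject records are assumed values.

```python
"""Subject-attribute-based role assignment versus a time-dependent one.
Added example, not from the XACML list or the RBAC profile; the two match
functions follow the XACML 1.0 descriptions of x500Name-match and
rfc822Name-match in simplified form, and every DN, address and time here
is constructed for illustration."""
from datetime import time

def parse_dn(dn: str) -> list:
    # Split a DN string into RDNs. Real x500Name-equal applies the full
    # RFC 2253 rules (escaping, multi-valued RDNs); this only trims and lowercases.
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def x500name_match(name: str, container: str) -> bool:
    # XACML x500Name-match: true iff `name` equals a terminal sequence of
    # RDNs of `container`, so an organisation DN matches every DN beneath it.
    a, b = parse_dn(name), parse_dn(container)
    return 0 < len(a) <= len(b) and b[-len(a):] == a

def rfc822name_match(pattern: str, name: str) -> bool:
    # XACML rfc822Name-match: "user@host" must match the whole address (local
    # part case-sensitive, domain not), ".host" matches any sub-domain of host,
    # and a bare "host" matches that domain exactly.
    local, _, domain = name.partition("@")
    if "@" in pattern:
        p_local, _, p_domain = pattern.partition("@")
        return p_local == local and p_domain.lower() == domain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return pattern.lower() == domain.lower()

# Constructed organisation identity the role assignment below keys on.
ORG_DN = "O=Example Corp,C=US"
ORG_DOMAIN = "example.com"

def static_employee_role(subject: dict, now: time = None) -> bool:
    # Depends only on the subject's own attributes, so every request gets the
    # same answer; `now` is accepted and ignored to fit the harness below.
    return (x500name_match(ORG_DN, subject.get("x500Name", ""))
            or rfc822name_match(ORG_DOMAIN, subject.get("rfc822Name", "")))

def time_dependent_employee_role(subject: dict, now: time) -> bool:
    # The pattern the message objects to: the role is only enabled while the
    # request falls inside (constructed) business hours.
    return static_employee_role(subject) and time(9) <= now < time(17)

def assignment_varies(rule, subject: dict) -> bool:
    # True when the same subject gets different answers at different request times.
    samples = (time(3, 0), time(10, 30), time(22, 15))
    return len({rule(subject, t) for t in samples}) > 1
```

Only the time-dependent rule changes its answer across requests, which is exactly the dynamic enabling the profile's Section 1.7 places out of scope.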

