Subject: Example in RBAC Profile is Out of Scope
Hi Erik,

Section 1.7 of the RBAC profile has this to say about the scope:

"The policies specified in this profile assume all the roles for a given subject have already been enabled at the time an authorization decision is requested. They do not deal with an environment in which roles must be enabled dynamically based on the resource or actions a subject is attempting to perform."

Yet the Role Assignment policy in the example of Section 3 is dependent on the current time, which means it can only correctly assign roles if they are enabled dynamically.

The example should be changed to depend on some property of the subjects that doesn't vary from one access request to the next. The simplest change would be to remove the check for time of day, though it makes the example uninteresting. Perhaps you could do an x500Name-match of the subject's subject-id/x500Name attribute value against the DN of the organization to decide whether they are an employee, or an rfc822Name-match of the subject-id/rfc822Name against the organization's domain name?

Regards,
Steven
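The following sketch is an added example, not part of the original message or of the RBAC profile. It implements the matching rules of the XACML rfc822Name-match function and uses them for a role assignment that depends only on subject attributes, so the result is the same for every access request. The domain `example.com`, the role label `employee` and the function `assign_roles` are assumptions made for illustration.

```python
# Added illustration: role assignment keyed on a static subject attribute
# (rfc822Name) rather than on request-time environment such as the clock.

ORG_DOMAIN = "example.com"  # constructed organization domain (assumption)


def rfc822name_match(pattern: str, name: str) -> bool:
    """XACML rfc822Name-match: local part is case-sensitive, domain is not.

    pattern "user@host"  matches exactly that mailbox
    pattern "host"       matches any mailbox at exactly that host
    pattern ".domain"    matches any mailbox at that host or a host below it
    """
    local, sep, domain = name.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an rfc822Name: {name!r}")
    domain = domain.lower()
    if "@" in pattern:
        p_local, _, p_domain = pattern.rpartition("@")
        return p_local == local and p_domain.lower() == domain
    if pattern.startswith("."):
        # Prefix a dot so "east.sun.com" itself satisfies ".east.sun.com",
        # while "northeast.sun.com" does not.
        return ("." + domain).endswith(pattern.lower())
    return domain == pattern.lower()


def assign_roles(subject: dict) -> set:
    """Return the roles for a subject (hypothetical helper).

    Takes only subject attributes, no environment input, so the role set
    cannot vary from one access request to the next.
    """
    roles = set()
    names = subject.get("rfc822Name", [])
    if any(rfc822name_match(ORG_DOMAIN, n) for n in names):
        roles.add("employee")
    return roles


if __name__ == "__main__":
    # Constructed subjects for demonstration.
    for subj in ({"rfc822Name": ["alice@EXAMPLE.com"]},
                 {"rfc822Name": ["bob@partner.example.com"]}):
        print(subj["rfc822Name"], "->", sorted(assign_roles(subj)))
```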