OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Admin & Delg Profile new issues - 3

Delegating Access Policies only

In section 5, just after Listing 1, the discussion suggests that the only way one can create an Admin policy that only permits the delegate to create Access policies and not Admin policies is the use of Maximum Delegation Depth. This can only work if the Issuer is aware of the number of levels of delegation which will occur prior to encountering the policy in question. (And that that number is constant.) Further, under the current reduction algorithm, the limitations on enforcement described in section 8.2 also may prevent this approach from working as desired.

I believe it is desirable to be able to create an Admin policy which delegates Access policies only. I can also imagine wanting to allow Admin policies only, but I can't think of a usecase off hand. I would not ordinarily propose such a functional change at this late date, but since the reduction algorithm is under reconsideration, I would like to see this capability added if it can be done easily given whatever is decided about the reduction algorithm.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]