OASIS eXtensible Access Control Markup Language (XACML) TC


FW: [xacml] XACML Delegation/Administration Requirements

    Posted 02-02-2005 18:35

    Subject: FW: [xacml] XACML Delegation/Administration Requirements

    I have an additional requirement which actually falls under the points below, but I think we need to provide a specific mechanism to make it easier and less error-prone to express.
    Below I said:
    >However, in meeting these two use cases, it is NOT desirable to require either of the following 
    >to always be true:
    >a. Anything you can do, you can delegate to someone else to do.
    >b. If you can delegate something, you can always do it yourself by generating the necessary 
    >policy which applies to you.
    >It should be possible to create policies which enable a. and/or b., but they should not be 
    >"wired in."
    The question is, how easy is it to "create policies which enable a. and/or b."
    Consider the common use case: Mary is the manager and approves expense reports for her dept. When she is on vacation, Jack can approve expense reports.
    I think we need a convenient way to say "Jack is allowed to do such and such, but only if Mary is allowed to do it." Mary might or might not be the issuer of this policy. As I understand the current proposals, there is no way to do this except by duplicating the rules that apply to Mary.
    I am not sure what the right syntax is. This seems like a condition, but there might be reasons to make it more visible in the policy, for example as a new Effect value.
    Also I am not sure how general this needs to be. For example, in the example, Mary and Jack are Access Subjects. Should it work for other Subject types? Other kinds of inputs?
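As an added example (not part of the message above, not XACML syntax, and not any proposal of the TC), the following Python sketch models the "Jack is allowed only if Mary is allowed" condition as a rule whose condition re-evaluates the same request with the delegator substituted as the access subject, so Mary's rules are stated once rather than copied into Jack's. It also shows the check a practitioner would want on such a mechanism: two rules that delegate to each other must resolve to Indeterminate instead of recursing forever. The rule IDs, attribute names and the `mary_on_vacation` environment flag are assumptions for illustration.

```python
"""Added example: a toy policy evaluator for the "Jack may do it only if Mary may"
delegation the message asks for. Not XACML and not the TC's proposal; rule IDs,
attribute names and the vacation flag are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]          # flat attribute bag: subject/action/resource/dept


class DelegationLoop(Exception):
    """Raised when a delegation condition chains back to a subject already under evaluation."""


@dataclass
class Rule:
    rule_id: str
    effect: str                                          # "Permit" or "Deny"
    target: Callable[[Request], bool]                    # which requests this rule covers
    condition: Callable[[Request, "PDP"], bool] = lambda req, pdp: True


class PDP:
    """Deny-overrides evaluator; conditions may call back into it for delegation."""

    def __init__(self, rules: List[Rule], env: Dict[str, bool]):
        self.rules = rules
        self.env = env                   # environment attributes, e.g. {"mary_on_vacation": True}
        self._chain: List[str] = []      # subjects whose rights are currently being checked

    def evaluate(self, req: Request) -> str:
        top_level = not self._chain
        try:
            return self._evaluate(req)
        except DelegationLoop:
            if top_level:
                return "Indeterminate"   # report the loop instead of recursing forever
            raise

    def _evaluate(self, req: Request) -> str:
        subject = req["subject"]
        if subject in self._chain:
            raise DelegationLoop(" -> ".join(self._chain + [subject]))
        self._chain.append(subject)
        try:
            decisions = [r.effect for r in self.rules
                         if r.target(req) and r.condition(req, self)]
        finally:
            self._chain.pop()
        if "Deny" in decisions:
            return "Deny"
        if "Permit" in decisions:
            return "Permit"
        return "NotApplicable"


def only_if(delegator: str) -> Callable[[Request, PDP], bool]:
    """The requested condition: permit only if the same request, with `delegator`
    substituted as the access subject, would itself be permitted."""
    def cond(req: Request, pdp: PDP) -> bool:
        return pdp.evaluate({**req, "subject": delegator}) == "Permit"
    return cond


def approve_expense(subject: str) -> Callable[[Request], bool]:
    return lambda r: (r["subject"] == subject and r["action"] == "approve"
                      and r["resource"] == "expense-report")


# Mary's own rule is stated once; Jack's rule refers to it instead of copying it.
RULES = [
    Rule("mary-approves-sales", "Permit",
         lambda r: approve_expense("mary")(r) and r["dept"] == "sales"),
    Rule("jack-covers-for-mary", "Permit", approve_expense("jack"),
         lambda r, pdp: pdp.env.get("mary_on_vacation", False) and only_if("mary")(r, pdp)),
]


def decide(subject: str, dept: str, mary_on_vacation: bool) -> str:
    pdp = PDP(RULES, {"mary_on_vacation": mary_on_vacation})
    return pdp.evaluate({"subject": subject, "action": "approve",
                         "resource": "expense-report", "dept": dept})


def decide_with_loop() -> str:
    """Two rules that delegate to each other: the evaluator must not spin forever."""
    rules = [
        Rule("mary-via-jack", "Permit", lambda r: r["subject"] == "mary", only_if("jack")),
        Rule("jack-via-mary", "Permit", lambda r: r["subject"] == "jack", only_if("mary")),
    ]
    return PDP(rules, {}).evaluate({"subject": "jack", "action": "sign",
                                    "resource": "purchase-order", "dept": "sales"})


if __name__ == "__main__":
    print(decide("mary", "sales", False))   # Permit
    print(decide("jack", "sales", True))    # Permit: Mary is away and Mary could
    print(decide("jack", "sales", False))   # NotApplicable: Mary is not away
    print(decide("jack", "finance", True))  # NotApplicable: Mary could not either
    print(decide_with_loop())               # Indeterminate
```

Note that neither of the "wired in" properties from the quoted text holds here: Jack's delegated rule does not let him approve anything Mary cannot (the finance report case), and nothing about Mary's rule lets her delegate unless a rule explicitly says so. The substitution changes only the access subject, which is the narrow case the message describes; widening it to other subject categories or inputs is exactly the open question the message raises.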