OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only
  • 1.  Re: Fw: undefined

    Posted 05-21-2004 13:44
     MHonArc v2.5.0b2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


    Subject: Re: Fw: undefined


    Aleksey,
    
    The proposal you describe requires the administrator (or the
    policy generation system) of each junior role to "know" each
    senior role that includes it.  That is not scalable to large
    distributed systems of roles.  To use your words, "This opens
    another door for inconsistent policies where these statements are
    wrongly expressed."
    
    No tool or administrator can know which senior roles include each
    junior role unless the tool is keeping a global index of all the
    policies that is updated every time a policy is changed.
    
    Having the tool manage only a single <PolicySet> at a time seems
    to me to be a big plus in simplicity and scalability.
    
    Anne
    
    On 20 May, Aleksey Studnev writes: Fw: undefined
     > From: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
     > To: Anne.Anderson@Sun.COM
     > Subject: Fw: undefined
     > Date: Thu, 20 May 2004 23:21:54 +0400
     > 
     > Anne,
     > 
     > sorry for mistake, i of course reversed the hierarchy. It should look like:
     > 
     > <PolicySet>
     > <Policy>
     >  <Target>
     >   ResourceAttributeDesignator "role" = AttributeValue "Manager"
     >  </Target>
     >  <Rule Effect="Permit">
     >   <Target>
     >    SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
     >    ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >   </Target>
     >  </Rule>
     > </Policy>
     > 
     > <Policy>
     >  <Target>
     >   ResourceAttributeDesignator "role" = AttributeValue "Employee"
     >  </Target>
     >  <Rule Effect="Permit">
     >   <Target>
     >    SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Kill Bill"
     >    ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >   </Target>
     >  </Rule>
     >  <Rule Effect="Permit">
     >   <Target>
     >    SubjectAttributeDesignator "role-id" == AttributeValue "Manager"
     >    ActionAttributeDesignator "action-id" == AttributeValue "grant"
     >   </Target>
     >  </Rule>
     > </Policy>
     > 
     > </PolicySet>
     > 
     > Here Aleksey is Manager and "Kill Bill" is Employee.
     > 
     > Regards,
     > 
     > Aleksey
     > 
     > 
     > Anne,
     > 
     > lets take that old example with Aleksey Manager. What i propose is to roles assignment policy like:
     > 
     > 
     > <Policy>
     >  <Target>
     >   ResourceAttributeDesignator "role" = AttributeValue "Manager"
     >  </Target>
     >  <Rule Effect="Permit">
     >   <Target>
     >    SubjectAttributeDesignator "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
     >    ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >   </Target>
     >  </Rule>
     >  <Rule Effect="Permit">
     >   <Target>
     >    SubjectAttributeDesignator "role-id" == AttributeValue "Employee"
     >    ActionAttributeDesignator "action-id" == AttributeValue "grant"
     >   </Target>
     >  </Rule>
     > </Policy>
     > 
     > So Aleksey will be granted role attributes "Employee" and "Manager".
     > Role policies remains "as is".
     > Reference ( to "Employee" Permission Policy Set) to be removed from "Manager" permission policy set.
     > 
     > Regards,
     > 
     > Aleksey
    
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]