Subject: Re: [xacml] summary of Frank's delegation proposal
In my previous email I distinguished two different policy statements: an access
control policy and a delegation/administration policy.
I grouped the delegation and administration together for simplicity.
You could distinguish two administrative policy statements:
* one that allows certain admins to manage the policy for certain targets,
* and another that allows certain admins to delegate the rights to manage the
policy for a certain target.
In previous emails, I suggested that implementations could choose either to
always allow admins to delegate the management rights they have, or to use a
boolean flag in the admin policy statement that would indicate whether further
delegation was allowed, or to use an integer to specify the maximum delegation
depth, i.e. maximum length of the delegation chain.
Unlike with access control policies, it seems overkill to allow admins to speak
on the management rights of other admins without having the right themselves to
manage those same targets.
Would it be enough to add this clarification or did you have other concerns?
Regards, Frank.
(as admin and delegation policy statements are about policies about policies,
maybe we should call them meta-policies ;-)
Daniel Engovatov wrote:
> Did we actually decide on whether "delegation" is the appropriate term
> to describe this proposal?
>
> I would think this is something else, probably useful, but I would
> hesitate to call it "delegation"
>
> Daniel.
>
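
An added example, not part of the original message or of any XACML specification text: a sketch of the delegation-depth options discussed above, where an admin statement only counts if its issuer holds the management right for the same target. The names `AdminStatement`, `admins_for`, `may_manage` and the sample principals are hypothetical; the boolean "further delegation allowed" flag is modelled as a depth of 0 versus unlimited.

```python
import math
from collections import deque
from dataclasses import dataclass

UNLIMITED = math.inf  # "always allow further delegation"


@dataclass(frozen=True)
class AdminStatement:
    issuer: str                    # who wrote the admin policy statement
    admin: str                     # who receives the right to manage the target
    target: str                    # policy target the statement covers
    max_depth: float = UNLIMITED   # 0 = may manage but not delegate further


def admins_for(target, root, statements):
    """Map each principal who may manage `target` to the number of further
    delegation steps they may still authorize below themselves."""
    best = {root: UNLIMITED}
    queue = deque([root])
    while queue:
        issuer = queue.popleft()
        budget = best[issuer]
        if budget <= 0:            # holds the right, but may not pass it on
            continue
        for s in statements:
            if s.issuer != issuer or s.target != target:
                continue
            # A delegate never gets more depth than the issuer has left.
            granted = min(budget - 1, s.max_depth)
            if granted > best.get(s.admin, -1):   # also terminates on cycles
                best[s.admin] = granted
                queue.append(s.admin)
    return best


def may_manage(admin, target, root, statements):
    return admin in admins_for(target, root, statements)


# Constructed sample statements (hypothetical principals and targets).
SAMPLE = [
    AdminStatement("root", "alice", "payroll", max_depth=1),
    AdminStatement("alice", "bob", "payroll"),      # capped by alice's depth
    AdminStatement("bob", "carol", "payroll"),      # chain too long, ignored
    AdminStatement("mallory", "eve", "payroll"),    # issuer holds no right
    AdminStatement("root", "dave", "hr", max_depth=0),
    AdminStatement("dave", "erin", "hr"),           # dave may not delegate
]
```

Statements issued by a principal who is not reachable from the root for that target are never consulted, which is the restriction described in the message for admin statements.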