OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  RE: [xacml] Delegation?

    Posted 01-07-2002 15:00

    Subject: RE: [xacml] Delegation?



    With regard to SAML, the Access Decision Request was deliberately kept simple with the idea that XACML would give us the tools to do the job properly. I have proposed (see my use cases) that XACML not only be able to express policies, but the method of expressing policy inputs be rolled back into the SAML Access Decision Request (and Assertion).

    In my opinion, XACML policies should be able to contain predicates about zero or more of the following subjects:

    Requestor Subject
    Recipient Subject (can be different from requestor)
    Intermediary Subject (can be more than one for a given request)

    I propose a single construct for Subjects and their attributes and some kind of modifier indicating the type (refrain from using "role" here) of subject.

    Hal
