OASIS eXtensible Access Control Markup Language (XACML) TC


    Posted 05-21-2004 18:31


    Subject: Re: Fw: undefined


    Your example does not work.  What request would I submit in order
    to find out whether isCallerInRole("Anne","employee"), if "Anne"
    has role "Superuser"?
    
    If I submit following:
    
      <Request>
         <Subject>subject-id = AttributeValue "Anne"</Subject>
         <Resource>role = AttributeValue "Employee"</Resource>
         <Action>action-id = AttributeValue "enable"</Action>
      </Request>
    
    I do not get any Rule that returns "Permit".
    
    You seem to be trying to do delegation, but XACML does not yet
    support delegation (we are discussing it).
    
    Anne
    
    On 21 May, Aleksey Studnev writes: Re: Fw: undefined
     > From: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
     > To: Anne.Anderson@Sun.COM
     > Subject: Re: Fw: undefined
     > Date: Fri, 21 May 2004 18:47:53 +0400
     > 
     > Anne,
     > 
     > in this sense ("*immediately* issue") we are on the same page. With my
     > proposal you only need to include immediate roles as well. I will add
     > another role (Superuser, which is senior to Manager) to demonstrate that:
     > 
     > <PolicySet>
     > <Policy>
     >   <Target>
     >    ResourceAttributeDesignator "role" = AttributeValue "Superuser"
     >   </Target>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator 
     > "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Anne"
     >     ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >    </Target>
     >   </Rule>
     >  </Policy>
     > 
     > <Policy>
     >   <Target>
     >    ResourceAttributeDesignator "role" = AttributeValue "Manager"
     >   </Target>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator 
     > "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
     >     ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >    </Target>
     >   </Rule>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator "role-id" == AttributeValue "Superuser"
     >     ActionAttributeDesignator "action-id" == AttributeValue "grant"
     >    </Target>
     >   </Rule>
     >  </Policy>
     >  
     >  <Policy>
     >   <Target>
     >    ResourceAttributeDesignator "role" = AttributeValue "Employee"
     >   </Target>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator
     > "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Kill Bill"
     >     ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >    </Target>
     >   </Rule>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator "role-id" == AttributeValue "Manager"
     >     ActionAttributeDesignator "action-id" == AttributeValue "grant"
     >    </Target>
     >   </Rule>
     >  </Policy>
     >  
     >  </PolicySet>
     > 
     > The major difference, as you correctly noted, is "Having more senior roles
     > control which junior roles they include
     > fits the hierarchical model better than having junior roles
     > control the entire chain of senior roles that include them."
     > With the exception of the words "entire chain", I understand and tend to
     > agree with this statement.
     > 
     > 
     > Regards,
     > Aleksey
     > 
     > 
     > 
     > Anne Anderson <Anne.Anderson@Sun.COM>
     > 05/21/2004 06:29 PM
     > Please respond to Anne.Anderson@Sun.COM
     > To: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
     > cc: XACML TC <xacml@lists.oasis-open.org>
     > Subject: Re: Fw: undefined
     > 
     > No, with my proposal, the senior role only needs to know the
     > junior roles it *immediately* includes.  It does not need to know
     > the even more junior roles that those include, since the normal
     > XACML PDP processing rules follow nested roles.
     > 
     > It is much easier (and more realistic) to manage what *immediate*
     > junior roles a senior role should include than to try to manage
     > the *entire chain* of senior roles that include each junior role.
     > Having more senior roles control which junior roles they include
     > fits the hierarchical model better than having junior roles
     > control the entire chain of senior roles that include them.
     > 
     > Anne
     > 
     > On 21 May, Aleksey Studnev writes: Re: Fw: undefined
     >  > From: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
     >  > To: Anne.Anderson@Sun.COM
     >  > Cc: XACML TC <xacml@lists.oasis-open.org>
     >  > Subject: Re: Fw: undefined
     >  > Date: Fri, 21 May 2004 18:02:04 +0400
     >  > 
     >  > Anne,
     >  > 
     >  > your idea is that the requirement for a senior role to know all
     >  > junior roles is better than a junior role knowing all senior roles?
     >  > 
     >  > Aleksey
     >  > 
     >  > 
     >  > 
     >  > 
     >  > Anne Anderson <Anne.Anderson@Sun.COM>
     >  > 05/21/2004 05:48 PM
     >  > Please respond to Anne.Anderson@Sun.COM
     >  > To: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
     >  > cc: XACML TC <xacml@lists.oasis-open.org>
     >  > Subject: Re: Fw: undefined
     >  > 
     >  > Aleksey,
     >  > 
     >  > The proposal you describe requires the administrator (or the
     >  > policy generation system) of each junior role to "know" each
     >  > senior role that includes it.  That is not scalable to large
     >  > distributed systems of roles.  To use your words, "This opens
     >  > another door for inconsistent policies where these statements are
     >  > wrongly expressed."
     >  > 
     >  > No tool or administrator can know which senior roles include each
     >  > junior role unless the tool is keeping a global index of all the
     >  > policies that is updated every time a policy is changed.
     >  > 
     >  > Having the tool manage only a single <PolicySet> at a time seems
     >  > to me to be a big plus in simplicity and scalability.
     >  > 
     >  > Anne
     >  > 
     >  > On 20 May, Aleksey Studnev writes: Fw: undefined
     >  From: Aleksey Studnev <Aleksey_Studnev@exigengroup.com>
     >  To: Anne.Anderson@Sun.COM
     >  Subject: Fw: undefined
     >  Date: Thu, 20 May 2004 23:21:54 +0400
     >  
     >  Anne,
     >  
     >  sorry for the mistake, I of course reversed the hierarchy. It should
     >  look like:
     >  
     >  <PolicySet>
     >  <Policy>
     >   <Target>
     >    ResourceAttributeDesignator "role" = AttributeValue "Manager"
     >   </Target>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator
     >  "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
     >     ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >    </Target>
     >   </Rule>
     >  </Policy>
     >  
     >  <Policy>
     >   <Target>
     >    ResourceAttributeDesignator "role" = AttributeValue "Employee"
     >   </Target>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator
     >  "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Kill Bill"
     >     ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >    </Target>
     >   </Rule>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator "role-id" == AttributeValue "Manager"
     >     ActionAttributeDesignator "action-id" == AttributeValue "grant"
     >    </Target>
     >   </Rule>
     >  </Policy>
     >  
     >  </PolicySet>
     >  
     >  Here Aleksey is Manager and "Kill Bill" is Employee.
     >  
     >  Regards,
     >  
     >  Aleksey
     >  
     >  
     >  Anne,
     >  
     >  let's take that old example with Aleksey as Manager. What I propose is a
     >  role assignment policy like:
     >  
     >  
     >  <Policy>
     >   <Target>
     >    ResourceAttributeDesignator "role" = AttributeValue "Manager"
     >   </Target>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator 
     > "urn:oasis:names:xacml:2.0:subject:subject-id" = AttributeValue "Aleksey"
     >     ActionAttributeDesignator "action-id" = AttributeValue "enable"
     >    </Target>
     >   </Rule>
     >   <Rule Effect="Permit">
     >    <Target>
     >     SubjectAttributeDesignator "role-id" == AttributeValue "Employee"
     >     ActionAttributeDesignator "action-id" == AttributeValue "grant"
     >    </Target>
     >   </Rule>
     >  </Policy>
     >  
     >  So Aleksey will be granted the role attributes "Employee" and "Manager".
     >  Role policies remain "as is".
     >  The reference (to the "Employee" Permission Policy Set) is to be removed
     >  from the "Manager" permission policy set.
     >  
     >  Regards,
     >  
     >  Aleksey
     >  > 
     >  > -- 
     >  > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
     >  > Sun Microsystems Laboratories
     >  > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
     >  > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
     >  > 
     > -- 
     > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
     > Sun Microsystems Laboratories
     > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
     > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
     > 
     >  &gt; senior role that includes it. &amp;nbsp;That is not scalable to large&lt;br&gt;<br>
     >  &gt; distributed systems of roles. &amp;nbsp;To use your words, &amp;quot;This
     > opens&lt;br&gt;<br>
     >  &gt; another door for inconsistent policies where these statements are&lt;br&gt;<br>
     >  &gt; wrongly expressed.&amp;quot;&lt;br&gt;<br>
     >  &gt; &lt;br&gt;<br>
     >  &gt; No tool or administrator can know which senior roles include each&lt;br&gt;<br>
     >  &gt; junior role unless the tool is keeping a global index of all the&lt;br&gt;<br>
     >  &gt; policies that is updated every time a policy is changed.&lt;br&gt;<br>
     >  &gt; &lt;br&gt;<br>
     >  &gt; Having the tool manage only a single &amp;lt;PolicySet&amp;gt; at
     > a time seems&lt;br&gt;<br>
     >  &gt; to me to be a big plus in simplicity and scalability.&lt;br&gt;<br>
     >  &gt; &lt;br&gt;<br>
     >  &gt; Anne&lt;br&gt;<br>
     >  &gt; &lt;br&gt;<br>
     >  &gt; On 20 May, Aleksey Studnev writes: Fw: undefined&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; From: Aleksey Studnev &amp;lt;Aleksey_Studnev@exigengroup.com&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; To: Anne.Anderson@Sun.COM&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Subject: Fw: undefined&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Date: Thu, 20 May 2004 23:21:54 +0400&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Anne,&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; sorry for mistake, i of course reversed the hierarchy.
     > It should<br>
     >  &gt; look like:&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;PolicySet&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;Policy&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; ResourceAttributeDesignator &amp;quot;role&amp;quot;
     > = AttributeValue<br>
     >  &gt; &amp;quot;Manager&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Rule Effect=&amp;quot;Permit&amp;quot;&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;SubjectAttributeDesignator &amp;quot;urn:oasis:names:xacml:2.0:subject:subject-id&amp;quot;<br>
     >  &gt; = AttributeValue &amp;quot;Aleksey&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;ActionAttributeDesignator &amp;quot;action-id&amp;quot;
     > = AttributeValue<br>
     >  &gt; &amp;quot;enable&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Rule&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;/Policy&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;Policy&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; ResourceAttributeDesignator &amp;quot;role&amp;quot;
     > = AttributeValue<br>
     >  &gt; &amp;quot;Employee&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Rule Effect=&amp;quot;Permit&amp;quot;&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;SubjectAttributeDesignator &amp;quot;urn:oasis:names:xacml:2.0:subject:subject-id&amp;quot;<br>
     >  &gt; = AttributeValue &amp;quot;Kill Bill&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;ActionAttributeDesignator &amp;quot;action-id&amp;quot;
     > = AttributeValue<br>
     >  &gt; &amp;quot;enable&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Rule&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Rule Effect=&amp;quot;Permit&amp;quot;&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;SubjectAttributeDesignator &amp;quot;role-id&amp;quot;
     > == AttributeValue<br>
     >  &gt; &amp;quot;Manager&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;ActionAttributeDesignator &amp;quot;action-id&amp;quot;
     > == AttributeValue<br>
     >  &gt; &amp;quot;grant&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Rule&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;/Policy&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;/PolicySet&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Here Aleksey is Manager and &amp;quot;Kill Bill&amp;quot;
     > is Employee.&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Regards,&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Aleksey&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Anne,&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; lets take that old example with Aleksey Manager. What
     > i propose is<br>
     >  &gt; to roles assignment policy like:&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;Policy&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; ResourceAttributeDesignator &amp;quot;role&amp;quot;
     > = AttributeValue<br>
     >  &gt; &amp;quot;Manager&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Rule Effect=&amp;quot;Permit&amp;quot;&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;SubjectAttributeDesignator &amp;quot;urn:oasis:names:xacml:2.0:subject:subject-id&amp;quot;<br>
     >  &gt; = AttributeValue &amp;quot;Aleksey&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;ActionAttributeDesignator &amp;quot;action-id&amp;quot;
     > = AttributeValue<br>
     >  &gt; &amp;quot;enable&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Rule&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;Rule Effect=&amp;quot;Permit&amp;quot;&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;SubjectAttributeDesignator &amp;quot;role-id&amp;quot;
     > == AttributeValue<br>
     >  &gt; &amp;quot;Employee&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;nbsp;ActionAttributeDesignator &amp;quot;action-id&amp;quot;
     > == AttributeValue<br>
     >  &gt; &amp;quot;grant&amp;quot;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp; &amp;lt;/Target&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;nbsp;&amp;lt;/Rule&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &amp;lt;/Policy&amp;gt;&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; So Aleksey will be granted role attributes &amp;quot;Employee&amp;quot;
     > and<br>
     >  &gt; &amp;quot;Manager&amp;quot;.&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Role policies remains &amp;quot;as is&amp;quot;.&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Reference ( to &amp;quot;Employee&amp;quot; Permission
     > Policy Set) to be<br>
     >  &gt; removed from &amp;quot;Manager&amp;quot; permission policy set.&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Regards,&lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; &lt;br&gt;<br>
     >  &gt; &nbsp;&amp;gt; Aleksey&lt;br&gt;<br>
     >  &gt; &lt;br&gt;<br>
     >  &gt; -- &lt;br&gt;<br>
     >  &gt; Anne H. Anderson &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;
     > &amp;nbsp; Email: Anne.Anderson@Sun.COM&lt;br&gt;<br>
     >  &gt; Sun Microsystems Laboratories&lt;br&gt;<br>
     >  &gt; 1 Network Drive,UBUR02-311 &amp;nbsp; &amp;nbsp; Tel: 781/442-0928&lt;br&gt;<br>
     >  &gt; Burlington, MA 01803-0902 USA &amp;nbsp;Fax: 781/442-1692&lt;br&gt;<br>
     >  &gt; &lt;br&gt;<br>
     >  &gt; &lt;/tt&gt;&lt;/font&gt;<br>
     >  &gt; &lt;br&gt;<br>
     > <br>
     > -- <br>
     > Anne H. Anderson &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Email: Anne.Anderson@Sun.COM<br>
     > Sun Microsystems Laboratories<br>
     > 1 Network Drive,UBUR02-311 &nbsp; &nbsp; Tel: 781/442-0928<br>
     > Burlington, MA 01803-0902 USA &nbsp;Fax: 781/442-1692<br>
     > <br>
     > </tt></font>
     > <br>
    
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
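
The two role-hierarchy encodings argued over in this thread, modelled as an added example (not code from the thread, from either correspondent, or from the XACML TC). The thread's policies are pseudo-notation, so the dictionaries below are an assumption that stands in for them: encoding A is Aleksey's proposal, where the junior role's own policy carries a "grant" rule naming the senior role-ids whose holders receive it; encoding B is the approach Anne argues for, where the senior role's permission policy set references its immediate juniors' policy sets. The single-request function reproduces Anne's observation that asking whether "Anne" (holding only "Superuser") is in role "Employee" yields no Permit under A; the iterative variant is one reading of "you only need to include immediate roles" and is an assumption of mine, not something the thread specifies; the last function is the kind of global consistency check Anne says a tool would need to keep.

```python
from typing import Dict, Set, Tuple

# Constructed sample data mirroring the names used in the thread.
# Direct "enable" assignments: subject-id -> role-ids the subject holds.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "Anne": {"Superuser"},
    "Aleksey": {"Manager"},
    "Kill Bill": {"Employee"},
}

# Encoding A (Aleksey's proposal): junior role -> senior role-ids that a
# "grant" rule in the junior role's own policy names. Employee names only its
# immediate senior, Manager, exactly as in the thread's example.
GRANTS_A: Dict[str, Set[str]] = {
    "Manager": {"Superuser"},
    "Employee": {"Manager"},
}

# Encoding B (the approach Anne argues for): senior role -> immediate junior
# roles whose permission policy sets the senior's policy set references.
REFS_B: Dict[str, Set[str]] = {
    "Superuser": {"Manager"},
    "Manager": {"Employee"},
}


def single_request_a(subject: str, role: str) -> bool:
    """Encoding A evaluated with one XACML request, as Anne describes it:
    resource role=<role>, subject attributes = subject-id plus the role-ids
    the subject directly holds. Permit only if a rule in <role>'s policy
    matches those attributes."""
    held = ASSIGNMENTS.get(subject, set())
    return role in held or bool(held & GRANTS_A.get(role, set()))


def iterative_enable_a(subject: str) -> Set[str]:
    """Encoding A if the PEP re-submits after every grant (an assumed reading
    of 'you only need to include immediate roles'): each newly granted role-id
    is added to the subject's attributes and every role policy is evaluated
    again, until no further role is granted."""
    enabled = set(ASSIGNMENTS.get(subject, set()))
    while True:
        newly = {r for r, seniors in GRANTS_A.items()
                 if r not in enabled and enabled & seniors}
        if not newly:
            return enabled
        enabled |= newly


def roles_via_references_b(subject: str) -> Set[str]:
    """Encoding B: start from the directly held roles and follow policy-set
    references downward. Every reachable junior is enabled without its own
    policy ever having to name a senior."""
    enabled = set(ASSIGNMENTS.get(subject, set()))
    stack = list(enabled)
    while stack:
        for junior in REFS_B.get(stack.pop(), set()):
            if junior not in enabled:
                enabled.add(junior)
                stack.append(junior)
    return enabled


def missing_grants_a(intended: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Lint for encoding A: given the intended hierarchy (senior -> immediate
    juniors), report (junior, senior) pairs whose junior policy lacks the
    matching grant rule. This is the global index over all policies that Anne
    says a tool would have to maintain to catch 'wrongly expressed' rules."""
    return {(junior, senior)
            for senior, juniors in intended.items()
            for junior in juniors
            if senior not in GRANTS_A.get(junior, set())}


if __name__ == "__main__":
    print("single request, Anne in Employee (A):", single_request_a("Anne", "Employee"))
    print("iterative enable, Anne (A):", sorted(iterative_enable_a("Anne")))
    print("via references, Anne (B):", sorted(roles_via_references_b("Anne")))
    # Adding a new senior "Director" above Superuser under A requires editing
    # Superuser's policy; the lint reports that gap.
    print("missing grants after adding Director:",
          missing_grants_a({"Superuser": {"Manager"}, "Manager": {"Employee"},
                            "Director": {"Superuser"}}))
```

Under B the same change (a new senior role) touches only the new role's own policy set, which is the scalability point Anne makes; under A the junior policies have to change, and `missing_grants_a` is the kind of cross-policy check needed to notice when one of them was not updated.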
    
    

