OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Proposed standard for RBAC. Forwarded message from Anne Anderson.


    Posted 04-15-2003 14:48
    Carlisle and Hal,

    Edwin DeSouza pointed me to this proposed "voluntary consensus
    standard".  I did a quick read, and believe their requirements
    can be met easily with profiles of XACML.

    Could you try to set up a joint call with the NIST team that is
    working on this standard to see if we can work together?  It does
    not seem beneficial to the industry to have competing standards
    for access control.

    ------- start of forwarded message -------
    From: Anne Anderson <Anne.Anderson@sun.com>
    To: David Ferraiolo <david.ferraiolo@nist.gov>, Rick Kuhn <kuhn@nist.gov>,
       Ramaswamy Chandramouli <mouli@nist.gov>, John Barkley <jbarkley@nist.gov>,
    Subject: [xacml] Proposed standard for RBAC
    Date: Tue, 15 Apr 2003 10:40:13 -0400

    http://csrc.nist.gov/rbac/ proposes a "voluntary consensus
    standard for role based access control", available at

    Have you considered building on the OASIS eXtensible Access
    Control Markup Language (XACML)?  This was approved as an OASIS
    Standard in February of 2003, there are two Open Source
    implementations available, and it is receiving generally good
    acceptance by the industry.  For more information, see

    XACML supports the Core RBAC role and permission models quite
    well: multiple roles per user, multiple users per role, multiple
    permissions per role, multiple roles per permission, and
    simultaneous exercise of permissions of multiple roles.  XACML
    does not specify the mechanisms for how role attributes are
    assigned to users, but supports all the above models.  NIST might
    find it advantageous to develop Core RBAC as a profile of XACML,
    rather than trying to create yet another language.

    XACML can also support Hierarchical RBAC ("junior" roles acquire
    the user membership of their "senior" roles, and "senior" roles
    acquire the permissions of their "juniors") using XACML's
    mechanism for including one set of policies inside another by
    reference.  NIST again might find it advantageous to profile
    XACML to support Hierarchical RBAC.

    I will ask the XACML Co-Chairs, Carlisle Adams (Entrust) and Hal
    Lockhart (BEA), to see if we can set up a joint conference call
    to discuss ways of working together.  Meanwhile, I expect several
    XACML members will be reviewing the proposed NIST standard
    closely to determine whether there are specific requirements that
    XACML is not currently able to handle.

    Yours truly,
    Anne Anderson

    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    ------- end of forwarded message -------
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692