Subject: Re: [xacml] summary of Frank's delegation proposal
Daniel Engovatov wrote:
>>(as admin and delegation policy statement are about policies about
>>policies, maybe we should call them meta-policies ;-)
>
>
> That is about what I thought.
>
> My interpretation of the "delegation" term, is a transmission of access
> decisions within single policy - mapping of context space onto itself.
> That means - if access is given for one state of context -> delegate it
> to some other state of context (other subject etc.). Here you are
> talking about mapping in between different contexts, policies.
>
> Any good references on the usage of the "delegation"?

Its usage is all over the map...

I'd like to think in terms of "delegation of rights", which makes it slightly
more explicit.

The presented model only supports a policy statement about the delegation of
administrative rights not access rights.

In order to allow someone to delegate her access rights, we would need two
policy statements: one policy statement that gives her the access rights, and
another policy statement that gives her the right to administer the access right
for certain users on that resource.

Note that the latter policy statement is a pure administrative statement and
does not imply any delegation of rights; only the two statements taken together
constitute a "delegation of access right" capability.

(Ough...)

-Frank.
--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
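
The two-statement distinction drawn in the message above, as an added toy model that is not part of the original post and is not XACML syntax or the proposal's schema. The `Access` and `Admin` classes, the `ROOT` authority, the single level of administration and the sample users are all assumptions made for illustration.

```python
from dataclasses import dataclass

ROOT = "root"  # assumption: a single trusted policy authority

@dataclass(frozen=True)
class Access:            # "subject may perform action on resource"
    issuer: str
    subject: str
    resource: str
    action: str

@dataclass(frozen=True)
class Admin:             # "administrator may issue Access statements for grantees"
    issuer: str
    administrator: str
    resource: str
    action: str
    grantees: frozenset

def issuer_authorized(stmt, admins):
    """Honour an Access statement only if ROOT or an authorised administrator issued it."""
    if stmt.issuer == ROOT:
        return True
    return any(a.issuer == ROOT and a.administrator == stmt.issuer
               and (a.resource, a.action) == (stmt.resource, stmt.action)
               and stmt.subject in a.grantees for a in admins)

def has_access(subject, resource, action, accesses, admins):
    """True if some honoured Access statement names this subject, resource and action."""
    return any((s.subject, s.resource, s.action) == (subject, resource, action)
               and issuer_authorized(s, admins) for s in accesses)

def classify_grant(stmt, accesses, admins):
    """Return 'rejected', 'administration' or 'delegation' for an issued Access statement."""
    if not issuer_authorized(stmt, admins):
        return "rejected"        # access right alone does not let the issuer pass it on
    if has_access(stmt.issuer, stmt.resource, stmt.action, accesses, admins):
        return "delegation"      # issuer holds the right and may administer it
    return "administration"      # issuer administers a right she does not hold

# Constructed sample policy set (not from the thread)
ADMINS = [Admin(ROOT, "alice", "doc", "read", frozenset({"bob"})),
          Admin(ROOT, "carol", "doc", "read", frozenset({"dave"}))]
ACCESSES = [Access(ROOT, "alice", "doc", "read"),
            Access(ROOT, "erin", "doc", "read"),
            Access("alice", "bob", "doc", "read"),    # alice: access + admin
            Access("carol", "dave", "doc", "read"),   # carol: admin only
            Access("erin", "frank", "doc", "read")]   # erin: access only
```
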