OASIS eXtensible Access Control Markup Language (XACML) TC


XACML Profile for Role Based Access Control (RBAC)

  • 1.  XACML Profile for Role Based Access Control (RBAC)

    Posted 02-13-2004 14:32


    Subject: XACML Profile for Role Based Access Control (RBAC)


    Colleagues,
    
    I have re-formatted the RBAC profile as a Committee
    Specification, and this new version is attached as a PDF file.  I
    have cleaned up lots of formatting, spelling, grammar,
    etc. errors that were in the working draft.
    
    Three notes, the first of which concerns a change that perhaps
    exceeds the bounds of editorial discretion:
    
    1) Section 1.5 Multi-Role Permissions
    
       Previously, this non-normative section said:
    
         "The permissions associated with a given Multi-Role
         <PolicySet>, however, may be inherited only by other
         multi-role policies that require a superset of the roles
         required by the given multi-role policy.  This is because
         the <Target> of the Role <PermissionSet> associated with the
         multi-role policy will screen out any Subject that does not
         possess at least the set of roles required by the given
         multi-role policy."
    
       During my close edit reading, I realized that this statement
       is incorrect and also conflicts with the rest of the document;
       it assumed that the other role would include the multi-role
       Role <PolicySet>, which includes the role-restricting Target,
       rather than the multi-role Permission <PolicySet>, which
       contains an "any" Target.  Elsewhere, the text is very clear
       that to include the permissions of another role, you include
       that role's Permission <PolicySet>, not that role's Role
       <PolicySet>.
    
       I have reworded this to say:
    
         "The permissions associated with a given multi-role <PolicySet>
         may also be inherited by another role if the other role
         includes a reference to the Permission <PolicySet> associated
         with the multi-role policy in its own Permission <PolicySet>."
    
       If anyone objects to this change, please say so.
    
    2) The line numbers in the examples use a different line number
       sequence from the line numbers in the rest of the text.  This
       seems to be a "feature" of StarOffice, so I hope you can live
       with it.  The line numbers in the examples end in a ".",
       whereas the line numbers in the text do not, so it is possible
       to specify the series of numbers to which you are referring.
    
    3) The document's title page says its location is
       "http://docs/oasis-open.org/xacml/cs-xacml-rbac-profile-01.pdf".
       The document is not located there now (since this edit has not
       been approved yet), but will be uploaded into the location by
       the OASIS webmaster once I give her the version to use.  This
       makes use of a little-known OASIS manual mechanism for
       reserving a URL for use by a committee specification or
       standard rather than using the Kavi repository, which assigns
       the URL only as it is being uploaded.
    
    I will await a decision from the chairs as to when this version
    should be uploaded as the accepted Committee Specification.
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
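
Added example (not part of the message above or of the profile text): a simplified Python model of the point made in note 1. The roles buyer, auditor and director, the policy ids and the permissions are hypothetical. It shows that a reference to the multi-role Role <PolicySet> screens out a Subject lacking the required roles, while a reference to the multi-role Permission <PolicySet> passes the permissions on.

```python
# Simplified model of the RBAC profile's PolicySet layout; not a XACML engine.
from dataclasses import dataclass, field
from typing import Optional

ANY = None  # stands in for an "any" <Target>

@dataclass
class PolicySet:
    target_roles: Optional[frozenset]  # roles the Subject must hold; ANY matches all
    permissions: set = field(default_factory=set)    # (resource, action) pairs
    references: list = field(default_factory=list)   # ids of referenced PolicySets

def evaluate(store, ps_id, subject_roles, request):
    """Return "Permit" if ps_id, or anything it references, grants the request."""
    ps = store[ps_id]
    # A role-restricting Target screens out Subjects lacking any required role.
    if ps.target_roles is not ANY and not ps.target_roles <= subject_roles:
        return "NotApplicable"
    if request in ps.permissions:
        return "Permit"
    for ref in ps.references:
        if evaluate(store, ref, subject_roles, request) == "Permit":
            return "Permit"
    return "NotApplicable"

SIGN_OFF = ("purchase-log", "sign-off")  # constructed multi-role permission

def build_store(director_includes):
    """Hypothetical policies; director's Permission PolicySet references director_includes."""
    return {
        "RPS:buyer+auditor": PolicySet(frozenset({"buyer", "auditor"}),
                                       references=["PPS:buyer+auditor"]),
        "PPS:buyer+auditor": PolicySet(ANY, permissions={SIGN_OFF}),
        "RPS:director": PolicySet(frozenset({"director"}),
                                  references=["PPS:director"]),
        "PPS:director": PolicySet(ANY, permissions={("budget", "approve")},
                                  references=[director_includes]),
    }

def director_decision(director_includes, subject_roles):
    """Decision for SIGN_OFF, entering through the director Role PolicySet."""
    store = build_store(director_includes)
    return evaluate(store, "RPS:director", frozenset(subject_roles), SIGN_OFF)

if __name__ == "__main__":
    for ref in ("RPS:buyer+auditor", "PPS:buyer+auditor"):
        for roles in ({"director"}, {"director", "buyer", "auditor"}):
            print(ref, sorted(roles), director_decision(ref, roles))
```

In this model, evaluating a Permission PolicySet directly permits any Subject because its Target is "any", so the role check only holds when evaluation enters through a Role PolicySet.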
    
    
