Subject: Re: [xacml] delegation constraints schema
Simon,

This seems good to me. However, I don't think re-applying the
constraints on the immediate delegate to re-delegates is a good idea. If
someone satisfies the constraints of the immediate delegate, there is no
need for someone else to delegate to him, since he already has the
administrative right himself.

I agree with you that the DelegationConstraint should be optional. If it
is present, re-delegates have to meet it. If it is not present, there is
no constraint on re-delegates.

Best regards, Erik

Simon wrote:
> (See Erik's msg on delegation constraint)
> Delegation constraint can be expressed by having a
> <DelegationConstraint> element as a child of <Delegate>
>
> Note that constraints on the immediate delegate can be applied to
> re-delegates and then delegation-constraint is not needed.
>
> <Target>
>   <Delegate>
>     <SubjectMatch>....</SubjectMatch>   <- ONE OR MORE (Constraints on immediate delegate)
>     <DelegationConstraint>              <-- OPTIONAL (Constraints on re-delegates)
>       <SubjectMatch>....</SubjectMatch> <-- ONE OR MORE
>       <SubjectMatch>...</SubjectMatch>
>     </DelegationConstraint>
>   </Delegate>
> </Target>
>
> Simon
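
The rule discussed in this exchange, as an added example that is not part of the original messages or of any XACML specification text: the immediate delegate must satisfy the `<SubjectMatch>` children of `<Delegate>`, and re-delegates are checked only against `<DelegationConstraint>`, with no check at all when that element is absent. The `AttributeId`/`Value` attributes, the sample policy, the conjunctive matching and the function names are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a concrete form of the sketch in the thread. The
# AttributeId/Value attributes on <SubjectMatch> are a simplification assumed
# for this example, not XACML schema syntax.
POLICY_TARGET = """
<Target>
  <Delegate>
    <SubjectMatch AttributeId="role" Value="manager"/>
    <DelegationConstraint>
      <SubjectMatch AttributeId="org" Value="example-corp"/>
      <SubjectMatch AttributeId="clearance" Value="staff"/>
    </DelegationConstraint>
  </Delegate>
</Target>
"""

def _matches(match_elems, subject):
    """True if the subject satisfies every <SubjectMatch> (assumed conjunctive)."""
    return all(subject.get(m.get("AttributeId")) == m.get("Value") for m in match_elems)

def parse_delegate(target_xml):
    """Return (immediate_matches, redelegate_matches or None if unconstrained)."""
    delegate = ET.fromstring(target_xml).find("Delegate")
    if delegate is None:
        raise ValueError("Target has no <Delegate>")
    immediate = delegate.findall("SubjectMatch")  # direct children only
    if not immediate:
        raise ValueError("<Delegate> needs at least one <SubjectMatch>")
    constraint = delegate.find("DelegationConstraint")
    if constraint is None:
        return immediate, None
    redelegate = constraint.findall("SubjectMatch")
    if not redelegate:
        raise ValueError("<DelegationConstraint> needs at least one <SubjectMatch>")
    return immediate, redelegate

def chain_allowed(target_xml, chain):
    """chain[0] is the immediate delegate; chain[1:] are re-delegates in order."""
    immediate, redelegate = parse_delegate(target_xml)
    if not chain or not _matches(immediate, chain[0]):
        return False
    if redelegate is None:  # element absent: re-delegates are unconstrained
        return True
    # Re-delegates are checked against the constraint only, never against the
    # immediate-delegate matches.
    return all(_matches(redelegate, s) for s in chain[1:])
```
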