In the last sentence, do you mean a role assignment policy by
'anyone with the X role also has the Y role'?
If so, the role assignment might be done in the authentication step,
not authorization step. If not, could you explain more in detail,
particularly cases that <role> is specified in the <object>.
regards,
Michiharu Kudo
Internet Technology TEL +81-46-215-4642
Tokyo Research Laboratory FAX +81-46-273-7428
IBM Japan Ltd. Internet: kudo@jp.ibm.com
From: Phillip Hallam-Baker <pbaker@verisign.com> on 2001/05/31 19:49
Please respond to Phillip Hallam-Baker <pbaker@verisign.com>
To: Marlena Erdos/Austin/Contr/IBM@IBMUS, "'xacml@lists.oasis-open.org'"
<xacml@lists.oasis-open.org>
cc:
Subject: RE: XACML TC Charter Revision - Strawman
I agree with Marlena, keep the term 'subject' to refer to the principal
regardless of whether it be one principal or a set of principals.
So for example an XACML <Role> could be a principal, indicating that anyone
with the specified Role had the specified relationship to the <Object>.
It is essential to differentiate the occurrence of a <role> in the <subject>
and the occurrence of a <role> in the <object>. A particular assertion might
even have roles in both locations 'anyone with the X Role also has the Y
role' - very useful for mapping external roles and attributes onto locally
defined roles.
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227
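An added example (not from the thread or from any XACML specification) of what Phill's message describes: a toy policy store that keeps a role in the <subject> position distinct from a role in the <object> position, and treats 'anyone with the X role also has the Y role' as a mapping assertion applied before the access check. The Assertion shape, the relationship names and the sample data are assumptions.

```python
# Added example, not code from the thread. The assertion shape, the
# relationship names and the evaluation order are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    subject_role: str   # role in the <subject> position (who the assertion is about)
    relationship: str   # "has-role" for a role mapping, otherwise an access action
    obj: str            # a role when relationship is "has-role", else a resource

def expand_roles(direct_roles, assertions):
    """Role-mapping step: apply 'has-role' assertions until no new role appears.

    Roles only flow from the <subject> side of a mapping to its <object> side,
    so a role that appears only in <object> position never grants itself."""
    roles = set(direct_roles)
    mappings = {}
    for a in assertions:
        if a.relationship == "has-role":
            mappings.setdefault(a.subject_role, set()).add(a.obj)
    frontier = list(roles)
    while frontier:                      # closure loop; the roles set stops cycles
        r = frontier.pop()
        for mapped in mappings.get(r, ()):
            if mapped not in roles:
                roles.add(mapped)
                frontier.append(mapped)
    return roles

def is_permitted(direct_roles, assertions, action, resource):
    """Authorization step: evaluate access assertions against the expanded roles."""
    roles = expand_roles(direct_roles, assertions)
    return any(a.relationship == action and a.obj == resource
               and a.subject_role in roles
               for a in assertions)

# Constructed sample: an external role mapped onto a local role, which in turn
# maps onto a narrower local role; access rules name only local roles.
SAMPLE = [
    Assertion("partner-admin", "has-role", "local-editor"),  # roles in both positions
    Assertion("local-editor", "has-role", "local-reader"),
    Assertion("local-reader", "read", "/reports/q1"),
    Assertion("local-editor", "write", "/reports/q1"),
]
```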