directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vincent Tence (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Resolved: (DIRJANUS-23) Rewrite authorization to use a rule based strategy
Date Fri, 19 Nov 2004 02:36:27 GMT
     [ http://nagoya.apache.org/jira/browse/DIRJANUS-23?page=history ]
     
Vincent Tence resolved DIRJANUS-23:
-----------------------------------

    Resolution: Fixed

Implemented in sanbox

> Rewrite authorization to use a rule based strategy
> --------------------------------------------------
>
>          Key: DIRJANUS-23
>          URL: http://nagoya.apache.org/jira/browse/DIRJANUS-23
>      Project: Directory Janus
>         Type: Improvement
>   Components: Core
>     Reporter: Vincent Tence
>     Assignee: Vincent Tence

>
> Currently, the focus on Role Based Access Control is too strong and the code cannot accomodate
other security policy needs. A better approach is to use a rule based strategy.
> Rules are domain specific. A rule generally governs a set of permissions and applies
to a set of subjects. If a rule condition is satisfied, the consequence is that the rule effect
applies. Otherwise the rule is not applicable or the rule effect is indeterminate. 
> Following are examples of rules:
> 1. A person is granted read access to medical files if the person's role is Doctor
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is in role doctor
> Effect is grant permission
> 2. A person is denied read access to medical files if the person's role is not doctor
or indeterminate
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is not in role doctor or subject's role is indeterminate
> Effect is deny permission
> Generally, the condition is evaluated based on attributes of the subject. In the previous
examples, prior to authorization, subject will be populated with the required attributes (i.e
Doctor role).
> A policy will hold a set of rules and an algorithm for combining rule effects. When multiple
rule effects apply, a decision process needs to take place.
> The Authorizer will based its final decision on outcome of the different applicable policies
for the given permission and given subject.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://nagoya.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


Mime
View raw message