directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Closed: (DIR-139) Rewrite authorization to use a rule based strategy
Date Wed, 06 May 2009 15:55:32 GMT

     [ https://issues.apache.org/jira/browse/DIR-139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Emmanuel Lecharny closed DIR-139.
---------------------------------

    Assignee:     (was: Vincent Tence)

> Rewrite authorization to use a rule based strategy
> --------------------------------------------------
>
>                 Key: DIR-139
>                 URL: https://issues.apache.org/jira/browse/DIR-139
>             Project: Directory
>          Issue Type: New Feature
>          Components: sandbox
>            Reporter: Vincent Tence
>
> Currently, the focus on Role Based Access Control is too strong and the code cannot accomodate
other security policy needs. A better approach is to use a rule based strategy.
> Rules are domain specific. A rule generally governs a set of permissions and applies
to a set of subjects. If a rule condition is satisfied, the consequence is that the rule effect
applies. Otherwise the rule is not applicable or the rule effect is indeterminate. 
> Following are examples of rules:
> 1. A person is granted read access to medical files if the person's role is Doctor
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is in role doctor
> Effect is grant permission
> 2. A person is denied read access to medical files if the person's role is not doctor
or indeterminate
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is not in role doctor or subject's role is indeterminate
> Effect is deny permission
> Generally, the condition is evaluated based on attributes of the subject. In the previous
examples, prior to authorization, subject will be populated with the required attributes (i.e
Doctor role).
> A policy will hold a set of rules and an algorithm for combining rule effects. When multiple
rule effects apply, a decision process needs to take place.
> The Authorizer will based its final decision on outcome of the different applicable policies
for the given permission and given subject.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message