directory-users mailing list archives

From Vincent Tence <>
Subject RE: Can rules support dynamical role promotion?
Date Thu, 24 Mar 2005 21:06:25 GMT

> Vincent:
> I have done quite some research on RBAC these days. I found the most
> confusing point is how to define the policy to link a subject to an
> object. And that's what I think AuthX is doing.

If you mean that AuthX lets you specify rules that depend on the data
being accessed, the answer is yes. I don't know how to do that with RBAC.

> However, with a
> large user system with complicated rules, it seems that we need to define
> a rule syntax and schema, so we could exchange (import/export) between
> different systems.
> Am I right?

AuthX is just a framework for building a secure application. It's not a
spec ;-) That would have to be built on top of AuthX I suppose.

> Minggui
> -----Original Message-----
> From: Vincent Tence []
> Sent: Monday, March 21, 2005 2:39 PM
> To:
> Subject: Re: Can rules support dynamical role promotion?
>> Vincent:
>> I have come to realize Rule Based Access Control has many more advantages
>> over Role Based, for its flexibility and extensibility.
> I came to the same conclusion. When AuthX's ancestor was born at
> sourceforge, I came across the limitations of Role Based Access Control.
> I believe Rule Based is much more powerful but is harder to implement
> and configure.
>> But is there a clear
>> design rule on the Rules themselves?
> The only requirement for the rule is to vote on an authorization request.
> The Rule interface captures this:
> public interface Rule
> {
>     void evaluate( AuthorizationRequest request );
> }
>> RBAC is a standard and defines
>> hierarchical roles and SOD, but how could it be addressed inside the
>> Rule?
> The idea is that rules will use information contained in the Subject in
> the form of Principals to decide on an authorization request vote. What
> this means for Role Based Access Control is that the subject is populated
> with RolePrincipal(s) during the authentication process. Those principals
> will be subsequently used by the rules.
> Role hierarchy is really easy to implement this way. Have a look at the
> code in core/org.apache.authx.authentication.attribute and the example app
> for an application of this.
> Cheers,
> -- Vincent
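
The voting model described in this message, as an added example that is not AuthX code and not part of the original post. Only the shape of the Rule interface comes from the message; AuthorizationRequest's fields and methods, UserPrincipal, RolePrincipal, Document, the role names and the deny-wins tally are hypothetical stand-ins, and Java 16 or later is assumed for records.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class RuleVotingExample {
    // Rule has the shape quoted in the message; every other type is a hypothetical stand-in.
    interface Rule { void evaluate(AuthorizationRequest request); }
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    record Document(String owner) {}
    static final class AuthorizationRequest {
        final Subject subject; final String action; final Document target;
        private boolean granted, denied;
        AuthorizationRequest(Subject s, String a, Document t) { subject = s; action = a; target = t; }
        void grant() { granted = true; }
        void deny() { denied = true; }
        boolean isAllowed() { return granted && !denied; } // a deny vote wins; no vote means refused
        boolean has(Principal p) { return subject.getPrincipals().contains(p); }
    }
    // Constructed hierarchy: a role implies every role listed for it.
    static final Map<String, List<String>> IMPLIES =
        Map.of("admin", List.of("editor"), "editor", List.of("reader"));
    // Authentication populates the Subject with the role and all roles it implies.
    static Subject authenticate(String user, String role) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        Deque<String> todo = new ArrayDeque<>(List.of(role));
        for (String r; (r = todo.poll()) != null; )
            if (s.getPrincipals().add(new RolePrincipal(r))) todo.addAll(IMPLIES.getOrDefault(r, List.of()));
        return s;
    }
    // Role rule: votes from principals alone ("read" needs reader, anything else needs editor).
    static final Rule ROLE_RULE = req -> {
        if (req.has(new RolePrincipal(req.action.equals("read") ? "reader" : "editor"))) req.grant();
    };
    // Owner rule: depends on the data being accessed; only the document's owner may write it.
    static final Rule OWNER_RULE = req -> {
        if (req.action.equals("write") && !req.has(new UserPrincipal(req.target.owner()))) req.deny();
    };
    static boolean authorize(Subject s, String action, Document d) {
        AuthorizationRequest req = new AuthorizationRequest(s, action, d);
        for (Rule rule : List.of(ROLE_RULE, OWNER_RULE)) rule.evaluate(req);
        return req.isAllowed();
    }
    public static void main(String[] args) {
        Document doc = new Document("bob"); // constructed sample data
        System.out.println(authorize(authenticate("alice", "admin"), "read", doc));  // role via hierarchy
        System.out.println(authorize(authenticate("alice", "admin"), "write", doc)); // alice is not the owner
        System.out.println(authorize(authenticate("bob", "editor"), "write", doc));  // owner with editor role
    }
}
```

Because the hierarchy is expanded once at authentication, the role rule only ever checks for a single principal, while the owner rule shows the data-dependent decision that roles alone cannot express.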
