directory-users mailing list archives

From: Vincent Tence
Subject: Re: Can rules support dynamical role promotion?
Date: Mon, 21 Mar 2005 19:39:25 GMT

> Vincent:
> I come to realize Rule Based Access Control has many more advantages over
> Role Based, for its flexibility and extensibility.

I came to the same conclusion. When AuthX's ancestor was born at
sourceforge, I came across the limitations of Role Based Access Control.
I believe Rule Based is much more powerful but is harder to implement
and configure.

> But is there a clear
> design rule on the Rules themselves?

The only requirement for the rule is to vote on an authorization request.
The Rule interface captures this:

public interface Rule {
    // Each rule casts its vote on the given authorization request.
    void evaluate( AuthorizationRequest request );
}

> RBAC is a standard and defines
> hierarchical roles and SOD, but how could it be addressed inside the Rule?

The idea is that rules will use information contained in the Subject in
the form of Principals to decide on an authorization request vote. What
this means for Role Based Access Control is that the subject is populated
with RolePrincipal(s) during the authentication process. Those principals
will be subsequently used by the rules.

Role hierarchy is really easy to implement this way. Have a look at the
code in core/org.apache.authx.authentication.attribute and the example app
for an application of this.

-- Vincent
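
The approach described in the message above, as an added example that is not part of the original post and not AuthX code: a rule that votes by walking a role hierarchy from the RolePrincipals found on the Subject. Only the Rule.evaluate signature comes from the message; RolePrincipal, AuthorizationRequest (including grant()/deny()), RequiresRoleRule and the role names are hypothetical stand-ins, and Subject is the standard javax.security.auth.Subject.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class RoleHierarchyRuleDemo {
    // Hypothetical stand-ins: AuthX's real classes are not shown in the message.
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    static final class AuthorizationRequest {
        final Subject subject; final String resource;
        private Boolean vote; // null until a rule votes
        AuthorizationRequest(Subject s, String r) { subject = s; resource = r; }
        void grant() { vote = Boolean.TRUE; }
        void deny() { vote = Boolean.FALSE; }
        boolean granted() { return Boolean.TRUE.equals(vote); } // no vote is treated as deny
    }
    interface Rule { void evaluate(AuthorizationRequest request); } // shape taken from the message

    // Grants when a RolePrincipal on the Subject is, or inherits from, the required role.
    static final class RequiresRoleRule implements Rule {
        private final String resource, requiredRole;
        private final Map<String, Set<String>> juniors; // role -> roles it directly inherits
        RequiresRoleRule(String resource, String requiredRole, Map<String, Set<String>> juniors) {
            this.resource = resource; this.requiredRole = requiredRole; this.juniors = juniors;
        }
        public void evaluate(AuthorizationRequest request) {
            if (!resource.equals(request.resource)) return; // other resource: abstain
            for (RolePrincipal p : request.subject.getPrincipals(RolePrincipal.class))
                if (implies(p.name(), new HashSet<>())) { request.grant(); return; }
            request.deny();
        }
        private boolean implies(String role, Set<String> seen) {
            if (role.equals(requiredRole)) return true;
            if (!seen.add(role)) return false; // already visited: guards against cyclic hierarchies
            for (String junior : juniors.getOrDefault(role, Set.of()))
                if (implies(junior, seen)) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        Map<String, Set<String>> juniors = Map.of("admin", Set.of("editor"), "editor", Set.of("viewer"));
        Rule rule = new RequiresRoleRule("/reports", "viewer", juniors);
        for (String role : List.of("admin", "guest")) { // constructed sample subjects
            Subject subject = new Subject();
            subject.getPrincipals().add(new RolePrincipal(role)); // done at authentication time
            AuthorizationRequest request = new AuthorizationRequest(subject, "/reports");
            rule.evaluate(request);
            System.out.println(role + " -> " + (request.granted() ? "GRANT" : "DENY"));
        }
    }
}
```

Treating a missing vote as a denial keeps the default closed when no rule matches the requested resource.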
