directory-users mailing list archives

Subject RE: Can rules support dynamical role promotion?
Date Thu, 24 Mar 2005 18:45:00 GMT
I have done quite a bit of research on RBAC these days. I found the most confusing point is how
to define the policy that links a subject to an object, and that's what I think AuthX
is doing. However, with a large user system with complicated rules, it seems that we need
to define a rule syntax and schema, so we could exchange (import/export) between different
Am I right?


-----Original Message-----
From: Vincent Tence []
Sent: Monday, March 21, 2005 2:39 PM
Subject: Re: Can rules support dynamical role promotion?

> Vincent:
> I come to realize Rule Based Access Control has much more advantages over
> Role Based, for its flexibility and extensibility.

I came to the same conclusion. When AuthX's ancestor was born at
SourceForge, I came across the limitations of Role Based Access Control.
I believe Rule Based is much more powerful but is harder to implement
and configure.

> But is there a clear
> design rule on the Rules themselves?

The only requirement for the rule is to vote on an authorization request.
The Rule interface captures this:

public interface Rule {
    void evaluate( AuthorizationRequest request );
}

> RBAC is a standard and defines
> hierarchical roles and SOD, but how could it be addressed inside the Rule?

The idea is that rules will use information contained in the Subject in
the form of Principals to decide on an authorization request vote. What
this means for Role Based Access Control is that the subject is populated
with RolePrincipal(s) during the authentication process. Those principals
will be subsequently used by the rules.

Role hierarchy is really easy to implement this way. Have a look at the
code in core/org.apache.authx.authentication.attribute and the example app
for an application of this.

-- Vincent
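The design Vincent describes (rules that only vote on an AuthorizationRequest, a Subject populated with RolePrincipals at authentication time, and role hierarchy handled while populating the Subject) as an added, self-contained sketch. This is example code written for this archive page, not AuthX's own code: every name here (Vote, RolePrincipal, AuthorizationRequest, RoleHierarchy, RequiresRoleRule, SeparationOfDutyRule, decide) is invented, the user store is constructed inline, and the way votes are combined (any DENY wins, otherwise at least one GRANT is required) is an assumption the thread does not specify. It also goes one step beyond the quoted text by showing how a static separation-of-duty constraint can be expressed as just another rule over the same principals.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Hypothetical sketch of rule-based authorization over role principals.
// All class names below are invented for this example; they are not AuthX's API.
public class RuleVoteExample {

    enum Vote { GRANT, DENY }

    /** A role carried on the Subject, attached during authentication. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** What a rule votes on: who (Subject), which action, on which resource. */
    static final class AuthorizationRequest {
        final Subject subject; final String action; final String resource;
        final List<Vote> votes = new ArrayList<>();
        AuthorizationRequest(Subject s, String action, String resource) {
            this.subject = s; this.action = action; this.resource = resource;
        }
        void vote(Vote v) { votes.add(v); }
        /** Role names read back from the RolePrincipals on the Subject. */
        Set<String> roles() {
            Set<String> out = new HashSet<>();
            for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) out.add(p.getName());
            return out;
        }
    }

    /** Same shape as the interface quoted in the thread: a rule only votes. */
    interface Rule { void evaluate(AuthorizationRequest request); }

    /** Role hierarchy: inherits("admin", "editor") means admin gets everything editor has. */
    static final class RoleHierarchy {
        private final Map<String, Set<String>> parents = new HashMap<>();
        RoleHierarchy inherits(String child, String parent) {
            parents.computeIfAbsent(child, k -> new HashSet<>()).add(parent);
            return this;
        }
        /** Transitive closure of the directly assigned roles; cycle-safe because of the seen set. */
        Set<String> expand(Collection<String> direct) {
            Set<String> seen = new HashSet<>();
            Deque<String> todo = new ArrayDeque<>(direct);
            while (!todo.isEmpty()) {
                String r = todo.pop();
                if (seen.add(r)) todo.addAll(parents.getOrDefault(r, Collections.emptySet()));
            }
            return seen;
        }
    }

    /** Authentication step: look up direct roles, expand through the hierarchy, attach as principals. */
    static Subject authenticate(String user, Map<String, Set<String>> userRoles, RoleHierarchy h) {
        Subject s = new Subject();
        for (String role : h.expand(userRoles.getOrDefault(user, Collections.emptySet())))
            s.getPrincipals().add(new RolePrincipal(role));
        return s;
    }

    /** Votes GRANT when the subject holds the role required for this action on this resource. */
    static final class RequiresRoleRule implements Rule {
        final String action, resource, role;
        RequiresRoleRule(String action, String resource, String role) {
            this.action = action; this.resource = resource; this.role = role;
        }
        public void evaluate(AuthorizationRequest req) {
            if (req.action.equals(action) && req.resource.equals(resource) && req.roles().contains(role))
                req.vote(Vote.GRANT);
        }
    }

    /** Static separation of duty: a subject holding both conflicting roles is always denied. */
    static final class SeparationOfDutyRule implements Rule {
        final String a, b;
        SeparationOfDutyRule(String a, String b) { this.a = a; this.b = b; }
        public void evaluate(AuthorizationRequest req) {
            Set<String> roles = req.roles();
            if (roles.contains(a) && roles.contains(b)) req.vote(Vote.DENY);
        }
    }

    /** Assumed combination policy: any DENY wins; otherwise at least one GRANT is needed (default deny). */
    static boolean decide(List<Rule> rules, AuthorizationRequest req) {
        for (Rule r : rules) r.evaluate(req);
        return !req.votes.contains(Vote.DENY) && req.votes.contains(Vote.GRANT);
    }

    public static void main(String[] args) {
        RoleHierarchy h = new RoleHierarchy().inherits("admin", "editor").inherits("editor", "viewer");
        Map<String, Set<String>> users = new HashMap<>();   // constructed sample user store
        users.put("alice", new HashSet<>(Arrays.asList("admin")));
        users.put("bob",   new HashSet<>(Arrays.asList("viewer")));
        users.put("carol", new HashSet<>(Arrays.asList("payer", "approver")));
        List<Rule> rules = Arrays.asList(
            new RequiresRoleRule("read",  "/docs", "viewer"),
            new RequiresRoleRule("write", "/docs", "editor"),
            new RequiresRoleRule("pay",   "/invoices", "payer"),
            new SeparationOfDutyRule("payer", "approver"));
        String[][] queries = {{"alice", "write", "/docs"}, {"bob", "write", "/docs"},
                              {"bob", "read", "/docs"}, {"carol", "pay", "/invoices"}};
        for (String[] q : queries) {
            AuthorizationRequest req = new AuthorizationRequest(authenticate(q[0], users, h), q[1], q[2]);
            System.out.println(q[0] + " " + q[1] + " " + q[2] + " -> " + (decide(rules, req) ? "GRANT" : "DENY"));
        }
    }
}
```

The point to notice is where the hierarchy lives: it is resolved once, in authenticate(), so alice's Subject carries admin, editor and viewer as separate RolePrincipals and the rules never need to know that admin implies editor. The separation-of-duty constraint needs no special support either; it is a rule that reads the same principals and votes DENY, which is why carol's pay request is refused even though she holds the payer role. Whether a DENY should always win is a policy decision; if you change decide(), make that choice explicit and test it, because it is the part of the design that turns individual votes into an access decision.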
