directory-users mailing list archives

From <Minggui_C...@ibi.com>
Subject RE: Can rules support dynamical role promotion?
Date Fri, 25 Mar 2005 16:27:37 GMT
Thanks for your answer. I do agree.

-----Original Message-----
From: Vincent Tence [mailto:vtence@videotron.ca]
Sent: Thursday, March 24, 2005 4:06 PM
To: users@directory.apache.org
Subject: RE: Can rules support dynamical role promotion?



> Vincent:
> I have done quite some research on RBAC these days. I found the most
> confusing point is how to define the policy to link a subject to an
> object. And that's what I am thinking what AuthX is doing.

If you mean that AuthX lets you specify rules that depend on the data
being accessed, the answer is yes. I don't know how to do that with RBAC.

> However, with a
> large user system with complicated rules, it seems that we need to define
> a rule syntax and schema, so we could exchange (import/export) between
> different systems.
> Am I right?

AuthX is just a framework for building a secure application. It's not a
spec ;-) That would have to be built on top of AuthX I suppose.

>
> Minggui
>
> -----Original Message-----
> From: Vincent Tence [mailto:vtence@videotron.ca]
> Sent: Monday, March 21, 2005 2:39 PM
> To: users@directory.apache.org
> Subject: Re: Can rules support dynamical role promotion?
>
>
>> Vincent:
>>
>> I come to realize Rule Based Access Control has much more advantages over
>> Role Based, for its flexibility and extensibility.
>
> I came to the same conclusion. When AuthX's ancestor was born at
> sourceforge, I came across the limitations of Role Based Access Control.
> I believe Rule Based is much more powerful but is harder to implement
> and configure.
>
>> But is there a clear
>> design rule on the Rules themselves?
>
> The only requirement for the rule is to vote on an authorization request.
> The Rule interface captures this:
>
> public interface Rule
> {
>     void evaluate( AuthorizationRequest request );
> }
>
>> RBAC is a standard and defines
>> hierarchical roles and SOD, but how could it be addressed inside the
>> Rule?
>
> The idea is that rules will use information contained in the Subject in
> the form of Principals to decide on an authorization request vote. What
> this means for Role Based Access Control is that the subject is populated
> with RolePrincipal(s) during the authentication process. Those principals
> will be subsequently used by the rules.
>
> Role hierarchy is really easy to implement this way. Have a look at the
> code in core/org.apache.authx.authentication.attribute and the example app
> for an application of this.
>
> Cheers,
> -- Vincent
>


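Added example, not code from the thread or from AuthX itself: it sketches the rule-voting design Vincent describes, with rules voting on an authorization request, RolePrincipals populated into the Subject at authentication time (so a role hierarchy is just an expansion step), one rule that depends on the data being accessed (what plain RBAC cannot express), and a separation-of-duty rule. Only the shape of the Rule interface comes from the thread; AuthorizationRequest, Vote, RolePrincipal, UserPrincipal, the decision policy and the rule bodies are hypothetical stand-ins. Assumes Java 9 or later.

```java
// Hypothetical illustration of rule-based authorization; not the AuthX API.
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class RuleVoteExample {

    /** Base class for the principals we put in the Subject (hypothetical). */
    static abstract class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass()
                && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
    }
    /** Role carried by the Subject, as the thread describes. */
    static final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }
    /** Identity of the authenticated user. */
    static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }

    enum Vote { GRANT, DENY, ABSTAIN }

    /** What a rule votes on: who, which action, on which object (hypothetical). */
    static final class AuthorizationRequest {
        final Subject subject;
        final String action;
        final Map<String, String> resource;   // attributes of the data being accessed
        final List<Vote> votes = new ArrayList<>();
        AuthorizationRequest(Subject subject, String action, Map<String, String> resource) {
            this.subject = subject; this.action = action; this.resource = resource;
        }
        void vote(Vote v) { votes.add(v); }
        boolean hasRole(String role) {
            return subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role));
        }
        boolean isUser(String user) {
            return subject.getPrincipals(UserPrincipal.class).contains(new UserPrincipal(user));
        }
    }

    /** Same shape as the Rule interface quoted in the thread. */
    interface Rule { void evaluate(AuthorizationRequest request); }

    // Rule 1: a plain role check over RolePrincipals populated at authentication.
    static final Rule editorsMayWrite = r -> {
        if (!r.action.equals("write")) { r.vote(Vote.ABSTAIN); return; }
        r.vote(r.hasRole("editor") ? Vote.GRANT : Vote.DENY);
    };

    // Rule 2: depends on the data being accessed: only the owner may delete.
    static final Rule ownerMayDelete = r -> {
        if (!r.action.equals("delete")) { r.vote(Vote.ABSTAIN); return; }
        r.vote(r.isUser(r.resource.get("owner")) ? Vote.GRANT : Vote.DENY);
    };

    // Rule 3: separation of duty: holding both roles forbids approving.
    static final Rule sodOnApprove = r -> {
        if (!r.action.equals("approve")) { r.vote(Vote.ABSTAIN); return; }
        r.vote(r.hasRole("requester") && r.hasRole("approver") ? Vote.DENY : Vote.ABSTAIN);
    };

    /** Decision policy (hypothetical): any DENY wins; otherwise one GRANT is required. */
    static boolean authorize(Subject s, String action, Map<String, String> res, List<Rule> rules) {
        AuthorizationRequest req = new AuthorizationRequest(s, action, res);
        for (Rule rule : rules) rule.evaluate(req);
        if (req.votes.contains(Vote.DENY)) return false;
        return req.votes.contains(Vote.GRANT);
    }

    /** Role hierarchy, expanded when the Subject is built: admin implies editor. */
    static final Map<String, List<String>> IMPLIED_ROLES = Map.of("admin", List.of("editor"));

    /** Stand-in for the authentication step that populates the Subject with principals. */
    static Subject authenticate(String user, String... roles) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        Deque<String> pending = new ArrayDeque<>(List.of(roles));
        while (!pending.isEmpty()) {
            String role = pending.pop();
            if (s.getPrincipals().add(new RolePrincipal(role)))      // new role: add what it implies
                pending.addAll(IMPLIED_ROLES.getOrDefault(role, List.of()));
        }
        return s;
    }

    public static void main(String[] args) {
        List<Rule> rules = List.of(editorsMayWrite, ownerMayDelete, sodOnApprove);
        Subject alice = authenticate("alice", "admin");                 // editor via the hierarchy
        Subject bob = authenticate("bob", "requester", "approver");     // conflicting roles
        Map<String, String> doc = Map.of("owner", "bob");               // constructed resource
        System.out.println("alice write:   " + authorize(alice, "write", doc, rules));
        System.out.println("bob write:     " + authorize(bob, "write", doc, rules));
        System.out.println("bob delete:    " + authorize(bob, "delete", doc, rules));
        System.out.println("alice delete:  " + authorize(alice, "delete", doc, rules));
        System.out.println("bob approve:   " + authorize(bob, "approve", doc, rules));
    }
}
```

The point to take from it is the one Vincent makes: the rules never see roles directly, only whatever principals authentication put in the Subject, so hierarchy and separation of duty are a property of how the Subject is populated and of which rules are installed, while the owner check shows a decision that needs the request's data and so has no RBAC equivalent.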