Posted to dev@directory.apache.org by "Vincent Tence (JIRA)" <di...@incubator.apache.org> on 2004/11/19 03:36:27 UTC

[jira] Resolved: (DIRJANUS-23) Rewrite authorization to use a rule based strategy

     [ http://nagoya.apache.org/jira/browse/DIRJANUS-23?page=history ]
     
Vincent Tence resolved DIRJANUS-23:
-----------------------------------

    Resolution: Fixed

Implemented in sandbox

> Rewrite authorization to use a rule based strategy
> --------------------------------------------------
>
>          Key: DIRJANUS-23
>          URL: http://nagoya.apache.org/jira/browse/DIRJANUS-23
>      Project: Directory Janus
>         Type: Improvement
>   Components: Core
>     Reporter: Vincent Tence
>     Assignee: Vincent Tence

>
> Currently, the focus on Role Based Access Control is too strong and the code cannot accommodate other security policy needs. A better approach is to use a rule based strategy.
> Rules are domain specific. A rule generally governs a set of permissions and applies to a set of subjects. If a rule condition is satisfied, the consequence is that the rule effect applies. Otherwise the rule is not applicable or the rule effect is indeterminate. 
> Following are examples of rules:
> 1. A person is granted read access to medical files if the person's role is Doctor
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is in role doctor
> Effect is grant permission
> 2. A person is denied read access to medical files if the person's role is not doctor or indeterminate
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is not in role doctor or subject's role is indeterminate
> Effect is deny permission
> Generally, the condition is evaluated based on attributes of the subject. In the previous examples, prior to authorization, the subject will be populated with the required attributes (i.e. Doctor role).
> A policy will hold a set of rules and an algorithm for combining rule effects. When multiple rule effects apply, a decision process needs to take place.
> The Authorizer will base its final decision on the outcome of the different applicable policies for the given permission and given subject.

-- 
This message is automatically generated by JIRA.
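The rule, policy and authorizer model sketched in the issue, as an added illustration (not code from the issue or from Directory Janus): a rule governs a permission set, applies to a subject scope, evaluates a condition over subject attributes and yields grant, deny, not-applicable or indeterminate; a policy combines its rules' effects. Representing the subject as an attribute dict and using a deny-overrides combining algorithm are assumptions, since the issue fixes neither.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Effect(Enum):
    GRANT = "grant"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"  # rule does not govern, or condition is false
    INDETERMINATE = "indeterminate"    # condition could not be decided

@dataclass
class Rule:
    governs: set                                 # permissions the rule governs
    applies_to: Callable[[dict], bool]           # subject scope (subject = attribute dict, assumed)
    condition: Callable[[dict], Optional[bool]]  # None = cannot be decided
    effect: Effect                               # GRANT or DENY when the condition holds
    def evaluate(self, subject: dict, permission: str) -> Effect:
        if permission not in self.governs or not self.applies_to(subject):
            return Effect.NOT_APPLICABLE
        try:
            verdict = self.condition(subject)
        except (KeyError, TypeError):            # missing or malformed attribute
            verdict = None
        if verdict is None:
            return Effect.INDETERMINATE
        return self.effect if verdict else Effect.NOT_APPLICABLE

def deny_overrides(effects) -> Effect:
    """Assumed combining algorithm: an explicit DENY beats GRANT, which beats INDETERMINATE."""
    for e in (Effect.DENY, Effect.GRANT, Effect.INDETERMINATE):
        if e in effects:
            return e
    return Effect.NOT_APPLICABLE

@dataclass
class Policy:
    rules: list
    def decide(self, subject: dict, permission: str) -> Effect:
        return deny_overrides([r.evaluate(subject, permission) for r in self.rules])

def authorize(policies, subject: dict, permission: str) -> bool:
    """Authorizer: only an explicit GRANT across the applicable policies allows the action."""
    return deny_overrides([p.decide(subject, permission) for p in policies]) is Effect.GRANT

# The two example rules from the issue, over the "read medical files" permission (constructed names).
READ_MEDICAL = "read:medical-files"
is_doctor = lambda s: s["role"] == "Doctor" if "role" in s else None   # None = role indeterminate
MEDICAL_POLICY = Policy([
    Rule({READ_MEDICAL}, lambda s: True, is_doctor, Effect.GRANT),
    Rule({READ_MEDICAL}, lambda s: True, lambda s: is_doctor(s) in (False, None), Effect.DENY),
])
```

A subject with no role attribute makes the first rule indeterminate and the second rule an explicit deny, so deny-overrides refuses access rather than falling through.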