You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Vincent Tence (JIRA)" <di...@incubator.apache.org> on 2004/11/19 03:36:27 UTC
[jira] Resolved: (DIRJANUS-23) Rewrite authorization to use a rule based strategy
[ http://nagoya.apache.org/jira/browse/DIRJANUS-23?page=history ]
Vincent Tence resolved DIRJANUS-23:
-----------------------------------
Resolution: Fixed
Implemented in sanbox
> Rewrite authorization to use a rule based strategy
> --------------------------------------------------
>
> Key: DIRJANUS-23
> URL: http://nagoya.apache.org/jira/browse/DIRJANUS-23
> Project: Directory Janus
> Type: Improvement
> Components: Core
> Reporter: Vincent Tence
> Assignee: Vincent Tence
>
> Currently, the focus on Role Based Access Control is too strong and the code cannot accomodate other security policy needs. A better approach is to use a rule based strategy.
> Rules are domain specific. A rule generally governs a set of permissions and applies to a set of subjects. If a rule condition is satisfied, the consequence is that the rule effect applies. Otherwise the rule is not applicable or the rule effect is indeterminate.
> Following are examples of rules:
> 1. A person is granted read access to medical files if the person's role is Doctor
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is in role doctor
> Effect is grant permission
> 2. A person is denied read access to medical files if the person's role is not doctor or indeterminate
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is not in role doctor or subject's role is indeterminate
> Effect is deny permission
> Generally, the condition is evaluated based on attributes of the subject. In the previous examples, prior to authorization, subject will be populated with the required attributes (i.e Doctor role).
> A policy will hold a set of rules and an algorithm for combining rule effects. When multiple rule effects apply, a decision process needs to take place.
> The Authorizer will based its final decision on outcome of the different applicable policies for the given permission and given subject.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://nagoya.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira