Posted to users@directory.apache.org by Mi...@ibi.com on 2005/03/21 17:30:40 UTC

Can rules support dynamical role promotion?

Vincent:

I have come to realize Rule Based Access Control has many more advantages over Role Based, for its flexibility and extensibility. But is there a clear design rule on the Rules themselves? RBAC is a standard and defines hierarchical roles and SOD, but how could it be addressed inside the Rule?

Thanks

Minggui


Re: Can rules support dynamical role promotion?

Posted by Vincent Tence <vt...@videotron.ca>.
> Vincent:
>
> I have come to realize Rule Based Access Control has many more advantages over
> Role Based, for its flexibility and extensibility.

I came to the same conclusion. When AuthX's ancestor was born at
SourceForge, I came across the limitations of Role Based Access Control.
I believe Rule Based is much more powerful but is harder to implement
and configure.

> But is there a clear
> design rule on the Rules themselves?

The only requirement for the rule is to vote on an authorization request.
The Rule interface captures this:

public interface Rule
{
    void evaluate( AuthorizationRequest request );
}

> RBAC is a standard and defines
> hierarchical roles and SOD, but how could it be addressed inside the Rule?

The idea is that rules will use information contained in the Subject in
the form of Principals to decide on an authorization request vote. What
this means for Role Based Access Control is that the subject is populated
with RolePrincipal(s) during the authentication process. Those principals
will be subsequently used by the rules.

Role hierarchy is really easy to implement this way. Have a look at the
code in core/org.apache.authx.authentication.attribute and the example app
for an application of this.

Cheers,
-- Vincent
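
How a rule could resolve a role hierarchy from the RolePrincipals held by the Subject, as an added example that is not code from AuthX or from this thread. Only the Rule signature is taken from the message above; RolePrincipal, AuthorizationRequest (with its grant() vote), RoleHierarchyRule and the role names are hypothetical stand-ins.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

class RoleHierarchyDemo {
    // Signature as shown in the message above.
    interface Rule { void evaluate(AuthorizationRequest request); }

    // Hypothetical stand-ins below; the real AuthX classes may differ.
    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    static final class AuthorizationRequest {
        final Subject subject; final String requiredRole;
        private boolean granted; // default deny until a rule votes to grant
        AuthorizationRequest(Subject s, String role) { subject = s; requiredRole = role; }
        void grant() { granted = true; }
        boolean isAllowed() { return granted; }
    }

    // Grants when a held role equals, or transitively inherits, the required role.
    static final class RoleHierarchyRule implements Rule {
        private final Map<String, Set<String>> juniors; // role -> roles it inherits
        RoleHierarchyRule(Map<String, Set<String>> juniors) { this.juniors = juniors; }

        public void evaluate(AuthorizationRequest req) {
            Deque<String> todo = new ArrayDeque<>();
            for (RolePrincipal p : req.subject.getPrincipals(RolePrincipal.class)) todo.push(p.getName());
            Set<String> seen = new HashSet<>();
            while (!todo.isEmpty()) {
                String role = todo.pop();
                if (!seen.add(role)) continue; // already visited: guards against cycles
                if (role.equals(req.requiredRole)) { req.grant(); return; }
                todo.addAll(juniors.getOrDefault(role, Set.of()));
            }
        }
    }

    public static void main(String[] args) {
        // Constructed hierarchy: admin inherits manager, manager inherits employee.
        Rule rule = new RoleHierarchyRule(Map.of("admin", Set.of("manager"), "manager", Set.of("employee")));
        Subject manager = new Subject();
        manager.getPrincipals().add(new RolePrincipal("manager")); // normally done at authentication
        for (String needed : List.of("employee", "manager", "admin")) {
            AuthorizationRequest req = new AuthorizationRequest(manager, needed);
            rule.evaluate(req);
            System.out.println("manager -> " + needed + ": " + req.isAllowed());
        }
    }
}
```

Inheritance only flows downward here, so the manager subject is granted the employee and manager checks but not the admin one.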