Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Access Control Teleconf 20080520"
(New page: Notes from 20080509 Teleconf * What is in the authZ Subject ID? ** should be able to specify "age is 21 or greater" ** Duane: in xacml the subject or resource can be by name or by query (...) |
|||
| Line 6: | Line 6: | ||
*** The query form becomes fairly unmanageable to write by hand | *** The query form becomes fairly unmanageable to write by hand | ||
** Drummond: could we just use rdf triples? would that be sufficient? | ** Drummond: could we just use rdf triples? would that be sufficient? | ||
| + | ** Let's make some statements about what an AuthN Materials results in: | ||
| + | *** AuthN Materials (when successfully authenticated) will result in entities (virtual or not) that follow the Higgins Data Model. | ||
| + | **** This way, we can make statements like "age => 21" in an access control policy statement's subject identifier or resource identifier. | ||
| + | * How do we say "the subject is anyone as long as they are authenticated"? | ||
| + | ** This might require another bit of data on an access control statement. | ||
| + | *** XACML has something called "conditions" | ||
| + | * What are the semantics of "policy combining"? | ||
| + | ** This is when different policies make (perhaps conflicting) statements regarding a subject or resource. | ||
| + | ** In XACML, there is a policy set for each PDP. A policy set contains policies and perhaps further policy sets. In addition, it has combination rules. | ||
| + | * How does an app know what can be placed in a given CP's AuthZ policy statement? | ||
| + | ** What kinds of actions, conditions, subjects, resources... can be managed? | ||
| + | ** Given a resource and subject, what actions are allowed? | ||
Latest revision as of 15:46, 23 May 2008
Notes from 20080509 Teleconf
- What is in the authZ Subject ID?
- should be able to specify "age is 21 or greater"
- Duane: in xacml the subject or resource can be by name or by query (ie attribute values)
- The query form becomes fairly unmanageable to write by hand
- Drummond: could we just use rdf triples? would that be sufficient?
- Let's make some statements about what an AuthN Materials results in:
- AuthN Materials (when successfully authenticated) will result in entities (virtual or not) that follow the Higgins Data Model.
- This way, we can make statements like "age => 21" in an access control policy statement's subject identifier or resource identifier.
- AuthN Materials (when successfully authenticated) will result in entities (virtual or not) that follow the Higgins Data Model.
- How do we say "the subject is anyone as long as they are authenticated"?
- This might require another bit of data on an access control statement.
- XACML has something called "conditions"
- This might require another bit of data on an access control statement.
- What are the semantics of "policy combining"?
- This is when different policies make (perhaps conflicting) statements regarding a subject or resource.
- In XACML, there is a policy set for each PDP. A policy set contains policies and perhaps further policy sets. In addition, it has combination rules.
- How does an app know what can be placed in a given CP's AuthZ policy statement?
- What kinds of actions, conditions, subjects, resources... can be managed?
- Given a resource and subject, what actions are allowed?