Access Control Teleconf 20080520
Notes from 20080509 Teleconf
- What is in the authZ Subject ID?
- Should be able to specify "age is 21 or greater"
- Duane: in XACML the subject or resource can be by name or by query (i.e. attribute values)
- The query form becomes fairly unmanageable to write by hand
- Drummond: could we just use RDF triples? Would that be sufficient?
- Let's make some statements about what AuthN Materials result in:
- AuthN Materials (when successfully authenticated) will result in entities (virtual or not) that follow the Higgins Data Model.
- This way, we can make statements like "age => 21" in an access control policy statement's subject identifier or resource identifier.
- How do we say "the subject is anyone as long as they are authenticated"?
- This might require another bit of data on an access control statement.
- XACML has something called "conditions"
- What are the semantics of "policy combining"?
- This is when different policies make (perhaps conflicting) statements regarding a subject or resource.
- In XACML, there is a policy set for each PDP. A policy set contains policies and perhaps further policy sets. In addition, it has combination rules.
- How does an app know what can be placed in a given CP's AuthZ policy statement?
- What kinds of actions, conditions, subjects, resources... can be managed?
- Given a resource and subject, what actions are allowed?
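
The subject and policy-combining questions above, worked through as an added sketch that is not Higgins or XACML code: subjects are predicates over the authenticated entity's attributes, and conflicting policies are resolved by a named combining algorithm. The policy model, the `bar-menu` resource, the `banned` attribute and the sample entities are constructed assumptions; only the three algorithm names come from XACML.

```python
# Simplified model (assumption): not XACML syntax, not a Higgins API, and
# without XACML's Indeterminate result. All names and data are constructed.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Policy:
    subject: Callable[[dict], bool]  # predicate over the authenticated entity's attributes
    resource: str
    actions: frozenset
    effect: str                      # "Permit" or "Deny"

    def evaluate(self, entity, resource, action):
        applies = (resource == self.resource and action in self.actions
                   and self.subject(entity))
        return self.effect if applies else "NotApplicable"

def age_at_least(n):
    # A missing or non-integer age never matches, so the rule fails closed.
    return lambda e: type(e.get("age")) is int and e["age"] >= n

def any_authenticated(e):
    # "The subject is anyone as long as they are authenticated."
    return e.get("authenticated") is True

def combine(algorithm, policies, entity, resource, action):
    decisions = [p.evaluate(entity, resource, action) for p in policies]
    if algorithm == "first-applicable":
        order = decisions            # policy order decides
    elif algorithm == "deny-overrides":
        order = sorted(decisions, key=["Deny", "Permit", "NotApplicable"].index)
    elif algorithm == "permit-overrides":
        order = sorted(decisions, key=["Permit", "Deny", "NotApplicable"].index)
    else:
        raise ValueError(f"unknown combining algorithm: {algorithm}")
    return next((d for d in order if d != "NotApplicable"), "NotApplicable")

def allowed_actions(algorithm, policies, entity, resource):
    # Given a resource and subject, which actions are allowed?
    candidates = sorted({a for p in policies if p.resource == resource for a in p.actions})
    return [a for a in candidates
            if combine(algorithm, policies, entity, resource, a) == "Permit"]

POLICIES = [  # constructed sample policy set
    Policy(any_authenticated, "bar-menu", frozenset({"read"}), "Permit"),
    Policy(age_at_least(21), "bar-menu", frozenset({"order"}), "Permit"),
    Policy(lambda e: e.get("banned") is True, "bar-menu", frozenset({"order"}), "Deny"),
]
ALICE = {"authenticated": True, "age": 30, "banned": True}
BOB = {"authenticated": True, "age": 19}
```

For `ALICE` the second and third policies conflict on `order`, so the outcome depends entirely on the combining algorithm chosen for the policy set.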