Ersin Er wrote:
> These can be extended to the following entities:
>
> Policies
> Subjects
> Rules
> Conditions
Where is this from? Is this SUN's commercialized names for things they
have in their access control manager?
Well, these are not only SUN's terminology but generic entity
descriptors that need to be provided by a powerful access control
system.
What we call Users and Roles in Triplesec can be extended to the term
Subject.
We don't have anything like Rules, although we must have. We just use
abstract strings as David said. But this is not for controlling access
but for storing abstract permission information.
And Conditions are still a required property. Beyond selecting the
subjects and resources, we may need to satisfy more conditions like
Authentication Level, IP Address, LDAP Filter, Time etc.
These are all also proposed by the NIST spec and XACML.
Good point.
A permission could indeed be temporal or subject to other bizrules.
-- stephane
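The entity model discussed in this thread (Subjects with roles, Rules that bind an abstract permission string to those roles, and Conditions on authentication level, source IP and time that a Rule must additionally satisfy) can be made concrete with a small deny-by-default evaluator. The following is an added illustration written for this thread, not Triplesec code and not XACML; every class name, the numeric authentication-level scale and the sample policy are constructed assumptions. The LDAP Filter condition mentioned above is deliberately left out because it needs a live directory to evaluate.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Hypothetical model (not Triplesec's classes): a Subject is a user plus roles.
@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset

# One access request; auth_level uses a constructed scale:
# 0 = anonymous, 1 = password, 2 = multi-factor.
@dataclass(frozen=True)
class Request:
    subject: Subject
    permission: str   # abstract permission string, e.g. "ldap:modify"
    auth_level: int
    source_ip: str
    now: time

# Conditions: each one answers "does this request satisfy me?"
@dataclass(frozen=True)
class MinAuthLevel:
    level: int
    def holds(self, req: Request) -> bool:
        return req.auth_level >= self.level

@dataclass(frozen=True)
class FromNetwork:
    cidr: str
    def holds(self, req: Request) -> bool:
        return ip_address(req.source_ip) in ip_network(self.cidr)

@dataclass(frozen=True)
class WithinHours:
    start: time
    end: time
    def holds(self, req: Request) -> bool:
        return self.start <= req.now < self.end

# A Rule binds a permission string to roles, guarded by zero or more conditions.
@dataclass(frozen=True)
class Rule:
    permission: str
    roles: frozenset
    conditions: tuple = ()

    def applies(self, req: Request) -> bool:
        return req.permission == self.permission and bool(self.roles & req.subject.roles)

    def failing_condition(self, req: Request):
        for cond in self.conditions:
            if not cond.holds(req):
                return cond
        return None

# A Policy is an ordered list of rules; access is denied unless some applicable
# rule has all of its conditions satisfied. The reason string is what an audit
# log should record so a reviewer can see *why* a request was refused.
@dataclass
class Policy:
    rules: list

    def decide(self, req: Request) -> tuple:
        applicable = [r for r in self.rules if r.applies(req)]
        if not applicable:
            return ("deny", "no rule grants %r to roles %s"
                    % (req.permission, sorted(req.subject.roles)))
        for rule in applicable:
            failed = rule.failing_condition(req)
            if failed is None:
                return ("permit", "rule for %r satisfied" % rule.permission)
        return ("deny", "condition failed: %r" % (failed,))

# Constructed sample policy: admins may modify only with MFA, from the internal
# network, during working hours; any user may search with no extra conditions.
POLICY = Policy(rules=[
    Rule("ldap:modify", frozenset({"admin"}),
         (MinAuthLevel(2), FromNetwork("10.0.0.0/8"), WithinHours(time(9), time(17)))),
    Rule("ldap:search", frozenset({"user", "admin"})),
])

ADMIN = Subject("alice", frozenset({"admin", "user"}))
USER = Subject("bob", frozenset({"user"}))

def evaluate(subject, permission, auth_level, source_ip, now) -> tuple:
    return POLICY.decide(Request(subject, permission, auth_level, source_ip, now))

if __name__ == "__main__":
    for args in [(ADMIN, "ldap:modify", 2, "10.1.2.3", time(10)),
                 (ADMIN, "ldap:modify", 2, "10.1.2.3", time(22)),
                 (ADMIN, "ldap:modify", 1, "10.1.2.3", time(10)),
                 (USER, "ldap:modify", 2, "10.1.2.3", time(10)),
                 (USER, "ldap:search", 1, "203.0.113.7", time(3))]:
        print(args[0].name, args[1], "->", evaluate(*args))
```

The point the thread makes shows up in the decisions: a permission string alone (Triplesec's "abstract strings") only selects the rule; whether the same admin is permitted depends on the temporal and network conditions attached to it, and the evaluator reports which condition blocked the request rather than just returning a bare deny.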