[ 
https://issues.apache.org/jira/browse/DIR-139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Emmanuel Lecharny closed DIR-139.
---------------------------------

    Assignee:     (was: Vincent Tence)

> Rewrite authorization to use a rule based strategy
> --------------------------------------------------
>
>                 Key: DIR-139
>                 URL: https://issues.apache.org/jira/browse/DIR-139
>             Project: Directory
>          Issue Type: New Feature
>          Components: sandbox
>            Reporter: Vincent Tence
>
> Currently, the focus on Role Based Access Control is too strong and the code 
> cannot accommodate other security policy needs. A better approach is to use a 
> rule based strategy.
> Rules are domain specific. A rule generally governs a set of permissions and 
> applies to a set of subjects. If a rule condition is satisfied, the 
> consequence is that the rule effect applies. Otherwise the rule is not 
> applicable or the rule effect is indeterminate. 
> Following are examples of rules:
> 1. A person is granted read access to medical files if the person's role is 
> Doctor
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is in role doctor
> Effect is grant permission
> 2. A person is denied read access to medical files if the person's role is 
> not doctor or indeterminate
> This rule content is:
> governs read access on medical files
> applies to all subjects
> Condition is subject is not in role doctor or subject's role is indeterminate
> Effect is deny permission
> Generally, the condition is evaluated based on attributes of the subject. In 
> the previous examples, prior to authorization, subject will be populated with 
> the required attributes (i.e. Doctor role).
> A policy will hold a set of rules and an algorithm for combining rule 
> effects. When multiple rule effects apply, a decision process needs to take 
> place.
> The Authorizer will base its final decision on the outcome of the different 
> applicable policies for the given permission and given subject.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
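
The rule, policy and authorizer model described in the issue above, as an added Python example that is not code from the Directory project. The deny-overrides combining algorithm, the fail-closed authorizer and all names (`Rule`, `Policy`, `authorize`, the `roles` subject attribute) are assumptions; the issue does not specify them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Effect(Enum):
    GRANT = "grant"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"
    INDETERMINATE = "indeterminate"

@dataclass(frozen=True)
class Rule:
    governs: tuple                               # (action, resource) the rule governs
    applies_to: Callable[[dict], bool]           # set of subjects the rule applies to
    condition: Callable[[dict], Optional[bool]]  # None: attributes missing, cannot decide
    effect: Effect

    def evaluate(self, subject, permission):
        if permission != self.governs or not self.applies_to(subject):
            return Effect.NOT_APPLICABLE
        outcome = self.condition(subject)
        if outcome is None:
            return Effect.INDETERMINATE
        return self.effect if outcome else Effect.NOT_APPLICABLE

def deny_overrides(effects):
    # Assumed combining algorithm: DENY wins, then an unresolved rule, then GRANT.
    for winner in (Effect.DENY, Effect.INDETERMINATE, Effect.GRANT):
        if winner in effects:
            return winner
    return Effect.NOT_APPLICABLE

@dataclass
class Policy:
    rules: list
    combine: Callable = deny_overrides
    def decide(self, subject, permission):
        return self.combine([r.evaluate(subject, permission) for r in self.rules])

def authorize(policies, subject, permission):
    # Assumed fail-closed authorizer: only an explicit combined GRANT permits.
    return deny_overrides([p.decide(subject, permission) for p in policies]) is Effect.GRANT

READ_MEDICAL = ("read", "medical files")
everyone = lambda s: True
roles = lambda s: s.get("roles")  # None when the attribute was never populated
# Rule 1 from the issue: grant if the subject is in role doctor.
rule1 = Rule(READ_MEDICAL, everyone, lambda s: None if roles(s) is None else "doctor" in roles(s), Effect.GRANT)
# Rule 2 from the issue: deny if not in role doctor or the role is indeterminate.
rule2 = Rule(READ_MEDICAL, everyone, lambda s: roles(s) is None or "doctor" not in roles(s), Effect.DENY)
MEDICAL_POLICY = Policy([rule1, rule2])
```

A subject whose roles were never populated makes rule 1 indeterminate while rule 2 still denies, so the combined decision is a deny rather than an open question.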
