shibboleth-dev - Re: Access Policy strawman
Shibboleth Developers list archive
- From: Noah Levitt <>
- To: Scott Cantor <>
- Subject: Re: Access Policy strawman
- Date: Thu, 3 Jun 2004 18:59:58 -0400
On Thu, Jun 03, 2004 at 18:40:24 -0400, Scott Cantor wrote:
>
> > Below are some samples of an xml syntax that seems to me to
> > cover the basic requirements. Each <AccessPolicy> would be
> > associated with an application and one or more identity
> > providers in shibboleth.xml.
>
> I think access policy has to go way beyond the application level down to the
> document level. Put another way, the application is just a unit of session
> management, not an authorization boundary. This assumes static access
> control is viable at all, which is not true in my experience except for the
> case of documents. And in such a case, the policy often varies by document,
> which is why web servers enforce rules down to that level, and I think we
> have to honor that requirement if we're going to say "don't use htaccess, use
> this instead".
In the third example I have different documents ("Resource"s, I called them) with different access requirements. I think it's good to put it down this far in the hierarchy so that there doesn't have to be a separate contract for each document in the application.
<AccessPolicy id="template-policy-cero">
  <Description>Sample policy 3.</Description>
  <ServiceLevel name="Basic">
    <Description>Access to each e-seminar.</Description>
    <!-- Perhaps have an alternative element here that points to a directory
         from which to load *.xml, each of which is a <Resource>...</Resource>. -->
    <Resource location="https://cero.columbia.edu/0201" satisfy="any">
      <Attribute id="http://columbia.edu/shibboleth/federation/attributes/resource"
                 value="DKV.CI.0201" />
      <Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 value="member" scope="columbia.edu" />
    </Resource>
    <Resource location="https://cero.columbia.edu/0202" satisfy="any">
      <Attribute id="http://columbia.edu/shibboleth/federation/attributes/resource"
                 value="DKV.CI.0202" />
      <Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 value="member" scope="columbia.edu" />
    </Resource>
    <Resource location="https://cero.columbia.edu/0203" satisfy="any">
      <Attribute id="http://columbia.edu/shibboleth/federation/attributes/resource"
                 value="DKV.CI.0203" />
      <Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 value="member" scope="columbia.edu" />
    </Resource>
    <!-- &c. -->
  </ServiceLevel>
</AccessPolicy>
Noah
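The message above proposes the syntax but does not say how an enforcement point would evaluate it. The following is an added example, not code from the thread or from the Shibboleth project: a small evaluator for the strawman <AccessPolicy> that takes a requested URL plus the user's released attributes and returns allow or deny. Everything about the semantics is an assumption made here: a <Resource> covers a URL only on a path boundary (so ".../0201" does not cover ".../02010"), the most specific matching <Resource> wins, a URL no <Resource> covers is denied, a scoped attribute is compared as the single token "value@scope" so a "member" from another domain cannot satisfy a columbia.edu requirement, satisfy="any" means at least one <Attribute> must match, and satisfy="all" (a value the message never shows) is assumed as the complement. The policy text and user attribute sets below are constructed for the example.

```python
"""Evaluator for the <AccessPolicy> strawman syntax (added example; semantics assumed)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RES = "http://columbia.edu/shibboleth/federation/attributes/resource"
SCOPED = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

# Constructed policy modelled on the message. The 0202 rule uses satisfy="all",
# which the message does not show; it is assumed here as the complement of "any".
POLICY_XML = f"""\
<AccessPolicy id="template-policy-cero">
  <ServiceLevel name="Basic">
    <Resource location="https://cero.columbia.edu/0201" satisfy="any">
      <Attribute id="{RES}" value="DKV.CI.0201"/>
      <Attribute id="{SCOPED}" value="member" scope="columbia.edu"/>
    </Resource>
    <Resource location="https://cero.columbia.edu/0202" satisfy="all">
      <Attribute id="{RES}" value="DKV.CI.0202"/>
      <Attribute id="{SCOPED}" value="member" scope="columbia.edu"/>
    </Resource>
  </ServiceLevel>
</AccessPolicy>
"""


@dataclass
class Requirement:
    attr_id: str
    value: str
    scope: Optional[str] = None  # present only for scoped attributes

    def holds(self, user_attrs: Dict[str, Set[str]]) -> bool:
        # Assumed: a scoped requirement is one token "value@scope", so
        # "member@mit.edu" cannot satisfy member/columbia.edu.
        want = f"{self.value}@{self.scope}" if self.scope else self.value
        return want in user_attrs.get(self.attr_id, set())


@dataclass
class ResourceRule:
    location: str
    satisfy: str
    requirements: List[Requirement] = field(default_factory=list)

    def covers(self, url: str) -> bool:
        # Assumed: match only on a path boundary; a bare prefix test would let
        # ".../0201" cover ".../02010".
        return url == self.location or url.startswith(self.location.rstrip("/") + "/")

    def permits(self, user_attrs: Dict[str, Set[str]]) -> bool:
        if not self.requirements:
            return False  # a <Resource> with no <Attribute> grants nothing
        results = [r.holds(user_attrs) for r in self.requirements]
        if self.satisfy == "any":
            return any(results)
        if self.satisfy == "all":
            return all(results)
        raise ValueError(f"unknown satisfy value {self.satisfy!r}")  # fail closed


def load_policy(xml_text: str) -> List[ResourceRule]:
    """Parse every <Resource> under the policy into a rule; satisfy defaults to "all" (assumed)."""
    root = ET.fromstring(xml_text)
    rules = []
    for res in root.iter("Resource"):
        reqs = [Requirement(a.attrib["id"], a.attrib["value"], a.attrib.get("scope"))
                for a in res.findall("Attribute")]
        rules.append(ResourceRule(res.attrib["location"], res.attrib.get("satisfy", "all"), reqs))
    return rules


def evaluate(rules: List[ResourceRule], url: str, user_attrs: Dict[str, Set[str]]) -> bool:
    """Allow only if the most specific <Resource> covering the URL permits the user.
    A URL that no <Resource> covers is denied (default deny)."""
    matching = [r for r in rules if r.covers(url)]
    if not matching:
        return False
    rule = max(matching, key=lambda r: len(r.location))
    return rule.permits(user_attrs)


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    columbia_member = {SCOPED: {"member@columbia.edu"}}
    print(evaluate(policy, "https://cero.columbia.edu/0201/lecture1.html", columbia_member))
    print(evaluate(policy, "https://cero.columbia.edu/02010", columbia_member))
```

Two points the code makes that the XML alone does not: the <Resource> location must be matched on a path boundary, or the policy for seminar 0201 silently covers any later seminar whose code begins with those digits, and the scoped affiliation has to be compared together with its scope, or any federation member's "member" value unlocks Columbia's content.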