[rsbac] Resources and Enhanced Role Compatibility
Jörg Lübbert
rsbac@rsbac.org
Mon Oct 28 14:38:01 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Amon Ott wrote:
> RC deliberately has single roles for subjects only. This avoids all the
> problems with mutually exclusive roles for separation of duty (including
> uncontrolled flow of information) and keeps the model simpler.
I don't see why two roles could exclude each other if they would only
add their rights to each other? If the negative role compatibility was
introduced then this might become a problem, but having negative role
compatibility would only be the second step I'd go. I personally am fine
if there were multiple roles adding their rights to a main role.
> My paper for the NordSec conference next week discusses this in a comparison
> to RBAC and DTE models. It will be published on rsbac.org after the
> conference. I already got people saying that RC model is too complex, so I
> will be very slow in adding more options.
What would you think about adding a completely new module called ERBAC
which is based on the RC module? This way the powerful RC module stays
the way it is without becoming more complex and the other module can
become even more complex and even more fine grained than RC currently
is? One could add my idea of negative/positive role comp there + the
idea about inherited rights to types.
I'm looking forward to reading your paper :)
> Again, it would make the model even more complex. Are you thinking of a type
> hierarchy, where rights to master types are inherited to subtypes as well?
I wasn't thinking that complicated in that case. Your idea btw sounds
pretty good (would be something for ERBAC?), but just like my idea very
hard to implement (and understand). I was just thinking of groups in
rsbac_menu so that administration and searching through the various
types becomes easier (one could maybe do the same for the roles, too).
- - Jörg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE9vStV4+zGoVB1iK8RAqoAAKDQCr7QDhJgR/wIpisrl2DSzAM6hgCfSmMn
jrg2ajGOXqd4GrluebKkRB8=2dHb
-----END PGP SIGNATURE-----