[rsbac] About ACCESS_CONTROL and SUPERVISOR rights

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Mon Jan 12 15:42:59 CET 2009


Thanks for your answers, Amon. I think this part of the handbook that
explains the RC model is a bit confusing:

– ACCESS_CONTROL: Change normal (old) access rights to this type for
your administrated roles
– SUPERVISOR: Change these new special rights to this type for your
administrated roles.

Can it be substituted by:

– ACCESS_CONTROL: Change non-security-related RSBAC access rights to
this type for your administrated roles.
– SUPERVISOR: Permits adding or removing security-related RSBAC rights
to this type for your administrated roles.

At first I thought MODIFY_PERMISSIONS_DATA and ACCESS_CONTROL were
redundant; it seems I was wrong.

2009/1/12 Amon Ott <ao at rsbac.org>:
> On Saturday 10 January 2009, Javier J. Martínez Cabezón wrote:
>> If I have one role named gerency_r that administers the roles Technician_r,
>> nurses_r and Doctor_r, Technician_r has write_only rights to
>> patient_data_t type, Doctor_r has read-write access granted to it and
>> nurses_r only read-only.
>> If secoff grants ACCESS_CONTROL right to patient_data to role
>> gerency_r then gerency_r could add or remove standard DAC rights
>> access to all data from this type involving these three roles, isn't it?
>
> ACCESS_CONTROL is for granting normal RSBAC rights.
>
> DAC rights would be MODIFY_PERMISSIONS_DATA and CHANGE_OWNER.
>
>> If secoff grants SUPERVISOR right to patient_data type to role
>> gerency_r then gerency_r could add or remove any RSBAC rights access
>> to this type involving these three roles. Is this correct?
>
> SUPERVISOR allows setting or revoking the RC special rights like
> ACCESS_CONTROL or SUPERVISOR itself.
>
> Amon.
> --
> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
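The split discussed in this thread, as an added example that is not part of the original messages and is not RSBAC code: a toy Python model in which ACCESS_CONTROL on a type guards changes to normal rights and SUPERVISOR guards changes to the special rights, both limited to administrated roles. The class and function names and the READ/WRITE right names are assumptions made for the illustration; the roles and type come from the quoted question.

```python
# Toy model of RC delegated administration, built only from the rules quoted
# in this thread. Class, method and READ/WRITE right names are illustrative.
SPECIAL_RIGHTS = {"ACCESS_CONTROL", "SUPERVISOR"}  # RC special rights named above

class RCModel:
    def __init__(self):
        self.rights = {}       # (role, type) -> set of rights the role holds
        self.admin_roles = {}  # administering role -> roles it administrates

    def held(self, role, ftype):
        return self.rights.setdefault((role, ftype), set())

    def may_change(self, actor, target, ftype, right):
        """May `actor` set or revoke `right` on `ftype` for role `target`?"""
        if target not in self.admin_roles.get(actor, set()):
            return False  # both special rights only reach administrated roles
        # Special rights are guarded by SUPERVISOR, normal ones by ACCESS_CONTROL.
        needed = "SUPERVISOR" if right in SPECIAL_RIGHTS else "ACCESS_CONTROL"
        return needed in self.held(actor, ftype)

    def change(self, actor, target, ftype, right, grant=True):
        if not self.may_change(actor, target, ftype, right):
            raise PermissionError(f"{actor} may not change {right} for {target}")
        if grant:
            self.held(target, ftype).add(right)
        else:
            self.held(target, ftype).discard(right)

def hospital():
    """Scenario from the quoted question; secoff's setup is applied directly."""
    m = RCModel()
    t = "patient_data_t"
    m.held("Technician_r", t).add("WRITE")
    m.held("Doctor_r", t).update({"READ", "WRITE"})
    m.held("nurses_r", t).add("READ")
    m.admin_roles["gerency_r"] = {"Technician_r", "nurses_r", "Doctor_r"}
    m.held("gerency_r", t).add("ACCESS_CONTROL")  # granted by secoff
    return m

if __name__ == "__main__":
    m, t = hospital(), "patient_data_t"
    m.change("gerency_r", "Technician_r", t, "READ")  # normal right: allowed
    print(m.may_change("gerency_r", "Doctor_r", t, "ACCESS_CONTROL"))  # denied
    m.held("gerency_r", t).add("SUPERVISOR")  # secoff adds SUPERVISOR
    print(m.may_change("gerency_r", "Doctor_r", t, "ACCESS_CONTROL"))  # allowed
```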