I'm going through Bob Blakley's and Carol's proposals. They both, as far as I
understand, use the following control flow:
1. Obtain all privileges and effective rights -- dynamic and not dynamic
(although, correctly speaking, all privileges are dynamic, including those that
a principal receives after authentication).
2. Obtain required rights
3. Try to match required rights and effective rights. Authorize if the match is
successful and deny authorization otherwise.
Required rights come as a sequence with a combinator, which determines if all
or any required rights are required to be matched against effective rights.
Now the issue:
Taking into account that the authorization rule language in HRAC is expected,
at least by me, to be richer in its expressiveness than the one provided by the
CORBA security access model, I contend that a simple expression of required
rights (such as "A or B or C or D" or "A and B and C and D") would not suffice.
I believe that more complex expressions should be allowed.
Proposal to resolve the issue:
replace Bob's IDL code:
interface HRACRequiredRights
{
    void get_required_rights(
        in  Resource                   resource,
        in  CORBA::Identifier          operation_name,
        out Security::RightsList       rights,
        out Security::RightsCombinator rights_combinator
    );
};
with the following:
// A node of the required-rights tree: the rights listed directly in this
// node and the results of its child expressions are combined with
// `combinator` (all / any). IDL permits this recursive definition through
// the anonymous sequence.
struct RightsExpression {
    Security::RightsList             rights;
    sequence<RightsExpression>       children;
    Security::RightsCombinator       combinator;
};

interface HRACRequiredRights
{
    void get_required_rights(
        in  Resource          resource,
        in  CORBA::Identifier operation_name,
        out RightsExpression  rights
    );
};
The proposed change would allow constructing required-rights expressions in
which "and" and "or" can be combined.
The attached picture shows an example of a tree that the proposed change would
allow one to construct.
What do you, Bob and others, think?
Konstantin
RightsExpressionIllustration.gif
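As an added illustration that is not part of the original message or of any OMG specification, the following Python models the proposed RightsExpression tree and the third step of the control flow described above (matching required rights against effective rights). It is an assumption of this example that rights are plain strings rather than CORBA Security Right structs, that the two combinator values are named after the CORBA Security enum members SecAllRights and SecAnyRight, and that an empty node (no rights, no children) is a policy error: evaluating such a node under "all" would grant access to every principal, so the evaluator refuses it and the authorize() wrapper fails closed. The example also shows that the flat (rights list, combinator) form from the original IDL is just a tree with no children.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List


class RightsCombinator(Enum):
    """Named after the CORBA Security combinator values (assumed mapping)."""
    SecAllRights = "all"
    SecAnyRight = "any"


@dataclass
class RightsExpression:
    """Python stand-in for the proposed IDL struct; rights are plain strings here."""
    rights: List[str] = field(default_factory=list)
    children: List["RightsExpression"] = field(default_factory=list)
    combinator: RightsCombinator = RightsCombinator.SecAllRights


def is_satisfied(expr: RightsExpression, effective: FrozenSet[str]) -> bool:
    """Return True iff the principal's effective rights satisfy the expression tree.

    A node combines its own required rights and the results of its child
    expressions with its combinator. An empty node is rejected rather than
    evaluated, because an empty "all" node would otherwise be vacuously true.
    """
    if not expr.rights and not expr.children:
        raise ValueError("empty RightsExpression node: refusing to evaluate")
    outcomes = [r in effective for r in expr.rights]
    outcomes += [is_satisfied(child, effective) for child in expr.children]
    if expr.combinator is RightsCombinator.SecAllRights:
        return all(outcomes)
    return any(outcomes)


def authorize(expr: RightsExpression, effective: FrozenSet[str]) -> bool:
    """Step 3 of the control flow: grant only on a successful match, deny otherwise.

    A malformed policy tree is treated as a deny (fail closed).
    """
    try:
        return is_satisfied(expr, effective)
    except ValueError:
        return False


def flat_required(rights: List[str], combinator: RightsCombinator) -> RightsExpression:
    """The (RightsList, RightsCombinator) pair of the original IDL as a childless tree."""
    return RightsExpression(rights=list(rights), combinator=combinator)


# Constructed example tree: (A and B) or (C and D), the kind of mixed
# and/or expression the flat form cannot express.
REQUIRED = RightsExpression(
    combinator=RightsCombinator.SecAnyRight,
    children=[
        RightsExpression(rights=["A", "B"]),  # defaults to "all"
        RightsExpression(rights=["C", "D"]),
    ],
)


if __name__ == "__main__":
    for held in ({"A", "B"}, {"A", "C"}, {"C", "D", "X"}):
        print(sorted(held), "->", authorize(REQUIRED, frozenset(held)))
    print("empty policy ->", authorize(RightsExpression(), frozenset({"A"})))
```

Because every node evaluates its listed rights and its children with the same combinator, a flat "A or B or C or D" policy and a nested policy are handled by the same evaluator; the tree only adds the ability to nest an "all" under an "any" and vice versa.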