Summary: This page compares key terms used in the XACML Domain model and the Signet project. The material within is intended to be used as a discussion starter for the Signet-dev/MACE-paccman work group to establish common language/terminology around Access Managment discussions.
As of May 2012, this page is also being used as helpful XACML reference for the project of modeling selected use cases using XACML terms.
(XACML Data Flow Model diagram, p. 17, [XACML].)
XACML |
Signet |
Comment |
---|---|---|
Subject |
Subject |
In XACML, the concept of "Group A can do x." is expressed as "An individual who is a member of group A can do x", "An individual with role A can do x." |
Resource |
Resource |
There isn't an explicit definition of "resource" in Signet documentation, but the term appears to be used in a way consistent with XACML's definition. |
Action |
Action |
There isn't an explicit definition of "resource" in Signet documentation, but the term appears to be used in a way consistent with XACML's definition. |
Condition |
Limit |
|
Rule |
Permission |
In XACML, a target is a set of resource, subject and action. Roughly translated, a rule is a statment of "<subject> is <Permitted/Denied> access to perform <action> on <resource> when <condition> is met". Note: a condition here may be "actor is a member of group X". |
Authorization decision |
Entitlement |
In XACML, an authorization decision is the resulting return value of evaluating a set of applicable policies. It basically is "Permit", "Deny", "Inderterminate", or "NotApplicable". If entitlement is used in the context of "asserting an entitlement value means the person is permitted to access a pre-determined, implied set of resources, then the presence of absence of particular entitlement value could be interpreted as an authorization decision. |
Policy, Policy Set |
Privileges |
They are not equivalent, but close... |
? |
Function |
|
[XACML] XACML 2.0 Core Specification
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
[Signet] Signet Concepts, Glossary, Features
https://wiki.internet2.edu/confluence/x/HRI
[Powerpoint] "Managing Roles and Privileges with Grouper and Signet Middleware"
http://www.internet2.edu/presentations/spring06/20060426-groupersignet-mcrae.ppt
[Diagram] "Integration Technologies for Grouper & Signet" Diagram
https://wiki.internet2.edu/confluence/download/attachments/3760/integration-02-sml.jpg