abac

问题 We are using WSO2 Identity Server 5.1.0 . We have a location hierarchy like Plant1->Area1->unit1. Now if a user is having attribute for the Plant1, he should get access to unit1 as well (all children of the parent in a tree). Can we specify this in XACML? We have the hierarchy stored in DB. We can provide the list of hierarchical elements as a list of attributes also if so required. Problem explained in sample : A user bob has been given access to area2 as shown below : Plant1 |--Area1 |-

问题 I have a C# .net application which servers both company's internal users and external customers. I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than a role-based authorization. What comes to my mind is to either: Implement my own authorization mechanism and sql tables for my .net application Use/implement a standard mechanism, like a software that has implemented XACML (for instance Axiomatics) The

问题 I've deployed an application based on Fiware generic enablers, in Docker. The versions are: Orion 1.14 Cygnus 1.9.0 Authzforce 5.4.1 Keyrock: the latest Pep-proxy: 7.0.1 but, when I want to create a permission in keyrock I can't find a specific syntax or character sequence to enter a dynamic resource in the resource field like: /resource1/<user>/info , or to specify only the resource prefix like: /resource2/<whatever> . Really exists the syntax for the dynamic resource and authzforce can

问题 I’m looking for an example or best practices for a RBAC system with two parameters. Rather than simply having a user associated with a role, and that role associated with a group of permissions; a user can be associated with a role “for a specific project,” and the user can then have the permissions of that role for that project only (or for other projects that the user holds that role for). A user can have a specific role on one project, and a different role on another project; the

问题 I am trying out Attribute based access control using GoLang and facing an issue in getting the attribute in the chaincode. I'm using cid.GetAttributeValue() function and the function returns nothing. It prints blank and the found variable is set to false. The things I have done are: Registered a user defined attribute named "firstName" with value "*" to the admin. (Also tried setting it to a specific value) Enrolled that admin to the network Registered and enrolled the user with the same

问题 Let's say I have a collection transactions and a policy that grants read access to a transaction within that collection for users with the role user , if the user's department is the same as the on of the record. The Problem: If I access single resources I have no problem checking access per resource. But if I want to enumerate/ list the whole collection I would need to check each and every item in the collection which is not efficient (especially if you amount of entries is "high"). It would

问题 We are using WSO2 IS as the Identity Bus for our solutions. We make REST API in WSO2 ESB to implement our Integration and use OAuth mediator in that to securing our API. in WSO2 IS we create a service provider as sp1 and apply XACML policy to that. I want to create XACML policy to permit incoming requests just when client_ip is xxx.xxx.xxx.xxx and request URI is http://wso2ESB.uri/sampleApi/app and method is GET . please help me to make this XACML policy in WSO2 IS. 回答1: Currently WSO2

问题 I am getting " Policy uploading failed. Invalid Entitlement Policy. Policy is not valid according to XACML schema " message, whenever i am uploading policy in WSO2 identity server. I have wso2is-5.1.0 version. I got this XACML policy from this WSO2 tutorial. The XACML policy is: <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Entitlement_Filter_Sample_Policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">

问题 I have a brand new Rails api based application, where i need to implement authorization. Overall Architecture: React frontend -> Rails API layer -> Rails model/server layer While exploring different approaches, I have got a confusion. Should we put the authorization logic in API layer or Service layer? API Layer Approach: We will build some authorization middleware that will sit between our front end and API layer and all our api calls will be routed thorough the authorization middleware to

问题 How does an access control mechanism (e.g., RBAC or ABAC) protect resources? I know how access control mechanisms such as RBAC, ABAC and so on work. In other words, I know how the access control engine evaluates requests and makes decisions (permit, deny, etc.). But, I do not know how they protect the resources. I mean, how does, for example, ABAC enforce a Deny decision? Are the resources encrypted? Or are they stored in a secure database? 回答1: RBAC and ABAC work in different ways to achieve