Policy summary
The top-level X.509 PMI RBAC Policy (PERMIS Policy) is composed of a number
of sub-policies, which are briefly presented below.
SubjectPolicy
The SubjectPolicy specifies the domains of users who may be granted roles
within the overall PMI policy and each domain is specified as an LDAP subtree.
In the testing policy, we have the following subject domains:
- Domain ID="student" with LDAPDN="ou=student,o=permisv5,c=gb", including LDAPDN="cn=dis,ou=admin,o=permisv5,c=gb" and excluding LDAPDN="cn=student5,ou=student,o=permisv5,c=gb"
- Domain ID="staff" with LDAPDN="ou=staff,o=permisv5,c=gb", including LDAPDN="cn=dis,ou=admin,o=permisv5,c=gb"
- Domain ID="admin" with LDAPDN="ou=admin,o=permisv5,c=gb"
RoleHierarchyPolicy
The RoleHierarchyPolicy defines the role hierarchies that are supported
by a specific RBAC policy. Each role hierarchy is specified as a set of
Superior-Subordinates attribute values. Each superior role can have multiple
subordinate roles, and each subordinate role may also be a superior.
In the testing policy, we have the following role hierarchies:
SOAPolicy
The SOAPolicy lists the LDAPDNs of the SOAs that are trusted to issue
roles to the subjects specified in the subject policy.
- SOA with ID="SOA" LDAPDN="cn=SOA, ou=admin, o=permisv5,c=GB"
RoleAssignmentPolicy
The RoleAssignmentPolicy specifies which roles can be assigned to which
subjects by which SOAs. For each role assignment, we also specify whether
the assigned roles can be delegated or not and whether there are any time
constraints on the assignment. The following is a brief summary of
the RoleAssignmentPolicy in our testing policy.
SOA is trusted to issue:
- role "Student" to subjects in the "student" domain (LDAPDN="ou=student,o=permisv5,c=gb"), valid from 2009-04-01 to 2019-04-01
- roles "Staff", "Reasearcher" and "Professor" to subjects in the "staff" domain (LDAPDN="ou=staff,o=permisv5,c=gb"), valid from 2009-02-01 to 2015-02-01
- role "Admin" to subjects in the "admin" domain (LDAPDN="ou=admin,o=permisv5,c=gb"), valid from 2009-01-01 to 2013-01-01
The SOA has unlimited delegation depth in the testing policy.
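As an added illustration (constructed here, not PERMIS's own code), the following Python evaluator encodes the testing policy's subject domains, trusted SOA and role assignments and decides whether a given role attribute is valid for a holder at a given date. Case-insensitive DN comparison, subtree semantics for Include/Exclude entries and inclusive validity dates are assumptions; delegation depth is not modelled.

```python
from datetime import date

# Constructed model of the testing policy summarised above (not PERMIS's own code).
# Assumptions: DN matching is case-insensitive on whole RDNs, Include/Exclude
# entries are LDAP subtrees like the domain base, and validity dates are inclusive.

def dn_parts(dn):
    """Split an LDAP DN into normalised RDNs, most specific first."""
    return [p.strip().lower() for p in dn.split(",")]

def in_subtree(dn, base):
    """True if dn is base itself or lies under it (base is a suffix of dn)."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b

# SubjectPolicy: domain -> (base subtree, Include subtrees, Exclude subtrees).
DOMAINS = {
    "student": ("ou=student,o=permisv5,c=gb",
                ["cn=dis,ou=admin,o=permisv5,c=gb"],
                ["cn=student5,ou=student,o=permisv5,c=gb"]),
    "staff": ("ou=staff,o=permisv5,c=gb", ["cn=dis,ou=admin,o=permisv5,c=gb"], []),
    "admin": ("ou=admin,o=permisv5,c=gb", [], []),
}

def in_domain(dn, domain):
    """Subject domain membership: exclusions win, then base or Include subtrees."""
    base, include, exclude = DOMAINS[domain]
    if any(in_subtree(dn, x) for x in exclude):
        return False
    return in_subtree(dn, base) or any(in_subtree(dn, x) for x in include)

# SOAPolicy: the only issuer trusted to assign roles.
TRUSTED_SOAS = ["cn=SOA, ou=admin, o=permisv5,c=GB"]

# RoleAssignmentPolicy: (roles, subject domain, valid from, valid to).
ASSIGNMENTS = [
    ({"Student"}, "student", date(2009, 4, 1), date(2019, 4, 1)),
    ({"Staff", "Reasearcher", "Professor"}, "staff", date(2009, 2, 1), date(2015, 2, 1)),
    ({"Admin"}, "admin", date(2009, 1, 1), date(2013, 1, 1)),
]

def role_assignment_allowed(issuer_dn, holder_dn, role, when):
    """Decide whether a role issued by issuer_dn to holder_dn is valid on `when`."""
    if not any(dn_parts(issuer_dn) == dn_parts(s) for s in TRUSTED_SOAS):
        return False  # issuer is not a trusted SOA
    return any(role in roles and in_domain(holder_dn, domain) and start <= when <= end
               for roles, domain, start, end in ASSIGNMENTS)
```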