ietf-wg-mimi / mimi-protocol

Combined output from the MIMI Design Team

Shape of policy #29

Open turt2live opened 12 months ago

turt2live commented 12 months ago

Incorporate mahy-group-chat and ralston-policy documents, deduplicate ideas.

turt2live commented 12 months ago

Related questions include how to communicate the policy to servers/users. This could be an IANA registry to contain descriptors for policy as a whole.

rohanmahy commented 3 months ago

Presented at IETF120 on draft-mahy-mimi-room-policy as a strawperson policy concept.

Noted that ABAC (Attribute-based access control) was not universally understood and it was unclear if what I proposed is role-based or attribute-based. There are not fixed roles, but it could still be described as role-based by some reasonable definition.

turt2live commented 3 months ago

fwiw, at the meeting I was mostly using the Wikipedia article on ABAC to compare it to RBAC. Wikipedia is far from the definition authority here, but doesn't make any effort to distinguish RBAC as needing fixed or dynamic roles to qualify, indicating that at least the general population wouldn't make that distinction.

I think both ABAC and RBAC are probably fine approaches, though we should decide on what the policy actually needs to cover before trying to fit a structure onto it. We may find that as we work through what actually needs enforcing, those permissions do (or don't) require significant structure like dynamic roles.

or tldr: I think we should write out what we feel needs to be permissible before deciding on an access control approach.

rohanmahy commented 3 months ago

Thanks Travis. Maybe we can try to go over the user cases during one of the upcoming interims?

turt2live commented 3 months ago

that would be great! Let's do it.