Bob Blakley wrote:
>
> > I would propose (lowest--least specific) group, role, ip-address?, access-id
> > (highest--most specific).
>
> For reasons explained in my earlier note, I consider group to be more specific
> than role. So my partial order goes:
>
> (lowest--least specific) role, group, access-id (highest--most specific).
>
> My personal feeling is that ip-address is completely useless as a subject
> field and shouldn't be allowed as a privilege attribute at all

Can time-based attributes (like timeofday and dayofWeek) or authentication strength be considered as privilege attributes? I think they should be. It will be very hard to get an exact precedence rule once we throw in new privilege attributes. Should we think of a "precedence category"?

Thanks
/prasanta
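An added example, not code from the thread, showing what the precedence question looks like inside a small policy evaluator: conflicting rules are ranked by Bob's partial order over subject attributes, and the `CATEGORY` grouping plus the deny-overrides combination are my assumptions for what a "precedence category" scheme could mean. The policy and requests are constructed sample data.

```python
# Added example, not code from the thread: resolves conflicting access rules by the
# specificity of the privilege attribute each keys on (Bob's partial order
# role < group < access-id) and shows where time-based attributes fall outside it.
from dataclasses import dataclass
from typing import Optional

# Bob's order; higher rank = more specific. ip-address is deliberately absent.
SUBJECT_RANK = {"role": 0, "group": 1, "access-id": 2}
# Assumed "precedence categories" (a concrete reading of Prasanta's suggestion):
# ranks are compared only between attributes of the same category.
CATEGORY = {"role": "subject", "group": "subject", "access-id": "subject",
            "timeofday": "environment", "dayofWeek": "environment",
            "auth-strength": "authentication"}

@dataclass(frozen=True)
class Rule:
    attribute: str  # privilege attribute the rule keys on
    value: str      # value the request must carry for the rule to apply
    effect: str     # "permit" or "deny"

def applicable(rules: list[Rule], request: dict) -> list[Rule]:
    return [r for r in rules if request.get(r.attribute) == r.value]

def most_specific(rules: list[Rule], request: dict) -> Optional[Rule]:
    """Winner under SUBJECT_RANK alone. None when nothing applies, when a
    conflict involves an attribute the partial order does not rank, or on a tie."""
    matches = applicable(rules, request)
    if len(matches) <= 1:
        return matches[0] if matches else None
    if any(r.attribute not in SUBJECT_RANK for r in matches):
        return None  # e.g. timeofday: no precedence defined against subject attrs
    top = max(SUBJECT_RANK[r.attribute] for r in matches)
    ties = [r for r in matches if SUBJECT_RANK[r.attribute] == top]
    return ties[0] if len(ties) == 1 else None

def decide_by_category(rules: list[Rule], request: dict) -> str:
    """Most specific rule within each category, then deny-overrides across
    categories (an assumed combining policy); default deny when nothing applies."""
    matches = applicable(rules, request)
    winners = []
    for cat in {CATEGORY[r.attribute] for r in matches}:
        in_cat = [r for r in matches if CATEGORY[r.attribute] == cat]
        top = max(SUBJECT_RANK.get(r.attribute, 0) for r in in_cat)
        winners += [r for r in in_cat if SUBJECT_RANK.get(r.attribute, 0) == top]
    if not winners:
        return "deny"
    return "deny" if any(w.effect == "deny" for w in winners) else "permit"

# Constructed sample policy: alice is a doctor in oncology; night access is denied.
POLICY = [Rule("role", "doctor", "permit"), Rule("group", "oncology", "deny"),
          Rule("access-id", "alice", "permit"), Rule("timeofday", "night", "deny")]
```

With only subject attributes in play the access-id rule wins outright; once a `timeofday` rule also applies, `most_specific` has no defined precedence and must give up, while the category scheme still yields a decision.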