User Guide: Features
This page gives a quick overview of the currently implemented and missing features that could
be expressed with a Permis authorization policy.
Features
| Name | Description | PDP | Editor |
|---|---|---|---|
| Resources | A resource is what should be protected by authorization. | | |
| Actions | An action is what a subject wants to execute on a resource, including a list of parameter types. | | |
| Targets | A target combines a resource or a set of resources to be protected with a set of actions that are possible on these resources. | | |
| Resource Domains | A resource domain combines a set of resources. | | |
| Subject Domains | A subject domain combines a set of subjects. | | |
| Roles (RBAC 0) | A role assigns the holder a set of authorized privileges. | | |
| Role Hierarchies (RBAC 1) | A superior role gets all privileges of a subordinate role. | | |
| Target Access Rules | A target access rule defines a set of roles that are allowed to access a target. | | |
| Conditions for Target Access Rules | Conditions are additional constraints that must be true for a target access rule. For example, access is only granted between 9am and 11am. | | |
| Role Assignment Rules | A role assignment rule defines which subjects are allowed to assign which roles, and if a subject can delegate an assigned role. | | |
| Obligations | An obligation is an operation specified in a policy that should be performed by the PEP (Policy Enforcement Point) in conjunction with the enforcement of an authorization decision. | | |
| Static Separation of Duties (SoD) | Define mutually exclusive roles. | | |
| Dynamic Separation of Duties (DSoD) | Define mutually exclusive roles in the context of a dynamic session. | | |