-
Key: DDSSEC_-73
-
Status: closed
-
Source: Twin Oaks Computing, Inc. ( Mr. Clark Tucker)
-
Summary:
The DomainParticipant Permissions document does not specifically indicate if we are allowed to create a participant in a domain. It indicates which topics are allowed/denied to publish/subscribe/relay. What specifically determines whether we are or are not allowed to create a participant?
Is it simply the presence of a matching 'subject_name' entry?
-
Reported: DDS-Security 1.0b1 — Tue, 17 Nov 2015 13:59 GMT
-
Disposition: Resolved — DDS-Security 1.0
-
Disposition Summary:
Modify Table 40 adding detail on the conditions for the access control operations to succeed based on the governance and permissions documents
Add more detailed information to Table 40 (Actions undertaken by the operations of the bulitin AccessControl plugin) in Section 9.4.3.
Describe the precise behavior of the access-control operations for the built-in access control plugin based on the Governance and Permissions documents. Specifically the following aspects should be covered:
- Impact of the existence of Topics in the Governance document that have enable_read_access_control or enable_write_access_control set to FALSE
- Impact of the Publisher/Subscriber partition
- Impact of DataReader/DataWriter Tags
The description of the following operations in Table 40 should be updated with to include the behavior under the aforementioned circumstances:
check_create_participant, check_create_datawriter, check_create_datareader, check_create_topic, check_local_datawriter_register_instance, check_local_datawriter_dispose_instance, check_remote_participant, check_remote_datawriter, check_remote_datareader, check_remote_topic -
Updated: Tue, 12 Jul 2016 14:45 GMT
DDSSEC_ — How to determine if creating a DomainParticipant is allowed
- Key: DDSSEC_-73
- OMG Task Force: DDS Security 1.0 FTF 2