Subject: Entitlements and PDP vs PEP Separation


I wanted to comment on the discussion during the last TC regarding entitlements and this issue:
>decision point evaluates policy and makes a decision, and an enforcement
>point applies the decision.

In real-world applications, the separation is not so cut and dried. Consider this policy:
"Analysts can view research reports if the report is in their geographical territory and the report represents an industry the analyst covers."

In this example, Joe, the user, is an analyst that covers the Oil Industry in the United States. How do you enforce this policy if the user is requesting a list of research reports he can view? If the PDP evaluates policy and the PEP enforces the yes/no decision, you might have to iterate through a database of thousands (or possibly millions) of reports and check with the PDP for each one to decide if the user can access it. This can be a very time consuming and inefficient process.

On the other hand, what if the PDP, instead of returning yes/no, returned this:
PEP -> Can Joe view research reports?
PDP -> Yes, Joe can view research reports that meet these criteria: industry=Oil, region=US
The criteria could then be passed to a database query (or something else) to retrieve the correct reports. The decision has been made by the PDP but enforcing requires more than just granting or denying an action.

Any solution that attempts to address entitlements needs to support this type of scenario.

Ken Yagen
Director, Software Development
CrossLogix, Inc.
http://www.crosslogix.com
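As an added illustration of the two styles of PDP answer described above (this is not code from the original message or from CrossLogix), the Python below compares a PEP that asks the PDP about every report in turn with one that asks once and turns the returned criteria into a parameterised database query. The users, reports, class and function names are all constructed for this example.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data for the example (not from the mailing list).
USERS = {"joe": {"role": "analyst", "region": "US", "industries": ["Oil"]}}
REPORTS = [("r1", "Oil", "US"), ("r2", "Oil", "EU"), ("r3", "Tech", "US"), ("r4", "Oil", "US")]

@dataclass
class Decision:
    permit: bool
    criteria: dict = field(default_factory=dict)  # constraints the PEP must still enforce

class PDP:
    """Evaluates: analysts may view reports in their territory and covered industries."""
    def __init__(self):
        self.calls = 0  # how many times the PEP had to consult the PDP

    def decide(self, user, action, report):
        """Classic yes/no decision about one specific report."""
        self.calls += 1
        u = USERS[user]
        ok = (u["role"] == "analyst" and action == "view"
              and report[2] == u["region"] and report[1] in u["industries"])
        return Decision(ok)

    def decide_scope(self, user, action):
        """Entitlement-style decision: 'yes, but only reports matching these criteria'."""
        self.calls += 1
        u = USERS[user]
        if u["role"] != "analyst" or action != "view":
            return Decision(False)
        return Decision(True, {"region": u["region"], "industry": list(u["industries"])})

def load_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (id TEXT, industry TEXT, region TEXT)")
    db.executemany("INSERT INTO reports VALUES (?, ?, ?)", REPORTS)
    return db

def list_reports_naive(pdp, user):
    """PEP iterates over every report and asks the PDP about each one (N PDP calls)."""
    return [r[0] for r in REPORTS if pdp.decide(user, "view", r).permit]

def list_reports_scoped(pdp, db, user):
    """PEP asks once, then enforces the returned criteria as a parameterised query."""
    d = pdp.decide_scope(user, "view")
    if not d.permit:
        return []
    marks = ",".join("?" * len(d.criteria["industry"]))  # bound parameters, never string-built
    sql = f"SELECT id FROM reports WHERE region = ? AND industry IN ({marks}) ORDER BY id"
    params = [d.criteria["region"], *d.criteria["industry"]]
    return [row[0] for row in db.execute(sql, params)]
```

Both approaches return the same report list for Joe; the difference is one PDP round trip versus one per report, and the criteria are bound as query parameters so the PEP cannot be driven into injecting attribute values into SQL.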

-----Original Message-----
From: Eve L. Maler [mailto:eve.maler@east.sun.com]
Sent: Friday, March 23, 2001 12:38 PM
To: security-services@lists.oasis-open.org
Subject: RE: The Hal/David model


And to follow up on one of Darren's points and bring things around to our
most recent TC discussion...

At 11:46 AM 3/23/01 -0800, Darren Platt wrote:
>...
>I believe a statement such as "user 'noddles' is granted 'execute'
>on '/usr/bin/guitar'" is a statement of policy.  This statement is not that
>different from "users who are 6 feet tall are granted 'execute' on
>'/usr/bin/guitar'" or "users who have the role 'musician' are granted
>'execute' on '/usr/bin/guitar'".  These latter two clearly require a
>'decision' to enforce and are therefore the input of the policy decision
>point.  I therefore don't think that this is something a PDP would pass to a
>PEP, rather something a PDP might pass to another PDP.  By their names, PDPs
>and PEPs seem to me to be abstractions based on their functionality - so a
>decision point evaluates policy and makes a decision, and an enforcement
>point applies the decision.

So, to simplify the logical perspective even more:

decision PDP(policies, attributes)
permission PEP(decision)

?

         Eve
--
Eve Maler                                             +1 781 442 3190
Sun Microsystems XML Technology Development  eve.maler @ east.sun.com

