Subject: RE: [xacml-comment] Question on 'SAML 2.0 profile of XACML v2.0'
I am sorry, I was confused. I was thinking you were using the Decision Query. I see now you are using the policy query. I agree that it is broken.

Here is the history and where things stand. The original idea I had was a PDP with storage too limited to hold all the policies. (Either because it had a small memory or because the number of policies is large.) What I intended was for the policy repository to evaluate the target or part of the target and return a small number of policies that potentially applied. I thought this could be done using a simple indexing scheme without having to have an XACML engine. Then the PDP would do a complete evaluation of the subset and return the result as usual.

Originally we specified a Target as a possible input, but somebody pointed out it is impossible to match targets. So the way it is now you can provide a request Context and the repository will do "some" processing and return some subset.

The only interest in this protocol had been from people who want a standard to distribute (provision) all policies or all policies for a particular PDP. I have pointed out that this protocol is not suitable for this purpose. I am currently working on a protocol (two actually) to distribute policies.

If you are interested in using the policy query, I encourage you to submit requirements and use cases. Perhaps we can fix it.

Hal

> -----Original Message-----
> From: Rüdiger Gartmann [mailto:R.Gartmann@conterra.de]
> Sent: Tuesday, February 26, 2008 9:50 AM
> To: xacml-comment@lists.oasis-open.org
> Subject: [xacml-comment] Question on 'SAML 2.0 profile of XACML v2.0'
>
> Dear XACML experts,
>
> we are about to implement the 'SAML 2.0 profile of XACML v2.0' in order to
> express licenses which contain access rights to certain services
> (currently using XACML 1.1). We store those licenses in a license manager
> which implements an XACMLPolicyQuery interface.
>
> For querying this service for administration purposes we need support
> for wildcards. For searching for certain subjects, for instance, the
> schema xacml-1.1-profile-saml2.0-v2-schema-protocol-wd-5.xsd allows the
> following query:
>
> <xacml-context:Subject>
>   <xacml-context:Attribute
>       DataType="http://www.w3.org/2001/XMLSchema#string"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
>     <xacml-context:AttributeValue>Alice</xacml-context:AttributeValue>
>   </xacml-context:Attribute>
> </xacml-context:Subject>
>
> (This is similar for resources and actions.)
>
> For us this leads to two problems:
>
> 1. The query schema requires all three, a subject (at least one), a
> resource and an action. If we want to query all licenses containing
> policies for a certain action on a certain resource (no matter the
> subject) we would need something like an 'AnySubject', which is not
> allowed by the schema.
>
> 2. In contrast to the policy schema, in the query schema there is no
> MatchId. So for querying we can only use exact matches and no 'like'
> operators or something like that. (In fact, this point is less important
> than the first one.)
>
> Does anybody know a solution for this? Or at least any hint how to solve
> this issue? Or is my approach completely wrong?
>
> Best regards,
> Rüdiger
>
> --
> Dipl.-Wirt.Inform. Rüdiger Gartmann
>
> con terra
> Gesellschaft für Angewandte Informationstechnologie mbH
> Martin-Luther-King-Weg 24
> D-48155 Münster, Germany
>
> Geschäftsführer: Dr. Albert Remke
> Amtsgericht Münster HRB 4149
>
> Tel: +49 251 / 7474 - 301
> Fax: +49 251 / 7474 - 100
>
> E-Mail: R.Gartmann@conterra.de
> http://www.conterra.de
>
> --
> This publicly archived list offers a means to provide input to the
> OASIS eXtensible Access Control Markup Language (XACML) TC.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: xacml-comment-subscribe@lists.oasis-open.org
> Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org
> List help: xacml-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/xacml-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
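The division of labour Hal describes (a repository that does only coarse indexing over policy Targets and hands a candidate subset to a PDP that performs the full evaluation) can be made concrete with a small model. The following Python is an added illustration written for this archive page; it is not code from the thread, from con terra, or from any OASIS artifact. The policies, their Target values and the service names are constructed; the three AttributeIds are the standard XACML 1.0/2.0 subject-id, resource-id and action-id identifiers. It also shows why Rüdiger's wildcard request does not fit the protocol as it stands: the query carries a concrete request context, so "no matter the subject" is only expressible on the policy side (an unconstrained Target), not on the query side.

```python
"""Candidate-policy retrieval by indexing, modelling the design in Hal's reply.

Constructed example. The repository keeps a lightweight index over policy
Targets and returns a SUPERSET of the policies that might apply to a concrete
request context; the PDP then evaluates that subset completely. Because the
index knows nothing about MatchId functions or Conditions, it must only ever
over-approximate: dropping an applicable policy (a Deny, say) would silently
change the PDP's decision.
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard XACML 1.0/2.0 attribute identifiers.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CATEGORIES = (SUBJECT_ID, RESOURCE_ID, ACTION_ID)

ANY = None  # Target places no constraint on a category (AnySubject/AnyResource/AnyAction)


@dataclass(frozen=True)
class Policy:
    policy_id: str
    # category -> frozenset of exact string values the Target lists, or ANY
    target: dict


class PolicyIndex:
    """Simple inverted index over Target values; no XACML engine involved."""

    def __init__(self):
        self._by_value = defaultdict(set)  # (category, value) -> policy ids
        self._any = defaultdict(set)       # category -> ids unconstrained there
        self._policies = {}

    def add(self, policy):
        self._policies[policy.policy_id] = policy
        for cat in CATEGORIES:
            values = policy.target.get(cat, ANY)
            if values is ANY:
                self._any[cat].add(policy.policy_id)
            else:
                for value in values:
                    self._by_value[(cat, value)].add(policy.policy_id)

    def candidates(self, request):
        """Return ids of policies that might apply to a concrete request context.

        `request` maps each category to ONE attribute value, as the
        XACMLPolicyQuery does. A policy survives a category only if its Target
        is unconstrained there or lists exactly the request's value, so the
        result is a coarse superset for the PDP to evaluate. A missing category
        is rejected: there is no way to say "any subject" in a request context.
        """
        surviving = set(self._policies)
        for cat in CATEGORIES:
            if cat not in request:
                raise ValueError(f"request context lacks {cat}; the query needs a concrete value")
            matching = self._by_value.get((cat, request[cat]), set()) | self._any[cat]
            surviving &= matching
        return sorted(surviving)


def build_example_index():
    """Four constructed license policies; service and action names are made up."""
    idx = PolicyIndex()
    idx.add(Policy("P1", {SUBJECT_ID: frozenset({"Alice"}), RESOURCE_ID: frozenset({"wms"}),
                          ACTION_ID: frozenset({"GetMap"})}))
    idx.add(Policy("P2", {SUBJECT_ID: ANY, RESOURCE_ID: frozenset({"wms"}),
                          ACTION_ID: frozenset({"GetMap"})}))          # any subject
    idx.add(Policy("P3", {SUBJECT_ID: frozenset({"Bob"}), RESOURCE_ID: frozenset({"wfs"}),
                          ACTION_ID: ANY}))                             # any action
    idx.add(Policy("P4", {SUBJECT_ID: frozenset({"Alice"}), RESOURCE_ID: ANY,
                          ACTION_ID: ANY}))                             # Alice, anything
    return idx


def wildcard_query_supported(idx):
    """True only if the repository accepts a request context with no subject."""
    try:
        idx.candidates({RESOURCE_ID: "wms", ACTION_ID: "GetMap"})
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    idx = build_example_index()
    print(idx.candidates({SUBJECT_ID: "Alice", RESOURCE_ID: "wms", ACTION_ID: "GetMap"}))
    print("wildcard query supported:", wildcard_query_supported(idx))
```

The policy-side wildcard (P2's unconstrained subject) is what lets an "any subject" license surface for every concrete subject, which is the only wildcard this exchange model offers; an administrator's "all licenses for action X on resource Y regardless of subject" would have to be answered by a different, provisioning-style protocol, which is the gap Hal's closing paragraph refers to.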