Subject: RE: [xacml-comment] Question on 'SAML 2.0 profile of XACML v2.0'


I am sorry, I was confused. I was thinking you were using the Decision Query.

I see now you are using the policy query. I agree that it is broken. Here is the history and where things stand.

The original idea I had was a PDP with storage too limited to hold all the policies. (Either because it had a small memory or because the number of policies is large.)

What I intended was for the policy repository to evaluate the target or part of the target and return a small number of policies that potentially applied. I thought this could be done using a simple indexing scheme without having to have an XACML engine. Then the PDP would do a complete evaluation of the subset and return the result as usual.

Originally we specified a Target as a possible input, but somebody pointed out it is impossible to match targets. So the way it is now you can provide a request Context and the repository will do "some" processing and return some subset.

The only interest in this protocol had been from people who want a standard to distribute (provision) all policies or all policies for a particular PDP. I have pointed out that this protocol is not suitable for this purpose. I am currently working on a protocol (two actually) to distribute policies.

If you are interested in using the policy query, I encourage you to submit requirements and use cases. Perhaps we can fix it.

Hal

> -----Original Message-----
> From: Rüdiger Gartmann [mailto:R.Gartmann@conterra.de]
> Sent: Tuesday, February 26, 2008 9:50 AM
> To: xacml-comment@lists.oasis-open.org
> Subject: [xacml-comment] Question on 'SAML 2.0 profile of XACML v2.0'
> 
> Dear XACML experts,
> 
> we are about to implement the 'SAML 2.0 profile of XACML v2.0' in order to
> express licenses which contain access rights to certain services
> (currently using XACML 1.1). We store those licenses in a license manager
> which implements an XACMLPolicyQuery interface.
> 
> For querying this service for administration purposes we need a support
> for wildcards. For searching for certain subjects, for instance, the
> schema xacml-1.1-profile-saml2.0-v2-schema-protocol-wd-5.xsd allows the
> following query:
> 
> <xacml-context:Subject>
>   <xacml-context:Attribute
> DataType="http://www.w3.org/2001/XMLSchema#string"
> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
>     <xacml-context:AttributeValue>Alice</xacml-context:AttributeValue>
>   </xacml-context:Attribute>
> </xacml-context:Subject>
> 
> (This is similar for resources and actions.)
> 
> For us this leads to two problems:
> 
> 1. The query schema requires all three, a subject (at least one), a
> resource and an action. If we want to query all licenses containing
> policies for a certain action on a certain resource (regardless of the
> subject) we would need something like an 'AnySubject', which is not
> allowed by the schema.
> 
> 2. In contrast to the policy schema, in the query schema there is no
> MatchID. So for querying we can only use exact matches and no 'like'
> operators or something like that. (In fact, this point is less important
> than the first one.)
> 
> Does anybody know a solution for this? Or at least a hint on how to solve
> this issue? Or is my approach completely wrong?
> 
> Best regards,
> Rüdiger
> --
> Dipl.-Wirt.Inform. Rüdiger Gartmann
> 
> con terra
> Gesellschaft für Angewandte Informationstechnologie mbH
> Martin-Luther-King-Weg 24
> D-48155 Münster, Germany
> 
> Geschäftsführer: Dr. Albert Remke
> Amtsgericht Münster HRB 4149
> 
> Tel: +49 251 / 7474 - 301
> Fax: +49 251 / 7474 - 100
> 
> E-Mail: R.Gartmann@conterra.de
> http://www.conterra.de
> 
> 
> --
> This publicly archived list offers a means to provide input to the
> OASIS eXtensible Access Control Markup Language (XACML) TC.
> 
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
> 
> Subscribe: xacml-comment-subscribe@lists.oasis-open.org
> Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org
> List help: xacml-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/xacml-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
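The pre-filter Hal describes (the repository indexes policy Targets and, for a request context, returns a small superset of the policies that may apply, leaving the complete evaluation to the PDP), together with the "any subject" style of query Rüdiger asks for in his first point, worked through as an added Python example. This is not code from the XACML TC or from either poster: policies and requests are plain Python structures constructed here rather than the XACML XML, the subject-id attribute is the one shown in the thread while the resource-id, action-id and match-function identifiers are the standard XACML 1.0/2.0 ones, and the four sample policies, service names and regular expression are made up.

```python
"""Candidate-policy pre-filter of the kind Hal describes: index policy
Targets, return a superset of the policies that may apply to a request
context, and leave full evaluation to the PDP. Added example, not code from
the XACML TC or the thread; policies/requests are constructed Python data."""
import re
from collections import defaultdict

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"  # from the thread
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
REGEXP_MATCH = "urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"
CATEGORIES = ("subject", "resource", "action")


def _match(function, pattern, value):
    """Evaluate one match; re.search approximates XACML's regexp semantics."""
    if function == STRING_EQUAL:
        return pattern == value
    if function == REGEXP_MATCH:
        return re.search(pattern, value) is not None
    raise ValueError(f"unsupported match function: {function}")


def target_applies(target, request):
    """Complete target evaluation, as the PDP would do it on each candidate."""
    for cat in CATEGORIES:
        alternatives = target.get(cat, [])
        if not alternatives:  # AnySubject / AnyResource / AnyAction
            continue
        attrs = request.get(cat, [])
        if not any(_match(f, p, v) for a, f, p in alternatives
                   for rid, v in attrs if rid == a):
            return False
    return True


class PolicyIndex:
    """A target is {category: [(attribute_id, function, value), ...]}; entries
    of one category are alternatives and an empty list means 'any'."""

    def __init__(self):
        self._targets = {}
        # per category: policies the index cannot narrow (unconstrained, or
        # constrained by a function other than exact string equality)
        self._unconstrained = {c: set() for c in CATEGORIES}
        # per category: (attribute_id, value) -> ids of policies matching exactly
        self._by_value = {c: defaultdict(set) for c in CATEGORIES}

    def add(self, policy_id, target):
        self._targets[policy_id] = target
        for cat in CATEGORIES:
            alternatives = target.get(cat, [])
            if not alternatives:
                self._unconstrained[cat].add(policy_id)
            for attr_id, function, value in alternatives:
                if function == STRING_EQUAL:
                    self._by_value[cat][(attr_id, value)].add(policy_id)
                else:  # left to the PDP: the pre-filter must never drop it
                    self._unconstrained[cat].add(policy_id)

    def candidates(self, request):
        """Ids of policies that may apply to {category: [(attr_id, value)]}.
        A category that is absent or empty is not filtered on at all."""
        result = set(self._targets)
        for cat in CATEGORIES:
            attrs = request.get(cat, [])
            if not attrs:
                continue
            possible = set(self._unconstrained[cat])
            for attr_id, value in attrs:
                possible |= self._by_value[cat].get((attr_id, value), set())
            result &= possible
        return result

    def applicable(self, request):
        """Exact result after the PDP's complete evaluation of every policy."""
        return {pid for pid, t in self._targets.items() if target_applies(t, request)}


def request(subject=None, resource=None, action=None):
    """Constructed request context; None leaves the category out entirely."""
    ctx = {}
    if subject is not None:
        ctx["subject"] = [(SUBJECT_ID, subject)]
    if resource is not None:
        ctx["resource"] = [(RESOURCE_ID, resource)]
    if action is not None:
        ctx["action"] = [(ACTION_ID, action)]
    return ctx


def build_sample_index():
    """Four constructed license policies; service names 'wms'/'wfs' are made up."""
    eq, idx = STRING_EQUAL, PolicyIndex()
    idx.add("P1", {"subject": [(SUBJECT_ID, eq, "Alice")],
                   "resource": [(RESOURCE_ID, eq, "wms")], "action": [(ACTION_ID, eq, "read")]})
    idx.add("P2", {"subject": [],  # AnySubject
                   "resource": [(RESOURCE_ID, eq, "wms")], "action": [(ACTION_ID, eq, "read")]})
    idx.add("P3", {"subject": [(SUBJECT_ID, eq, "Bob")],
                   "resource": [(RESOURCE_ID, eq, "wfs")], "action": [(ACTION_ID, eq, "read")]})
    idx.add("P4", {"subject": [(SUBJECT_ID, REGEXP_MATCH, "^A")],
                   "resource": [(RESOURCE_ID, eq, "wms")], "action": [(ACTION_ID, eq, "write")]})
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for req in (request("Alice", "wms", "read"), request(None, "wms", "read"),
                request("Bob", "wms", "write")):
        cands, exact = idx.candidates(req), idx.applicable(req)
        assert exact <= cands  # may over-return, must never under-return
        print(sorted(cands), sorted(exact))
```

Two properties of this design are worth keeping in mind when building such a repository. First, `candidates` is only sound as a pre-filter if it over-approximates: a policy whose target uses a function the index does not understand (the regexp in P4) is kept for every subject, so the PDP sees it for "Bob" even though the full evaluation then rejects it; an index that silently dropped such policies would change access decisions. Second, the administrative query from the thread (resource and action given, no subject) is just a request with the subject category left out, which the index answers with every policy that could apply for some subject, whereas a PDP performing full evaluation of that same context would match only the AnySubject policy, since a constrained subject can never match an empty attribute list.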
