xacml-dev message


Subject: The use of XPath for declaring relationships in XACML policies


Hello everybody,

As a PhD researcher in access control, I'm looking into XACML. What interests me most is how the necessary information for making access control decisions is handled/retrieved. This leads me to some questions about the third rule in the second example of the XACML 2.0 specification (section 4.2.4.3).

In this example, a relationship between multiple application entities is used: a patient record belongs to a patient, who has a primary care physician. When asking for access, the subject is tested to be the primary care physician of the patient to whom the patient record belongs. This is handled by lines [a452]-[a453] in the rule, an attribute selector with an XPath.

A first question here is the exact meaning of an attribute selector: the definition of this element (section 5.42) specifies "the context node is the <xacml-context:Request> element". My first interpretation of this description is that an attribute selector is used to select parts of the request, for example the <ResourceContent> element, which is confirmed by this blog post: http://www.webfarmr.eu/2011/08/xacml-102-xpath-and-xacml/. However, the example request (section 4.2.2) does not send along the primary care physician element of the patient record in its resource content, so resolving this XPath should actually be done by accessing the resource in the PDP, correct? Or does the evaluation of this policy just fail for the example request?

A second, more general question is whether XPath and attribute selectors are the only or best way to declare/traverse relationships in policies. What if, for example, the records are stored in a SQL database, not in XML? Should the XPath be translated to the appropriate queries by the PDP? Or is this incorrect use of XPath? Another option that comes to mind is using an AttributeDesignator, specifying an attribute like "PrimaryCarePhysicianOfPatientRecord" and letting the PDP evaluate this dynamically. This however would be the start of an explosion of attributes representing relationships and would transfer policy logic to PDP code, which is the exact opposite of what XACML stands for, no?

I just started exploring XACML and maybe listed some incomplete or confusing thoughts in this mail. I think my general question is how to best declare relationships over application entities in XACML policies.

It would be great to hear your opinions about this.

Kind regards,

Maarten Decat
IBBT-DistriNet research group - KU Leuven - Belgium

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
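Added example, not part of the original post and not code from the XACML specification or any XACML implementation: a toy evaluator showing what the first question is about, namely that an AttributeSelector's XPath is evaluated with the `<Request>` element as context node, so it can only see what the PEP put into `<ResourceContent>`. The record namespace, the element names under `md:record`, the path constant and the request builder are all assumptions; the XACML context namespace, the subject-id attribute and the error-on-empty-bag behaviour of `string-one-and-only` are taken from XACML 2.0. The path omits the trailing `/text()` a real RequestContextPath would carry, because the standard library's ElementTree does not support it.

```python
"""Toy XACML 2.0 AttributeSelector evaluation (added example, stdlib only)."""
import xml.etree.ElementTree as ET

# XACML 2.0 context namespace is real; the "md" record namespace is constructed.
NS = {
    "ctx": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "md": "urn:example:med:record",
}
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Assumed path to the primary care physician inside ResourceContent, relative
# to the <Request> context node (ElementTree's restricted XPath syntax).
PCP_PATH = ("./ctx:Resource/ctx:ResourceContent/md:record/md:patient"
            "/md:primaryCarePhysician/md:registrationID")


def build_request(subject, pcp=None):
    """Constructed request. pcp=None mirrors the spec's example request, which
    does not carry the primary care physician element in <ResourceContent>."""
    pcp_xml = (f"<md:primaryCarePhysician><md:registrationID>{pcp}"
               f"</md:registrationID></md:primaryCarePhysician>" if pcp else "")
    return f"""<Request xmlns="{NS['ctx']}" xmlns:md="{NS['md']}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>{subject}</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <md:record><md:patient><md:patientId>123</md:patientId>{pcp_xml}</md:patient></md:record>
    </ResourceContent>
  </Resource>
  <Action/>
</Request>"""


class Indeterminate(Exception):
    """Raised where XACML says a selector or function returns an error."""


def attribute_selector(request_root, path, must_be_present=False):
    """AttributeSelector: evaluate the path against <Request> and return a bag
    (list) of strings. No match with MustBePresent="true" is an error."""
    bag = [el.text or "" for el in request_root.findall(path, NS)]
    if not bag and must_be_present:
        raise Indeterminate("MustBePresent selector matched nothing")
    return bag


def attribute_designator(request_root, attribute_id):
    """SubjectAttributeDesignator: bag of values for one subject attribute."""
    path = (f"./ctx:Subject/ctx:Attribute[@AttributeId='{attribute_id}']"
            "/ctx:AttributeValue")
    return [el.text or "" for el in request_root.findall(path, NS)]


def string_one_and_only(bag):
    """urn:oasis:names:tc:xacml:1.0:function:string-one-and-only:
    an error unless the bag holds exactly one value."""
    if len(bag) != 1:
        raise Indeterminate(f"expected one value, bag has {len(bag)}")
    return bag[0]


def selector_bag(request_xml, must_be_present=False):
    """Convenience: what the selector alone yields for a request."""
    return attribute_selector(ET.fromstring(request_xml), PCP_PATH, must_be_present)


def evaluate_pcp_rule(request_xml, must_be_present=False):
    """Condition 'subject-id equals the record's primary care physician',
    reported the way a Permit rule would: Permit / NotApplicable / Indeterminate."""
    root = ET.fromstring(request_xml)
    try:
        subject = string_one_and_only(attribute_designator(root, SUBJECT_ID))
        pcp = string_one_and_only(attribute_selector(root, PCP_PATH, must_be_present))
    except Indeterminate:
        return "Indeterminate"
    return "Permit" if subject == pcp else "NotApplicable"


if __name__ == "__main__":
    for req in (build_request("DrAlice", pcp="DrAlice"),   # designated PCP
                build_request("DrBob", pcp="DrAlice"),     # someone else
                build_request("DrAlice")):                 # element absent
        print(evaluate_pcp_rule(req))
```

The third case is the situation the post asks about: when the request does not carry the element, the selector returns an empty bag (or an error, if MustBePresent is set), `string-one-and-only` turns that into an error, and the rule comes out Indeterminate rather than being resolved by fetching the record on the PDP side. For a PDP to decide this rule, either the PEP has to include the relevant part of the record in `<ResourceContent>`, or the selector has to be backed by a context handler that fetches it.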
