xacml-users message

Subject: RE: [xacml-users] Database schema for storing XACML policies


I think the following is a sensible approach.

1. Select a portion of the Target to use as your primary key. If you are
not sure what to use, I suggest using Resource. Possibly you might
choose to use just a single attribute (e.g. Resource Name or
Classification).

2. Extract the chosen value and put it in a primary key field in a
convenient format which permits using Select statements to retrieve
potentially applicable policies.

3. Put the entire policy as a blob in another field in the same record. 

4. Use an API or stored procedure to implement adding and modifying
records, so the Primary Key value remains consistent with the rest of
the record.

5. When an access request is received use the primary key to retrieve
candidate policies. Evaluate the rest of the Target and the Conditions
of each to determine if it is applicable.

6. It may be desirable to generate other keys for management purposes,
for example: Policy ID.

This is the way we always intended Target to be used. Obviously policy
evaluation will be more efficient if Policy creation is "retrieval
strategy aware." For example, choosing what is put in the Target vs.
Conditions. This can be done by tooling or simply user conventions.

Hal
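The six steps above, carried through as an added example that is not code from the thread or from any of its participants. It assumes sqlite3 in place of the Oracle database the original poster mentioned, the XACML 2.0 policy namespace, and Targets built only from string-equal matches; it also departs from step 1 in one small way: because many policies can share the same resource, the extracted resource-id goes into an indexed `resource_key` column while PolicyId serves as the table's primary key (Hal's step 6), and policies whose Target names no resource are filed under a constructed `*` key so they are always among the candidates. Policy ids, resource names and subjects in the demo are constructed sample data.

```python
# Added illustration, not from the mailing list thread: a small sqlite3 policy
# store following the steps in Hal's reply. The resource-id in the Target is the
# retrieval key, the whole policy is stored as a blob, and the only write path
# derives the key from the blob so the two cannot drift apart (step 4).
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ANY = "*"  # constructed key for policies whose Target names no resource


def policy_xml(policy_id, matches):
    """Build a constructed XACML 2.0 policy whose Target holds one string-equal
    match per (section, attribute-id, value) triple. Rules are omitted because
    only Target-based retrieval is demonstrated here."""
    sections = {"Subject": [], "Resource": [], "Action": []}
    for section, attr_id, value in matches:
        sections[section].append(
            f'<{section}Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{XS_STRING}">{escape(value)}</AttributeValue>'
            f'<{section}AttributeDesignator AttributeId="{escape(attr_id)}" '
            f'DataType="{XS_STRING}"/></{section}Match>')
    target = "".join(
        f"<{s}s><{s}>{''.join(m)}</{s}></{s}s>" if m else f"<{s}s><Any{s}/></{s}s>"
        for s, m in sections.items())
    return (f'<Policy xmlns="{XACML}" PolicyId="{escape(policy_id)}" '
            f'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">'
            f"<Target>{target}</Target></Policy>")


def target_matches(xml_text):
    """Map attribute-id -> required value for every *Match element in the
    Target (this toy understands string-equal matches only)."""
    root = ET.fromstring(xml_text)
    required = {}
    for elem in root.find(f"{{{XACML}}}Target").iter():
        if elem.tag.endswith("Match"):
            value = elem.find(f"{{{XACML}}}AttributeValue").text
            designator = next(c for c in elem if c.tag.endswith("AttributeDesignator"))
            required[designator.get("AttributeId")] = value
    return required


def create_schema(conn):
    """Steps 2, 3 and 6: an indexed key column, the whole policy as a blob,
    and PolicyId as the management key."""
    conn.execute(
        "CREATE TABLE policy ("
        " policy_id TEXT PRIMARY KEY,"     # step 6: management key
        " resource_key TEXT NOT NULL,"     # steps 1-2: value extracted from the Target
        " policy_xml TEXT NOT NULL)")      # step 3: entire policy as a blob
    conn.execute("CREATE INDEX policy_by_resource ON policy(resource_key)")


def store_policy(conn, xml_text):
    """Step 4: the single write path. The key is computed from the blob and
    never supplied by the caller. Returns the key that was stored."""
    policy_id = ET.fromstring(xml_text).get("PolicyId")
    key = target_matches(xml_text).get(RESOURCE_ID, ANY)
    conn.execute("INSERT OR REPLACE INTO policy VALUES (?, ?, ?)",
                 (policy_id, key, xml_text))
    return key


def applicable_policies(conn, request):
    """Step 5: narrow the candidates by key in SQL, then evaluate the rest of
    each candidate's Target in memory. Returns the matching PolicyIds, sorted."""
    candidates = conn.execute(
        "SELECT policy_id, policy_xml FROM policy WHERE resource_key IN (?, ?)",
        (request.get(RESOURCE_ID, ANY), ANY)).fetchall()
    return sorted(
        policy_id for policy_id, xml_text in candidates
        if all(request.get(attr) == value
               for attr, value in target_matches(xml_text).items()))


def build_demo_store():
    """Constructed sample data: four policies in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    for policy in (
        policy_xml("read-q2-report", [("Resource", RESOURCE_ID, "file:/reports/q2.pdf"),
                                      ("Subject", SUBJECT_ID, "alice"),
                                      ("Action", ACTION_ID, "read")]),
        policy_xml("write-q2-report", [("Resource", RESOURCE_ID, "file:/reports/q2.pdf"),
                                       ("Action", ACTION_ID, "write")]),
        policy_xml("salaries", [("Resource", RESOURCE_ID, "file:/hr/salaries.csv")]),
        policy_xml("bob-everywhere", [("Subject", SUBJECT_ID, "bob")]),
    ):
        store_policy(conn, policy)
    return conn


if __name__ == "__main__":
    db = build_demo_store()
    print(applicable_policies(db, {RESOURCE_ID: "file:/reports/q2.pdf",
                                   SUBJECT_ID: "alice", ACTION_ID: "read"}))
```

The point of routing every write through `store_policy` is the one Hal makes in step 4: a policy whose key no longer matches its Target would simply never be fetched in step 5, so a Deny policy could be skipped without any error being raised. Keeping the key derivation inside the write path is what makes the SQL narrowing safe to rely on.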

> -----Original Message-----
> From: Rajesh Koilpillai [mailto:rajesh@infravio.com]
> Sent: Friday, June 16, 2006 1:32 AM
> To: 'dhirendra sharma'; 'Argyn'
> Cc: xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] Database schema for storing XACML policies
> 
> Hi,
> 
> You should definitely go for a more granular schema as you have
> suggested in your email in order to run fine grained SQL queries to
> figure out policies applicable for a Subject, Resource or Action.
> Storing it as a CLOB is going to limit your options, when you have more
> policies stored in your database.
> 
> Thanks,
> - Rajesh Koilpillai
> 
> -----Original Message-----
> From: dhirendra sharma [mailto:dhirendra_sh@yahoo.com]
> Sent: Thursday, June 15, 2006 11:29 PM
> To: Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Database schema for storing XACML policies
> 
> Hi ,
> 
> There can be potentially thousands of policies.
> How did you find applicable policies for a given request?
> 
> Thanks,
> Dhirendra Sharma
> 
> --- Argyn <jawabean@gmail.com> wrote:
> 
> > I thought about storing XACML schema in DB and gave up the idea. It
> > didn't make sense in my project. So, I had two things:
> >
> > 1. stored entire policy in TEXT type of field, such as CLOB
> > 2. some policies were generated from DB tables. I had a table with
> > start and end time columns, then the policy was generated using these
> > two columns
> >
> > thanks,
> > argyn
> >
> > On 6/15/06, dhirendra sharma <dhirendra_sh@yahoo.com> wrote:
> > > Hi All,
> > >
> > > Can someone share their database schema for storing XACML policies?
> > >
> > > We are planning to store the XACML policies in an Oracle 9i database,
> > > write a DatabasePolicyModule and, based on Subject, Resource, Action
> > > and optionally Environment from the incoming Request, build a
> > > database SQL query and find out all the applicable policies.
> > >
> > > I have defined a simple table called POLICY with columns as follows:
> > >     ---------------------------------------
> > >         TARGET_ID    VARCHAR2(20),
> > >         SUBJECT      VARCHAR2(1000),
> > >         RESOURCE_ID  VARCHAR2(1000),
> > >         ACTION       VARCHAR2(1000),
> > >         POLICY       VARCHAR2(4000)
> > >     ---------------------------------------
> > >
> > > Using values of subject, resource and action from the request input,
> > > I build a SQL query and find out matching policies.
> > >
> > > I have the following 2 questions.
> > >
> > > 1). Is the above table and column idea a good design from a policy
> > > storage perspective or am I missing something?
> > >
> > > 2). Where should I add this call to the database to find applicable
> > > policies in the code?
> > >
> > > Thanks,
> > > Dhirendra Sharma
> >
> ---------------------------------------------------------------------
> > > This publicly archived list supports open
> > discussion on using the
> > > XACML OASIS Standard. To minimize spam in the
> > archives, you
> > > must subscribe before posting.
> > >
> > > [Un]Subscribe/change address:
> > http://www.oasis-open.org/mlmanage/
> > > Alternately, using email:
> > list-[un]subscribe@lists.oasis-open.org
> > > List archives:
> > http://lists.oasis-open.org/archives/xacml-users/
> > > Committee homepage:
> > http://www.oasis-open.org/committees/xacml/
> > > List Guidelines:
> > http://www.oasis-open.org/maillists/guidelines.php
> > > Join OASIS: http://www.oasis-open.org/join/
> > >
> > >