xacml-users message


Subject: RE: [xacml-users] Database schema for storing XACML policies


Hi Hal,

Some of your suggestions match exactly what I am planning to do. However, I do not have a complete picture yet. I will share once I have a complete picture.

Thanks,
Dhirendra Sharma


Subject: RE: [xacml-users] Database schema for storing XACML policies

From: "Hal Lockhart" <hlockhar@bea.com>
To: "Rajesh Koilpillai" <rajesh@infravio.com>, "dhirendra sharma" <dhirendra_sh@yahoo.com>, "Argyn" <jawabean@gmail.com>
Date: Thu, 22 Jun 2006 06:59:18 -0700

--------------------------------------------------------------------------------

I think the following is a sensible approach.

1. Select a portion of the Target to use as your primary key. If you are not sure what to use, I suggest using Resource. Possibly you might choose to use just a single attribute (e.g. Resource Name or Classification).

2. Extract the chosen value and put it in a primary key field in a convenient format which permits using Select statements to retrieve potentially applicable policies.

3. Put the entire policy as a blob in another field in the same record.

4. Use an API or stored procedure to implement adding and modifying records, so the Primary Key value remains consistent with the rest of the record.

5. When an access request is received use the primary key to retrieve candidate policies. Evaluate the rest of the Target and the Conditions of each to determine if it is applicable.

6. It may be desirable to generate other keys for management purposes, for example: Policy ID.

This is the way we always intended Target to be used. Obviously policy evaluation will be more efficient if Policy creation is "retrieval strategy aware." For example, choosing what is put in the Target vs. Conditions. This can be done by tooling or simply user conventions.

Hal
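
A sketch of the storage and retrieval steps listed above, added here as an illustration; it is not part of the original message and not code from any XACML implementation. It uses Python with SQLite in place of Oracle, keys on the resource-id attribute, and keeps Policy ID as the unique key (step 6) because several policies can share one resource; the table names, helper names and the `*` catch-all key are assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET
# Added example: table names, helpers and the "*" key are assumptions; SQLite stands in for Oracle.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ANY = "*"  # key for policies an equality lookup cannot rule out

def sample_policy(pid, value=None, fn="string-equal"):  # constructed, trimmed XACML 2.0
    t = "" if value is None else (
        f'<Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:{fn}">'
        f'<AttributeValue>{value}</AttributeValue><ResourceAttributeDesignator AttributeId="{RESOURCE_ID}"/>'
        "</ResourceMatch></Resource></Resources>")
    return f'<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="{pid}"><Target>{t}</Target></Policy>'

def _indexable(match):
    d = match.find("{*}ResourceAttributeDesignator")
    return match.get("MatchId", "").endswith(":string-equal") and d is not None and d.get("AttributeId") == RESOURCE_ID

def resource_keys(policy_xml):
    """Derive (PolicyId, lookup keys) from the policy's own Target."""
    root = ET.fromstring(policy_xml)
    keys = set()
    for res in root.findall("{*}Target/{*}Resources/{*}Resource"):
        eq = [m for m in res.findall("{*}ResourceMatch") if _indexable(m)]
        # Regexp or other-attribute matches stay candidates for every request.
        keys.add(eq[0].findtext("{*}AttributeValue", "").strip() if eq else ANY)
    return root.get("PolicyId"), keys or {ANY}  # no Resources: applies to any resource

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE policy (policy_id TEXT PRIMARY KEY, xml BLOB NOT NULL);
        CREATE TABLE policy_key (resource_key TEXT NOT NULL, policy_id TEXT NOT NULL);
        CREATE INDEX ix_policy_key ON policy_key (resource_key);""")
    return db

def put_policy(db, policy_xml):
    """Single write path: blob and keys are replaced in one transaction."""
    policy_id, keys = resource_keys(policy_xml)
    with db:
        db.execute("INSERT OR REPLACE INTO policy VALUES (?, ?)", (policy_id, policy_xml))
        db.execute("DELETE FROM policy_key WHERE policy_id = ?", (policy_id,))
        db.executemany("INSERT INTO policy_key VALUES (?, ?)", [(k, policy_id) for k in keys])

def candidates(db, resource_id):
    """Request values are bound parameters, never spliced into the SQL text."""
    rows = db.execute(
        "SELECT DISTINCT p.policy_id, p.xml FROM policy p JOIN policy_key k ON k.policy_id = p.policy_id "
        "WHERE k.resource_key IN (?, ?) ORDER BY p.policy_id", (resource_id, ANY))
    return rows.fetchall()  # the PDP still evaluates each full Target and Condition
```

A policy whose Target has no equality match on the resource is stored under the catch-all key so it is always retrieved; leaving it out of the candidate set would silently skip a policy that applies to every resource.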

> -----Original Message-----
> From: Rajesh Koilpillai [mailto:rajesh@infravio.com]
> Sent: Friday, June 16, 2006 1:32 AM
> To: 'dhirendra sharma'; 'Argyn'
> Cc: xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] Database schema for storing XACML policies
>
> Hi,
>
> You should definitely go for a more granular schema as you have
> suggested in your email in order to run fine grained SQL queries to
> figure out policies applicable for a Subject, Resource or Action.
> Storing it as a CLOB is going to limit your options, when you have
> more policies stored in your database.
>
> Thanks,
> - Rajesh Koilpillai
> 
> -----Original Message-----
> From: dhirendra sharma [mailto:dhirendra_sh@yahoo.com]
> Sent: Thursday, June 15, 2006 11:29 PM
> To: Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Database schema for storing XACML policies
>
> Hi,
>
> There can be potentially thousands of policies.
> How did you find applicable policies for given request?
>
> Thanks,
> Dhirendra Sharma
> 
> --- Argyn <jawabean@gmail.com> wrote:
>
> > I thought about storing XACML schema in Db and gave up the idea. It
> > didn't make sense in my project. So, I had two things:
> >
> > 1. stored entire policy in TEXT type of field, such as CLOB
> > 2. some policies were generated from DB tables. I had a table with
> > start and end time columns, then the policy was generated using these
> > two columns
> >
> > thanks,
> > argyn
> >
> > On 6/15/06, dhirendra sharma <dhirendra_sh@yahoo.com> wrote:
> > > Hi All,
> > >
> > > Can someone share their database schema for storing XACML policies?
> > >
> > > We are planning to store the XACML policies in Oracle 9i database.
> > > Write a DatabasePolicyModule and based on Subject, Resource, Action
> > > and optionally Environment from the incoming Request build a
> > > database SQL query and find out all the applicable policies.
> > >
> > > I have defined a simple table called - POLICY with columns as follows:
> > >         ---------------------------------------
> > >             TARGET_ID    VARCHAR2(20),
> > >             SUBJECT      VARCHAR2(1000),
> > >             RESOURCE_ID  VARCHAR2(1000),
> > >             ACTION       VARCHAR2(1000),
> > >             POLICY       VARCHAR2(4000)
> > >         ---------------------------------------
> > >
> > > Using values of subject, resource and action from the request
> > > input, I build a SQL query and find out matching policies.
> > >
> > > I have following 2 questions.
> > >
> > > 1). Is above table and column idea good design for policy storage
> > > perspective or I am missing something?
> > >
> > > 2). Where should I add this call to the database to find applicable
> > > policies in the code?
> > >
> > > Thanks,
> > > Dhirendra Sharma
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
> > >
> > > ---------------------------------------------------------------------
> > > This publicly archived list supports open discussion on using the
> > > XACML OASIS Standard. To minimize spam in the archives, you
> > > must subscribe before posting.
> > >
> > > [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> > > Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> > > List archives: http://lists.oasis-open.org/archives/xacml-users/
> > > Committee homepage: http://www.oasis-open.org/committees/xacml/
> > > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> > > Join OASIS: http://www.oasis-open.org/join/