Subject: Chronicle Attribute
Dear List,

In our recent research with Grid coordinated access control decision making, we used obligations to update a coordination database to record details of a user's actions. The coordination database performs the same function as the retained ADI in ISO 10181-3. In this way we can implement applications such as ATM machine cash withdrawals over a distributed network using multiple stateless PDPs (such as the XACML PDP), and ensure that a user does not withdraw more than X amount per day from whichever machine he goes to. We have presented two papers about this, at Policy 2006 and MGC 2006:

David W Chadwick, Linying Su, Oleksandr Otenko, Romain Laborde. “Coordination between Distributed PDPs”. Proc of 7th IEEE International Workshop on Policies for Distributed Systems and Networks, London, Ontario, 5-7 June 2006, pp. 163-172.

David W Chadwick, Linying Su, Romain Laborde. “Providing Secure Coordinated Access to Grid Services”. Proceedings of 4th International Workshop on Middleware for Grid Computing - MGC 2006, in conjunction with ACM/IFIP/USENIX 7th International Middleware Conference 2006, Melbourne, Australia, November 27, 2006.

The net result is that we need a new attribute added to the Obligation element in XACML. The purpose of this attribute is a directive to the PEP to tell it WHEN to carry out the obligation: either Before, With, or After enforcing the user's access request. In most grid applications With is not appropriate since grid jobs can run for hours or days. So Before or After are often the most appropriate for grids (e.g. when to send an email notification? before the job starts or after it finishes). We have implemented a Before option in GT4 with a coordination PDP that talks to an XACML PDP (more details of this in the MGC paper).
Here is the new schema for obligation that we propose:

    <xs:element name="Obligation" type="xacml:ObligationType"/>
    <xs:complexType name="ObligationType">
      <xs:sequence>
        <xs:element ref="xacml:AttributeAssignment" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ObligationId" type="xs:anyURI" use="required"/>
      <xs:attribute name="FulfillOn" type="xacml:EffectType" use="required"/>
      <xs:attribute name="Chronicle" type="xacml:ChronicleType" use="optional"/>
    </xs:complexType>

The Chronicle simple type is defined as:

    <xs:simpleType name="ChronicleType">
      <xs:restriction base="xs:string">
        <xs:enumeration value="Before"/>
        <xs:enumeration value="With"/>
        <xs:enumeration value="After"/>
      </xs:restriction>
    </xs:simpleType>

regards

David

-- 
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
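As an added illustration (not code from the posting, from GT4 or from any XACML implementation), the following toy PEP reads the proposed Chronicle attribute from an XACML 2.0 Response and schedules each obligation Before, With or After the access. It assumes the Before/With/After enumeration above; the obligation ids, the amount attribute, the per-user coordination database and the sample Response are constructed placeholders. The security point it makes concrete is that a Before obligation (the coordination database update in the ATM scenario) must succeed before the access is performed, and that an obligation the PEP does not understand, or a Chronicle value outside the enumeration, causes the access to be refused rather than guessed at.

```python
"""Toy PEP scheduling XACML obligations by a Chronicle attribute.

Added example, not code from the posting or from any XACML/GT4 implementation.
Assumptions: the Chronicle attribute and its Before/With/After values are as
proposed on the list; the obligation ids and attribute ids below are made up.
"""
import xml.etree.ElementTree as ET

CHRONICLE_VALUES = ("Before", "With", "After")  # proposed ChronicleType enumeration


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def parse_obligations(response_xml):
    """Return (decision, [obligation dicts]) from an XACML Response.

    Only obligations whose FulfillOn matches the decision are kept.  A missing
    Chronicle is treated as "With" (assumption: enforce alongside the access,
    as a PEP without this extension would); any other value is an error so the
    PEP never guesses when to act.
    """
    root = ET.fromstring(response_xml)
    decision = next(e.text.strip() for e in root.iter() if _local(e.tag) == "Decision")
    obligations = []
    for ob in (e for e in root.iter() if _local(e.tag) == "Obligation"):
        if ob.get("FulfillOn") != decision:
            continue
        chronicle = ob.get("Chronicle", "With")
        if chronicle not in CHRONICLE_VALUES:
            raise ValueError("unknown Chronicle value %r" % chronicle)
        attrs = {a.get("AttributeId"): (a.text or "").strip()
                 for a in ob if _local(a.tag) == "AttributeAssignment"}
        obligations.append({"id": ob.get("ObligationId"), "chronicle": chronicle, "attrs": attrs})
    return decision, obligations


def enforce(response_xml, handlers, perform_access):
    """Run one PEP cycle and return an ordered log of what happened.

    Before-obligations run first and must all succeed, otherwise the access is
    refused (fail closed).  With-obligations run together with the access and
    After-obligations once it has completed.  An obligation without a handler
    is a refusal too: a PEP must understand every obligation it is handed.
    """
    decision, obligations = parse_obligations(response_xml)
    log = []
    if decision != "Permit":
        return ["denied"]
    if any(o["id"] not in handlers for o in obligations):
        return ["denied: unhandled obligation"]
    by_time = {c: [o for o in obligations if o["chronicle"] == c] for c in CHRONICLE_VALUES}
    for o in by_time["Before"]:
        if not handlers[o["id"]](o["attrs"]):
            return ["denied: Before obligation %s failed" % o["id"]]
        log.append("before:" + o["id"])
    for o in by_time["With"]:
        handlers[o["id"]](o["attrs"])
        log.append("with:" + o["id"])
    perform_access()
    log.append("access")
    for o in by_time["After"]:
        handlers[o["id"]](o["attrs"])
        log.append("after:" + o["id"])
    return log


# Constructed sample Response: record the withdrawal in the coordination
# database before the cash is dispensed, send a notification afterwards.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:record-withdrawal"
                        FulfillOn="Permit" Chronicle="Before">
        <xacml:AttributeAssignment AttributeId="urn:example:attr:amount"
            DataType="http://www.w3.org/2001/XMLSchema#integer">50</xacml:AttributeAssignment>
      </xacml:Obligation>
      <xacml:Obligation ObligationId="urn:example:obligation:notify"
                        FulfillOn="Permit" Chronicle="After"/>
    </xacml:Obligations>
  </Result>
</Response>"""

COORDINATION_DB = {"alice": 0}  # constructed stand-in: amount withdrawn today per user


def record_withdrawal(attrs, user="alice"):
    """Before-handler: record the amount in the coordination database so the
    next (stateless) PDP sees it; return False if the record cannot be made."""
    COORDINATION_DB[user] += int(attrs["urn:example:attr:amount"])
    return True


HANDLERS = {
    "urn:example:obligation:record-withdrawal": record_withdrawal,
    "urn:example:obligation:notify": lambda attrs: True,  # stand-in for sending mail
}

if __name__ == "__main__":
    print(enforce(SAMPLE_RESPONSE, HANDLERS, lambda: None))
```

Running the block prints the ordered log: the withdrawal is recorded first, then the access happens, then the notification goes out. Swapping the record handler for one that returns False (a coordination database that is unreachable) yields a single "denied" entry and no access, which is the behaviour a coordinated limit such as the daily withdrawal cap depends on.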