OASIS Mailing List Archives
xacml-users message



Subject: RE: [xacml-users] A challenging scenario for XACML


Are the contracts already in XML, or are Contract document instances
required for other uses?  If so, you could use XSLT to convert them to
XACML policies so you have explicit rules like "D can see types 1,2,4
from A", etc.

Are you coding the XML contracts from natural language documents?  If
so, why not code them directly into XACML policies?

--Paul

> -----Original Message-----
> From: Ludwig Seitz [mailto:ludwig@axiomatics.com] 
> Sent: Wednesday, June 24, 2009 03:00
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] A challenging scenario for XACML
> 
> Hello all,
> 
> I have an interesting scenario, for which I have not found a 
> satisfying solution in XACML. I wonder whether it's due to a 
> bad modelling of the available information in attributes or 
> if it's a limitation of XACML's functionality. Either way I 
> am glad for any comments. 
> 
> Caution, this is rather long!
> 
> The scenario is the following:
> 
> Organisations A, B, C and D share certain types of 
> information {1,2,3,4,5} based on contracts.
> 
> An example set of contracts for organisation D could look like this:
> 
> <Contracts>
>   <Partner name="A">
>     <type>1</type>
>     <type>2</type>
>     <type>4</type>
>   </Partner>
>   <Partner name="B">
>     <type>2</type>
>     <type>3</type>
>     <type>4</type>
>   </Partner>
>   <Partner name="C">
>     <type>1</type>
>     <type>5</type>
>   </Partner>
> </Contracts>
> 
> meaning e.g. that A gives D access to information of types 1, 2 and 4.
> 
> Now I imagined my request would look something like this (in 
> XACML 3.0 syntax, since you can't put content into the 
> subject in XACML 2.0):
> 
> <Request>
>   <Attributes Category="subject">
>     <Content>
>       <Contracts>
>         <Partner name="A">
>           <type>1</type>
>           <type>2</type>
>           <type>4</type>
>         </Partner>
>         <Partner name="B">
>           <type>2</type>
>           <type>3</type>
>           <type>4</type>
>         </Partner>
>         <Partner name="C">
>           <type>1</type>
>           <type>5</type>
>         </Partner>
>       </Contracts>
>     </Content>
>   </Attributes>
>   <Attributes Category="resource">
>     <Attribute AttributeId="partner">
>       <AttributeValue>A</AttributeValue>
>     </Attribute>
>     <Attribute AttributeId="type">
>       <AttributeValue>2</AttributeValue>
>     </Attribute>
>   </Attributes>
> </Request>
> 
> meaning that a subject with the given contracts is trying to 
> access information of the type 2 at organisation A.
> 
> 
> Now I want to write a policy that checks whether the resource 
> attributes are "covered" by the contracts given for the 
> subject. I haven't found a good way to do this.
> 
> 
> Bad (IMHO) ways to do this include:
> 
> 1.) Using complicated XPath 2.0 expressions
> 2.) Extending XACML with a custom made function that does this
> 3.) Change the encoding of the contracts to attributes that look like
> this:
>    <Attribute AttributeId="Contract">
>      <AttributeValue>A:1</AttributeValue>
>      <AttributeValue>A:2</AttributeValue>
>      <AttributeValue>A:4</AttributeValue>
>      <AttributeValue>B:2</AttributeValue>
>      etc ...
> 
> What I am aiming at is a solution that is easy to understand 
> for future administrators of these policies (that's why I 
> reject my solution 1.), that doesn't need custom extensions 
> of XACML (reject solution 2.). The reason I dislike my 
> solution 3.) is that the attributes encode two pieces of 
> information (organisation and information type) in one.
> 
> 
> Regards,
> 
> Ludwig Seitz
> 
> 
> 	  
> -- 
> Ludwig Seitz, PhD             |   Axiomatics AB
> Training & Development        |   Electrum 223
> Phone: +46 (0)703 83 08 00    |   S-164 40 Kista, Sweden
> Mail: ludwig@axiomatics.com   |
> 
> 

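Paul's suggestion carried through as an added example (editor's illustration, not code from either author or from Axiomatics): the contract document is transformed into explicit XACML 3.0 rules, one Permit per (partner, type) pair followed by a catch-all Deny under first-applicable combining, and a request is then checked against them. Python and ElementTree stand in for the XSLT Paul mentions. The AttributeIds "partner" and "type", the resource category and the simplified request form are taken from Ludwig's mail; the policy id "contracts-of-D", the rule ids and the sample documents are constructed for this example, and the evaluator is a minimal illustration of first-applicable matching, not a conforming PDP.

```python
"""Paul's suggestion, done in Python instead of XSLT: turn the Contracts
document into explicit XACML 3.0 Permit rules, one per (partner, type) pair,
then check a request against them with a minimal first-applicable evaluator.
Added example, not code from the thread; names marked below are assumptions."""

import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
ET.register_namespace("", XACML)  # serialise with a default xmlns, no ns0: prefixes

# Constructed sample input: the contract document for organisation D from the
# mail, with the unterminated </Partner tag closed.
CONTRACTS_XML = """<Contracts>
  <Partner name="A"><type>1</type><type>2</type><type>4</type></Partner>
  <Partner name="B"><type>2</type><type>3</type><type>4</type></Partner>
  <Partner name="C"><type>1</type><type>5</type></Partner>
</Contracts>"""

# Constructed sample request in the simplified, namespace-free form of the
# mail: a subject of D wants type 2 information held at A.
REQUEST_XML = """<Request>
  <Attributes Category="resource">
    <Attribute AttributeId="partner"><AttributeValue>A</AttributeValue></Attribute>
    <Attribute AttributeId="type"><AttributeValue>2</AttributeValue></Attribute>
  </Attributes>
</Request>"""


def q(local):
    """Clark-notation tag name in the XACML 3.0 namespace."""
    return f"{{{XACML}}}{local}"


def contracts_to_pairs(contracts_xml):
    """The set of (partner, type) pairs the contracts grant."""
    root = ET.fromstring(contracts_xml)
    return {(p.get("name"), t.text.strip())
            for p in root.findall("Partner") for t in p.findall("type")}


def add_match(allof, attribute_id, value):
    """<Match> that string-equals a resource attribute against a literal."""
    m = ET.SubElement(allof, q("Match"), MatchId=STRING_EQUAL)
    ET.SubElement(m, q("AttributeValue"), DataType=STRING).text = value
    ET.SubElement(m, q("AttributeDesignator"), Category=RESOURCE,
                  AttributeId=attribute_id, DataType=STRING, MustBePresent="true")


def contracts_to_policy(contracts_xml, policy_id="contracts-of-D"):
    """One Permit rule per contract pair, then a catch-all Deny rule.
    policy_id and the RuleIds are assumed names for this illustration."""
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=FIRST_APPLICABLE)
    ET.SubElement(policy, q("Target"))  # empty Target: applies to every request
    for partner, typ in sorted(contracts_to_pairs(contracts_xml)):
        rule = ET.SubElement(policy, q("Rule"),
                             RuleId=f"permit-{partner}-type-{typ}", Effect="Permit")
        anyof = ET.SubElement(ET.SubElement(rule, q("Target")), q("AnyOf"))
        allof = ET.SubElement(anyof, q("AllOf"))
        add_match(allof, "partner", partner)
        add_match(allof, "type", typ)
    # No Target on the last rule, so it applies to anything the Permit rules
    # did not cover; with first-applicable the rule order is significant.
    ET.SubElement(policy, q("Rule"), RuleId="deny-everything-else", Effect="Deny")
    return ET.tostring(policy, encoding="unicode")


def resource_attributes(request_xml):
    """AttributeId -> value for the resource category of the simplified request."""
    root = ET.fromstring(request_xml)
    attrs = {}
    for block in root.findall("Attributes"):
        if block.get("Category") == "resource":
            for a in block.findall("Attribute"):
                attrs[a.get("AttributeId")] = a.find("AttributeValue").text.strip()
    return attrs


def evaluate(policy_xml, resource_attrs):
    """Minimal first-applicable evaluation of the policies built above; not a
    general PDP. A rule applies when every Match of some AllOf holds. A missing
    attribute simply fails the Match here, whereas a conforming PDP would
    return Indeterminate because the designators say MustBePresent="true"."""
    ns = {"x": XACML}
    for rule in ET.fromstring(policy_xml).findall("x:Rule", ns):
        target = rule.find("x:Target", ns)
        if target is None:  # no Target: the rule is always applicable
            return rule.get("Effect")
        for allof in target.findall("x:AnyOf/x:AllOf", ns):
            if all(resource_attrs.get(m.find("x:AttributeDesignator", ns).get("AttributeId"))
                   == m.find("x:AttributeValue", ns).text
                   for m in allof.findall("x:Match", ns)):
                return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    policy = contracts_to_policy(CONTRACTS_XML)
    print(policy)
    print("A/2 ->", evaluate(policy, resource_attributes(REQUEST_XML)))  # Permit
    print("A/3 ->", evaluate(policy, {"partner": "A", "type": "3"}))      # Deny
```

The generated policy keeps each contract visible as a separate rule ("permit-A-type-2" and so on), which is what makes it readable for a future administrator; the price is that the policy has to be regenerated whenever a contract changes, and the contracts no longer travel in the request's subject Content at all.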
