Re: [xacml-users] retrieving a list or query filter of resources the caller is authorized for

[Yoichi Takayama <takayama.yoichi@gmail.com>]

You miss my point.

To get the answer you are seeking, the system must ask exactly the same question at some time as the XACML multi-questions Query does.

How are you going to program?

i.e.

To get the list of what the user can do on what resource in what environment, if it is not done inside XACML, the system has to use lists of all Actions, Resources and Environments and arrive at an answer.

Since some values can be dynamic, we cannot have such a list pre-compiled per user and have it ready-to-serve. Also, what the user can do may be different depending on which user interface the user is on at the time the question is asked. Some permissions may not be about Resources, but may be a Category that some Resources are in. Since the system does not have any knowledge about what Categories may exist (that typically will be added as a dynamic Policy), there is no way for making a system that can predict a way to be able to compile a simple list of "all permissions". Also, the Category permission may be dependant on what privilege group the user is in (this is also dynamic and may change at times). Finally, some Attributes may be dynamic, too, so even if the system gets a list, it cannot use it, if the system had no knowledge abut those Attributes (whereas dynamic Attributes are OK, if they are added to both Policies and PIP).

You can see that the XACML makes it possible to answer this question if you specify conditions (Targets) explicitly. The permissions must be asked just prior to when the Decisions are needed.

In all, asking "give me a list of all permissions for a subject" is not a simple matter in Policy-based access control.

If you do not use this Query-Response mechanism, I can't see any easier way to arrive at a Permissions list for a user. Since all are defined in the Policies, you will need a dynamic Policy reader/interpreter to trace all relevant Policies for the user, even on branches which contain Actions and Resources that may not be called at all by the user at the time of the use.

This is much more overhead for the system than asking the full list of relevant multiple questions. I think that this is true for any Policy-based general purpose rule engine.

As I said, if you can, you should avoid a system design which has to ask for "a list of permissions". Access control has long departed from the traditional paradigm of system which has some simple permission lists (often fixed).

Yoichi


On 19/04/2010, at 1:48 AM, Oleg Gryb wrote:

> Let us look at Ralf's use case  again. In essence, it looks like a very simple authz related functionality: "give me a list of all permission for a subject". It seems to me that the only solution that was suggested here was to send all 2000 resources in a PDP request each time when this decision needed. That solution looks inefficient to me.