RE: [xacml-users] Question regarding resource hierarchies

["Nick Duan" <nduan@verizon.net>]

Certainly XACML makes writing policies flexible, but it also creates a lot
of confusions in the real world with how to create effective and consistent
policies, especially when there could be multiple ways to define access
control rules for the same set of resources.  I think taking the resource
structure into consideration in policy creation is a very reasonable
approach.  Does anyone know if any work published on XACML best practices?

Thanks!

ND

-----Original Message-----
From: Erik Rissanen [mailto:erik@axiomatics.com] 
Sent: Thursday, June 09, 2011 4:05 PM
To: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Question regarding resource hierarchies

Laird,

Yes, you are right about that the core XACML specification does not say
anything about how resources operate, are set up, accessed and so on.
That is one of the strengths of XACML. It means that XACML can operate
on any type of resource in any kind of context.

You can compare this with databases and SQL. Regardless of whether you
are implementing a medical application, a financial application, or a
business for custom tailoring, you can still use the same technology and
language. For data storage it is SQL and for authorization it is XACML.

The role of setting up all this it that of the PEP, Policy Enforcement
Point, and the PIP, the Policy Information Point. These provide the
enforcement of the access and the attributes of the resource by which
the decision is made. The PEP and PIP are more environment specific than
the PDP and the XACML language itself.

In practice there are vendors who provide many of these components of
the shelf for you.

Best regards,
Erik

On 06/09/2011 09:12 PM, Laird Nelson wrote:
> This may be a bit off-topic for this list.  If so, please feel free to
> redirect me elsewhere.
>
> From my early-days understanding of the XACML specification, XACML
> specifies how PEPs and PDPs cooperate to render authorization
> decisions based on supplied resources and resource hierarchies (and
> subjects and a few other things).
>
> But none of this specification says anything, right, about setting up
> such resource hierarchies?
>
> So if, in my fictional world, I decide that I'm going to set some
> policies at the department level that should be applied to courses
> (i.e. that subjects employed by the school may edit their own
> departmental assets, of which a course is but one type), then it is
> incumbent upon me to figure out how to send along the proper resource
> to the XACML processors such that they can render a decision.
>
> I guess a final way to phrase my question is: XACML specifies the
> structure of the rules and policies involved, but says nothing about
> how the resources upon which those rules and policies operate are
> stored, set up, accessed, etc.
>
> Please do correct me if I am mistaken.
>
> Best,
> Laird


---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org