xacml-users message



Subject: RE: [xacml-users] Implementing UNIX file system acl using xacml


You could rewrite the business rule as: "Permit unless any value of
attribute01 is less than 2 or is equal to 3 or 4".  That goes into a
rule like:

<!-- Abbreviated FunctionIds written out as the XACML 3.0 URNs; any-of with the
     bag before the primitive value is the 3.0 argument order. -->
<Rule RuleId="rule01" Effect="Permit">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <!-- true if some value of attribute01 is less than 2 -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"/>
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="attribute01"
              DataType="http://www.w3.org/2001/XMLSchema#integer"
              MustBePresent="false"/>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
        </Apply>
        <!-- true if some value of attribute01 equals 3 or 4 -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal"/>
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="attribute01"
              DataType="http://www.w3.org/2001/XMLSchema#integer"
              MustBePresent="false"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
    </Apply>
  </Condition>
</Rule>

You could add a Target element to require at least one value equal to 2
or greater than 4, but that isn't strictly necessary.

Regards,
--Paul
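Added example, not part of the original thread: a small Python model of the XACML 3.0 higher-order bag functions used in the rule above. It pulls the `attribute01` bag out of a constructed request fragment with the same values as the quoted message (2, 4, 2, 5), evaluates the rewritten Condition ("Permit unless any value is less than 2 or equals 3 or 4"), and checks exhaustively over small integer bags that it agrees with the predicate Roberto asked for ("every value is 2 or greater than 4"). The names `Bag`, `any_of`, `all_of` and `any_of_any` are illustrative stand-ins for the XACML URNs, not a real PDP API.

```python
"""Model of XACML 3.0 bag functions; added example, not code from the thread.

Checks that not(or(any-of(integer-less-than, bag, 2),
                   any-of-any(integer-equal, bag, integer-bag(3, 4))))
is equivalent to "for each x in bag: x == 2 or x > 4" on integer bags.
"""
from itertools import product
import xml.etree.ElementTree as ET

INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

# Constructed request fragment (XACML 2.0 request syntax, as in the quoted
# message): four Attribute elements with one AttributeId form a single bag.
REQUEST_XML = """<Resource>
  <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>2</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>4</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>2</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01" DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>5</AttributeValue>
  </Attribute>
</Resource>"""


class Bag(list):
    """An XACML bag: unordered, duplicates kept. A list subclass so the
    higher-order functions can tell a bag argument from a primitive one."""


def bag_from_request(xml_text, attribute_id):
    """Collect every integer AttributeValue of attribute_id into one bag."""
    root = ET.fromstring(xml_text)
    bag = Bag()
    for attr in root.iter("Attribute"):
        if attr.get("AttributeId") == attribute_id and attr.get("DataType") == INTEGER:
            bag.extend(int(v.text.strip()) for v in attr.iter("AttributeValue"))
    return bag


def _bag_index(args):
    bags = [i for i, a in enumerate(args) if isinstance(a, Bag)]
    if len(bags) != 1:
        raise ValueError("any-of/all-of take exactly one bag argument")
    return bags[0]


def any_of(f, *args):
    """3.0 any-of: f holds with some bag element in the bag's position.
    False on an empty bag."""
    i = _bag_index(args)
    return any(f(*args[:i], x, *args[i + 1:]) for x in args[i])


def all_of(f, *args):
    """3.0 all-of: f holds for every bag element. True on an empty bag."""
    i = _bag_index(args)
    return all(f(*args[:i], x, *args[i + 1:]) for x in args[i])


def any_of_any(f, bag1, bag2):
    """3.0 any-of-any: f holds for some pair (x in bag1, y in bag2)."""
    return any(f(x, y) for x in bag1 for y in bag2)


def rewritten_condition(bag):
    """The Condition of rule01: Permit unless some value is < 2 or is 3 or 4."""
    too_small = any_of(lambda a, b: a < b, bag, 2)
    is_3_or_4 = any_of_any(lambda a, b: a == b, bag, Bag([3, 4]))
    return not (too_small or is_3_or_4)


def desired_predicate(bag):
    """What the original question asked for: for each x, x == 2 or x > 4."""
    return all(x == 2 or x > 4 for x in bag)


def equivalent_on_small_integer_bags(max_value=7, max_len=3):
    """Compare both formulations on every bag of up to max_len values drawn
    from 0..max_value, the empty bag included (both are True there)."""
    for n in range(max_len + 1):
        for values in product(range(max_value + 1), repeat=n):
            bag = Bag(values)
            if rewritten_condition(bag) != desired_predicate(bag):
                return False
    return True


if __name__ == "__main__":
    bag = bag_from_request(REQUEST_XML, "attribute01")
    print(bag, rewritten_condition(bag), desired_predicate(bag))
    print(equivalent_on_small_integer_bags())
```

Two caveats the model makes visible. The equivalence depends on the integer data type: "not (x < 2 or x in {3, 4})" only collapses to "x == 2 or x > 4" because no integer lies strictly between 2 and 3 or between 4 and 5, so the same rewrite with the double functions would admit 2.5. And a Rule whose Condition evaluates to False yields NotApplicable rather than Deny, so a combining algorithm or a separate Deny rule is still needed if the request must be refused outright.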

On Fri, 2011-11-18 at 21:23 -0600, Tyson, Paul H wrote:
> No, I see my proposed solution will not work.  I was trying to use 'map' as 'map-reduce'.
> 
> So, testing a bag of values for such complex conditions is not possible with basic XACML.
> 
> But then it is not intended to be a general functional programming language.  It is meant to model common business rules for access control.
> 
> That said, I think the TC should consider some additional built-in functions to cover some cases such as Roberto and Marco have presented.
> 
> Regards,
> --Paul
> 
> -----Original Message-----
> From: Tyson, Paul H 
> Sent: Friday, 18 November, 2011 13:33
> To: Roberto Guanciale; xacml-users@lists.oasis-open.org
> Subject: RE: [xacml-users] Implementing UNIX file system acl using xacml
> 
> Roberto,
> 
> This particular problem has a solution in standard XACML (see attached).  It is not pretty, and probably not very general.
> 
> But to your point about adding user-defined functions to the XACML expression language: that question hasn't come before the TC since I have been a member.  As a policy author I have never run into a situation where the business rules required something that wasn't available in the existing language.  And if I did, I would probably lean toward putting such functions in the host implementation and simply calling them with a FunctionId.  This is the extension mechanism currently defined by the XACML spec.
> 
> Marco mentioned that he wanted the function logic to be visible in the XACML policy itself.  I understand the motivation for that, but the spec must draw the line somewhere between business understandability and usefulness on the one hand, and computer science power and complexity on the other.  My feeling, based on my policy writing experience, is that while the 3.0 spec has some limitations it is solidly a 95-98% solution for business access control purposes.  I would prefer to see it evolve incrementally based on demonstrated need--for example, your case would be helped with a "map-filter" function that returned a bag of values matching a given condition.  Being able to get individual values from a bag would also be a general-purpose capability that is missing from the current expression language.
> 
> Getting back to the original topic of implementing Unix file system permissions in XACML: I think that might also point to some deficiencies that could be remedied without resorting to user functions defined in the policy language.  I will post separately on that topic.
> 
> Regards,
> --Paul
> 
> -----Original Message-----
> From: Roberto Guanciale [mailto:guancio@netfarm.it]
> Sent: Friday, 18 November, 2011 11:40
> To: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml
> 
> Hi,
> I try to simplify our scenario in order to identify whether the issues we encountered depend on our misunderstanding of XACML or on its expressiveness.
> 
> Suppose I check a request that has the (integer-bag) attribute for the resource context defined as follows:
> 
> <Resource>
>   <Attribute AttributeId="attribute01"
>              DataType="http://www.w3.org/2001/XMLSchema#integer">
>     <AttributeValue>2</AttributeValue>
>   </Attribute>
>   <Attribute AttributeId="attribute01"
>              DataType="http://www.w3.org/2001/XMLSchema#integer">
>     <AttributeValue>4</AttributeValue>
>   </Attribute>
>   <Attribute AttributeId="attribute01"
>              DataType="http://www.w3.org/2001/XMLSchema#integer">
>     <AttributeValue>2</AttributeValue>
>   </Attribute>
>   <Attribute AttributeId="attribute01"
>              DataType="http://www.w3.org/2001/XMLSchema#integer">
>     <AttributeValue>5</AttributeValue>
>   </Attribute>
> </Resource>
> 
> Can I express a policy requiring that all elements of the bag must be 2 or greater than 4?
> Namely I want to express a condition that is true if and only if for each x in the attribute holds x == 2 or x > 4.
> 
> Exploiting higher order functions this property can be expressed in several ways, for example:
> 
> all-of(
>       boolean-equal
>       True,
>       map (
>          def f(x) {
>             return (x == 2) or (x > 4)
>          },
>          ResourceAttributeDesignator("attribute01")
>       )
> )
> 
> Our problem is that even if XACML supports higher-order functions, we cannot express a function definition inside the policy XML.
> Clearly, we do not want to define an external function (e.g. using
> Java) that implements the function "f", since this approach breaks the capability of configuring the policy without changing the Java code.
> 
> Are my considerations correct? Since the XACML language is inspired by functional languages, I think that a mechanism to define functions inside the policy should be a desideratum.
> 
> Roberto Guanciale
> Netfarm s.r.l.
> 


