Subject: RE: [xacml] [policy-model]: group membership flattening

Colleagues - This appears to me to fall into the topic of "meta-policy".  If this is true, then we agreed in Redwood City to specify a single meta-policy, while allowing others to define other meta-policies, if they so wished.  The conclusion would be that XACML would specify a single way of resolving the question that Simon raises, while acknowledging that this is just one of a number of possible choices.
 
Personally, I favour relying on information that appears in the request, provided it meets the assurance requirements of the PDP (e.g. signed by a competent authority), because this is more efficient than seeking duplicate information.
 
All the best.  Tim.
 

-----------------------------------------
Tim Moses
Tel: 613.270.3183

 
-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Sunday, October 14, 2001 11:57 PM
To: 'xacml@lists.oasis-open.org'
Subject: [xacml] [policy-model]: group membership flattening

In our last discussion on the policy model conf call a question was raised as to how to compute group closure in the pdp.

I assume that we are using saml protocol (or its extension) for authorization decision queries.

There are several sources for group membership information.
1. It could be provided as evidence in the query itself.
2. pdp could query attribute authorities (1 or more) for the subject group membership.
3. pdp can maintain group hierarchy locally.

Pdp can maintain a policy on how to compute group closure for various subjects and resources.
This policy could specify combinations of 1, 2, and 3.

One policy could be that evidence from the request should be ignored,
and direct group membership should be taken from attribute authorities,
and group hierarchy should be kept in the pdp.
In this case input from 1 is ignored and 2 is used in 3 for closure computation.

Or we can take group membership from the evidence in the request only.

Allowing pdp to specify a policy for group membership computation provides for the most flexibility.

Simon Godik
Crosslogix
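The closure computation Simon outlines (three sources, combined according to a pdp-side policy) and the assurance requirement Tim raises (only believe request evidence from a competent authority) are easy to make concrete. The following is an added example written for this archive page, not code from either author, from the XACML TC, or from any SAML implementation. The group names, the attribute-authority tables, the trusted-issuer set and the `ClosurePolicy` / `Evidence` types are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# --- Constructed sample data (hypothetical names; nothing here comes from the thread) ---

# Source 3: a group hierarchy maintained locally by the pdp.
# Maps a group to the groups it is directly a member of.
LOCAL_HIERARCHY: Dict[str, Set[str]] = {
    "dev-team": {"engineering"},
    "engineering": {"staff"},
    "staff": {"everyone"},
    "contractors": {"everyone"},
}

# Source 2: one or more attribute authorities, each answering
# "which groups is this subject a direct member of?".
ATTRIBUTE_AUTHORITIES: List[Dict[str, Set[str]]] = [
    {"alice": {"dev-team"}, "bob": {"contractors"}},
    {"alice": {"auditors"}},
]

# Issuers whose request evidence the pdp is prepared to believe
# (the assurance requirement from the reply; a real pdp would verify a signature).
TRUSTED_ISSUERS = {"corp-idp"}


@dataclass(frozen=True)
class Evidence:
    """Source 1: a group-membership assertion carried in the query itself."""
    issuer: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class ClosurePolicy:
    """Which of the three sources the pdp consults for a given decision."""
    use_request_evidence: bool
    use_attribute_authorities: bool
    use_local_hierarchy: bool


def direct_groups(subject: str, policy: ClosurePolicy, evidence: Iterable[Evidence],
                  authorities: List[Dict[str, Set[str]]] = ATTRIBUTE_AUTHORITIES) -> Set[str]:
    """Collect direct memberships from whichever sources the policy enables."""
    groups: Set[str] = set()
    if policy.use_request_evidence:
        for ev in evidence:
            if ev.issuer in TRUSTED_ISSUERS:   # evidence from unknown issuers is dropped
                groups |= ev.groups
    if policy.use_attribute_authorities:
        for aa in authorities:
            groups |= aa.get(subject, set())
    return groups


def expand(groups: Iterable[str], hierarchy: Dict[str, Set[str]] = LOCAL_HIERARCHY) -> Set[str]:
    """Transitive closure over the local hierarchy; the visited set keeps cycles safe."""
    closure = set(groups)
    stack = list(closure)
    while stack:
        g = stack.pop()
        for parent in hierarchy.get(g, set()):
            if parent not in closure:
                closure.add(parent)
                stack.append(parent)
    return closure


def group_closure(subject: str, policy: ClosurePolicy,
                  evidence: Iterable[Evidence] = ()) -> FrozenSet[str]:
    """Full group closure for the subject under the given closure policy."""
    direct = direct_groups(subject, policy, evidence)
    if policy.use_local_hierarchy:
        direct = expand(direct)
    return frozenset(direct)


# The two policies described in the message: ignore evidence, take direct
# membership from attribute authorities and expand with the local hierarchy;
# or trust (verified) evidence from the request only.
AA_AND_LOCAL = ClosurePolicy(use_request_evidence=False,
                             use_attribute_authorities=True,
                             use_local_hierarchy=True)
EVIDENCE_ONLY = ClosurePolicy(use_request_evidence=True,
                              use_attribute_authorities=False,
                              use_local_hierarchy=False)

if __name__ == "__main__":
    ev = [Evidence("corp-idp", frozenset({"admins"})),
          Evidence("unknown-issuer", frozenset({"root"}))]
    print(sorted(group_closure("alice", AA_AND_LOCAL, ev)))
    print(sorted(group_closure("alice", EVIDENCE_ONLY, ev)))
```

Under `AA_AND_LOCAL` the request evidence plays no part, so the closure for `alice` is her two direct groups plus everything reachable through the local hierarchy; under `EVIDENCE_ONLY` the attribute authorities are never consulted and only the assertion from a trusted issuer survives. Swapping the three booleans is what lets the pdp express the different combinations of sources without changing the closure algorithm itself.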