Subject: [xacml] How to implement hierarchies in our model


Colleagues - Below you will find some XML instances for policy and assertions, and an XML schema for attributes, to express a hierarchical policy in our model and candidate XACML schema.  You should not look too carefully.  I feel certain that there are better ways of representing the information.  Nevertheless, I hope you will agree that the model is capable of representing policy over hierarchically-ordered attributes.  All the best.  Tim.

1. XACML policy
This XACML instance expresses the Bell-LaPadula "read down" policy.

<?xml version="1.0" encoding="UTF-8"?>
<applicablePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <policy>
                <applicability>
                        <resourceClassification>http://www.someOrganization/classifiedDocument</resourceClassification>
                        <resourceAction>read</resourceAction>
                </applicability>
                <rule>
                        <preCondition>
                                <predicate>
                                        <greaterOrEqual>
                                                <referencedData>
                                                        <roleAttribute>http://www.someOrganization/</roleAttribute>
                                                </referencedData>
                                                <secondOperand>
                                                        <referencedData>
                                                                <resourceClassification>http://www.pep.org ? type=http://www.someIdentifier.org/</resourceClassification>
                                                        </referencedData>
                                                </secondOperand>
                                        </greaterOrEqual>
                                </predicate>
                        </preCondition>
                </rule>
        </policy>
</applicablePolicy>

2. Authentication assertion
This SAML authentication assertion indicates that the person whose password hashes to h5*@fo8/k is Jo Schmo.  The assertion ID is cdefg.

<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" MajorVersion="0" MinorVersion="20" AssertionID="cdefg" Issuer="someOrganization" IssueInstant="13:45. 01 Nov 2001">
        <saml:AuthenticationStatement>
                <saml:Subject>
                        <saml:NameIdentifier SecurityDomain="someOrganization" Name="Jo Schmo"></saml:NameIdentifier>
                </saml:Subject>
                <saml:SubjectConfirmation>
                        <saml:ConfirmationMethod>http://www.oasis-open.org/confirmationRegistry</saml:ConfirmationMethod>
                        <saml:SubjectConfirmationData>h5*@fo8/k</saml:SubjectConfirmationData>
                </saml:SubjectConfirmation>
        </saml:AuthenticationStatement>
</saml:Assertion>

3. Attribute assertion
This SAML attribute assertion indicates that the individual authenticated by assertion cdefg has a TOP SECRET clearance.

<!-- A saml attribute assertion indicating that the principal who can be authenticated by saml authentication assertion "cdefg" has a TOP SECRET clearance  -->

<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" MajorVersion="0" MinorVersion="20" AssertionID="bcdef" Issuer="" IssueInstant="12:00,11 Nov 2001">
        <saml:AssertionSpecifier>
                <saml:AssertionID>cdefg</saml:AssertionID>
        </saml:AssertionSpecifier>
        <saml:Attribute>
                <saml:AttributeValue>http://www.someIdentifier.org/3</saml:AttributeValue>
        </saml:Attribute>
</saml:Assertion>

4. Resource assertion
This SAML resource assertion is an assertion by the PEP that the resource for which access is requested has a SECRET label.

<!-- A saml resource attribute assertion, issued by the PEP indicating that the resource has a SECRET label -->

<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" MajorVersion="0" MinorVersion="20" AssertionID="abcde" Issuer="http://www.pep.org" IssueInstant="13:00;27 Nov 2001">
        <saml:Attribute>
                <saml:AttributeValue>http://www.someIdentifier.org/2</saml:AttributeValue>
        </saml:Attribute>
</saml:Assertion>

5. Attribute schema
This schema indicates that clearance and label attributes are positive integers.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.someIdentifier.org" elementFormDefault="qualified" attributeFormDefault="unqualified">

        <!-- Global attribute declarations: clearance and label values are positive integers -->
        <xs:attribute name="clearance" type="xs:positiveInteger"/>

        <xs:attribute name="label" type="xs:positiveInteger"/>
</xs:schema>



-----------------------------------------
Tim Moses
Tel: 613.270.3183
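The following is an added example, not part of Tim's message: a minimal decision function that reads the clearance and label out of SAML attribute assertions shaped like sections 3 and 4, maps the hierarchical attribute URI (http://www.someIdentifier.org/&lt;n&gt;) to the positive integer the attribute schema prescribes, and evaluates the policy's greaterOrEqual predicate after the applicability check. The assertion XML, the helper names and the fail-closed handling of malformed values are all constructed here.

```python
"""Added example: a tiny PDP for the 'read down' policy in the message.

It parses SAML attribute assertions of the shape shown above (one
saml:Attribute/saml:AttributeValue carrying a level URI such as
http://www.someIdentifier.org/3), maps the URI to the positive integer the
attribute schema prescribes, and evaluates the greaterOrEqual predicate:
permit read when clearance >= label. Names and XML are constructed here."""
import xml.etree.ElementTree as ET

SAML_NS = ("http://www.oasis-open.org/committees/security/docs/"
           "draft-sstc-schema-assertion-19.xsd")
LEVEL_BASE = "http://www.someIdentifier.org/"   # hierarchical attribute space
CLASSIFIED_DOC = "http://www.someOrganization/classifiedDocument"


def assertion(assertion_id, level):
    """Build a constructed attribute assertion like the message's examples."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="{assertion_id}">'
            f'<saml:Attribute><saml:AttributeValue>{LEVEL_BASE}{level}'
            '</saml:AttributeValue></saml:Attribute></saml:Assertion>')


TOP_SECRET_CLEARANCE = assertion("bcdef", 3)   # subject clearance (section 3)
SECRET_LABEL = assertion("abcde", 2)           # resource label (section 4)


def level_of(assertion_xml):
    """Extract the hierarchy level; reject anything outside the schema's
    positiveInteger domain so a malformed assertion cannot pass the test."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f"{{{SAML_NS}}}Attribute/{{{SAML_NS}}}AttributeValue")
    if node is None or not (node.text or "").startswith(LEVEL_BASE):
        raise ValueError("assertion carries no hierarchical attribute value")
    level = int(node.text[len(LEVEL_BASE):])   # ValueError if not numeric
    if level <= 0:
        raise ValueError("level must be a positive integer per the schema")
    return level


def read_down_permitted(clearance_xml, label_xml):
    """The rule's predicate: greaterOrEqual(clearance, label)."""
    return level_of(clearance_xml) >= level_of(label_xml)


def decide(resource_classification, action, clearance_xml, label_xml):
    """Applicability check first, then the rule; any parse error is a Deny."""
    if (resource_classification, action) != (CLASSIFIED_DOC, "read"):
        return "NotApplicable"
    try:
        return "Permit" if read_down_permitted(clearance_xml, label_xml) else "Deny"
    except (ValueError, ET.ParseError):
        return "Deny"
```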