
 



xacml message



Subject: RE: [xacml] How to implement hierarchies in our model


The general problem being discussed is that many existing access control systems imbue certain attributes with special semantics. In contrast, X.509 and SAML, for example, consider that attributes are just name value pairs and special semantics are up to the implementation. Examples of special semantics include: clearances, nested roles and dynamic roles. I feel compelled to point out, in passing, that the hierarchy represented by clearances and the hierarchy represented by nested roles (groups) are completely different from each other.
 
Tim's message represents one of the three choices I suggested for dealing with special attribute semantics.
 
1. Express the semantics explicitly using the XACML policy model language.
 
Tim has shown that this can be done and also that it is likely to lead to complicated looking policies that would likely be repeated over and over again. Possibly this could be addressed with some kind of Macro facility. The major advantage is that there is just one policy language (contrast 3 below).
 
2. Pick some important cases and define the semantics in English as a "built-in" feature of the language.
 
This would provide a cleaner language and probably more efficient processing. However we would have to arbitrarily pick some cases and reject others, which no doubt some people would object to. There would be no way for others to add what we had left out or create minor variations, except as in 1 above.
 
3. Define a way of specifying these special semantics.
 
This would allow others to extend XACML as they see fit. Presumably we would pick some important cases as in 2 and specify them. There would be two policy languages, but most people would not use the second one or need to understand it. The main concern in my mind is I have very little idea what this would look like.
 
There may of course be other approaches as well.
 
Hal
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Tuesday, November 27, 2001 4:42 PM
To: 'XACML'
Subject: [xacml] How to implement hierarchies in our model

Colleagues - Below you will find some XML instances for policy and assertions, and XML schema for attributes to express a hierarchical policy in our model and candidate XACML schema.  You should not look too carefully.  I feel certain that there are better ways of representing the information.  Nevertheless, I hope you will agree that the model is capable of representing policy over hierarchically-ordered attributes.  All the best.  Tim.

1. XACML policy
This XACML instance expresses the Bell-LaPadula "read down" policy.

<?xml version="1.0" encoding="UTF-8"?>
<applicablePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <policy>
                <applicability>
                        <resourceClassification>http://www.someOrganization/classifiedDocument</resourceClassification>
                        <resourceAction>read</resourceAction>
                </applicability>
                <rule>
                        <preCondition>
                                <predicate>
                                        <greaterOrEqual>
                                                <referencedData>
                                                        <roleAttribute>http://www.someOrganization/</roleAttribute>
                                                </referencedData>
                                                <secondOperand>
                                                        <referencedData>
                                                                <resourceClassification>http://www.pep.org ? type=http://www.someIdentifier.org/</resourceClassification>
                                                        </referencedData>
                                                </secondOperand>
                                        </greaterOrEqual>
                                </predicate>
                        </preCondition>
                </rule>
        </policy>
</applicablePolicy>

2. Authentication assertion
This SAML authentication assertion indicates that the person whose password hashes to h5*@fo8/k is Jo Schmo.  The assertion ID is cdefg.

<?xml version="1.0" encoding="UTF-8"?>
<!-- The saml prefix is declared on the assertion itself so the instance has a single root element -->
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" MajorVersion="0" MinorVersion="20" AssertionID="cdefg" Issuer="someOrganization" IssueInstant="13:45. 01 Nov 2001">
        <saml:AuthenticationStatement>
                <saml:Subject>
                        <saml:NameIdentifier SecurityDomain="someOrganization" Name="Jo Schmo"/>
                </saml:Subject>
                <saml:SubjectConfirmation>
                        <saml:ConfirmationMethod>http://www.oasis-open.org/confirmationRegistry</saml:ConfirmationMethod>
                        <saml:SubjectConfirmationData>h5*@fo8/k</saml:SubjectConfirmationData>
                </saml:SubjectConfirmation>
        </saml:AuthenticationStatement>
</saml:Assertion>

3. Attribute assertion
This SAML attribute assertion indicates that the individual authenticated by assertion cdefg has a TOP SECRET clearance.

<?xml version="1.0" encoding="UTF-8"?>
<!-- A saml attribute assertion indicating that the principal who can be authenticated by saml authentication assertion "cdefg" has a TOP SECRET clearance -->
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" MajorVersion="0" MinorVersion="20" AssertionID="bcdef" Issuer="" IssueInstant="12:00,11 Nov 2001">
        <saml:AssertionSpecifier>
                <saml:AssertionID>cdefg</saml:AssertionID>
        </saml:AssertionSpecifier>
        <saml:Attribute>
                <saml:AttributeValue>http://www.someIdentifier.org/3</saml:AttributeValue>
        </saml:Attribute>
</saml:Assertion>

4. Resource assertion
This SAML resource assertion is an assertion by the PEP that the resource for which access is requested has a SECRET label.

<?xml version="1.0" encoding="UTF-8"?>
<!-- A saml resource attribute assertion, issued by the PEP, indicating that the resource has a SECRET label -->
<saml:Assertion xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" MajorVersion="0" MinorVersion="20" AssertionID="abcde" Issuer="http://www.pep.org" IssueInstant="13:00;27 Nov 2001">
        <saml:Attribute>
                <saml:AttributeValue>http://www.someIdentifier.org/2</saml:AttributeValue>
        </saml:Attribute>
</saml:Assertion>

5. Attribute schema
This schema indicates that clearance and label attributes are positive integers.

<?xml version="1.0" encoding="UTF-8"?>
<!-- targetNamespace is an attribute of xs:schema; the two attributes are declared globally -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.someIdentifier.org" elementFormDefault="qualified" attributeFormDefault="unqualified">

        <xs:attribute name="clearance" type="xs:positiveInteger"/>

        <xs:attribute name="label" type="xs:positiveInteger"/>

</xs:schema>



-----------------------------------------
Tim Moses
Tel: 613.270.3183
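An added worked example, not part of Tim's or Hal's messages: a small Python evaluator for the "read down" rule in Tim's policy sketch (Hal's option 1, with the comparison semantics spelled out in code so the policy itself stays a plain greaterOrEqual over two attributes), followed by Hal's point that the clearance hierarchy and a nested-role hierarchy are different structures. The policy instance, the attribute values and the role graph are constructed for this example; element names follow Tim's sketch, the URI placeholders in his referencedData elements are replaced by the attribute names "clearance" and "label", and the assumption that the level is the integer in the last path segment of the attribute-value URI is mine, not the thread's.

```python
# Added example (not from the thread): evaluate Tim's "read down" rule and
# contrast the clearance order with a nested-role hierarchy.
import xml.etree.ElementTree as ET

# Constructed policy instance. Element names follow Tim's sketch; the two
# URI placeholders in his referencedData elements are replaced here with the
# attribute names "clearance" and "label" (an assumption for this example).
POLICY_XML = """<applicablePolicy>
  <policy>
    <applicability>
      <resourceClassification>http://www.someOrganization/classifiedDocument</resourceClassification>
      <resourceAction>read</resourceAction>
    </applicability>
    <rule>
      <preCondition>
        <predicate>
          <greaterOrEqual>
            <referencedData><roleAttribute>clearance</roleAttribute></referencedData>
            <secondOperand>
              <referencedData><resourceClassification>label</resourceClassification></referencedData>
            </secondOperand>
          </greaterOrEqual>
        </predicate>
      </preCondition>
    </rule>
  </policy>
</applicablePolicy>"""

# Constructed attribute values in the form Tim's assertions use. Assumption:
# the level is the integer in the last path segment (3 = TOP SECRET, 2 = SECRET).
SUBJECT_ATTRS = {"clearance": "http://www.someIdentifier.org/3"}
RESOURCE_ATTRS = {"label": "http://www.someIdentifier.org/2"}

# Comparison operators the evaluator understands, keyed by element name.
COMPARATORS = {
    "greaterOrEqual": lambda a, b: a >= b,
    "greater": lambda a, b: a > b,
    "equal": lambda a, b: a == b,
}


def level_of(value_uri):
    """Positive-integer level encoded in the attribute value URI (see assumption above)."""
    return int(value_uri.rstrip("/").rsplit("/", 1)[-1])


def evaluate(policy_xml, subject_attrs, resource_attrs, action="read"):
    """Evaluate the single rule: returns 'permit', 'deny' or 'not-applicable'."""
    root = ET.fromstring(policy_xml)
    if root.findtext("policy/applicability/resourceAction") != action:
        return "not-applicable"
    # The predicate's first child is the comparison element, e.g. <greaterOrEqual>.
    comparison = root.find("policy/rule/preCondition/predicate")[0]
    compare = COMPARATORS[comparison.tag]
    # First operand: the referencedData directly under the comparison (Tim's layout);
    # second operand: the referencedData wrapped in <secondOperand>.
    subject_attr = comparison.find("referencedData/roleAttribute").text
    resource_attr = comparison.find("secondOperand/referencedData/resourceClassification").text
    subject_level = level_of(subject_attrs[subject_attr])
    resource_level = level_of(resource_attrs[resource_attr])
    return "permit" if compare(subject_level, resource_level) else "deny"


# Constructed nested-role graph: each role maps to the roles it includes.
# Unlike clearances this is only a partial order: manager and auditor are
# incomparable, so no integer ranking plus >= reproduces it.
ROLE_INCLUDES = {
    "manager": {"staff"},
    "auditor": {"staff"},
    "staff": set(),
}


def holds_role(granted, required, includes=ROLE_INCLUDES):
    """True when the granted role is, or transitively includes, the required role."""
    seen, frontier = set(), [granted]
    while frontier:
        role = frontier.pop()
        if role == required:
            return True
        if role not in seen:
            seen.add(role)
            frontier.extend(includes.get(role, ()))
    return False


if __name__ == "__main__":
    print(evaluate(POLICY_XML, SUBJECT_ATTRS, RESOURCE_ATTRS))               # permit
    print(holds_role("manager", "staff"), holds_role("manager", "auditor"))  # True False
```

The clearance comparison is a single integer test only because Tim's schema makes the clearance set totally ordered; holds_role has to walk the role graph because nested roles form a partial order, which is the distinction Hal draws between the two hierarchies.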




