[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] Policy composition using XACML
Colleagues - Originally, I had thought we were to rule meta-policy out of scope. But, many of our issues appear to centre around this topic. So, here is some text that explains how the proposed language is used for composing policies in accordance with a meta-policy. All the best. Tim.
XACML may be used to express a "meta" policy. That is, it can describe how to compose a single policy from separate policies with an identical target. For example, Meta-policy X states "If the result of evaluating Policy A is "not grant", then do not grant, otherwise evaluate Policy B".
A Policy may be referenced in a meta-policy either by "name" or by the combination of its "issuer" and "target".
Meta-policy X is expressed in XACML as:
<and><policy>Policy A</policy><policy><Policy B></policy></and>
The composed policy may be formed by substituting the referenced policies into the meta-policy statement. Alternatively, they can be left as separate policies and meta-policy.
Any meta-policy can be formed using the tags defined in the XACML schema.
The schema for the "policy" element is:
<element name="policy">
<complexType>
<choice>
<policyIdentifier>
<policySource>
</choice>
</complexType>
</element>
<element name="policyIdneitifer"><xsd:anyURI></element>
<element name="policySource">
<complexType>
<sequence>
<policyIssuer>
<policyTarget>
</sequence>
</complexType>
</element>
<element name="policyIssuer"><xsd:anyURI></element>
where the URI contains the name of the issuer of the XACML instance determined from the authentication scheme used to authenticate the source of the policy. And, policyTarget is imported from XACML.
-----------------------------------------
Tim Moses
Tel: 613.270.3183
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC