Subject: [xacml] [model] implementing global "deny" using 0.8 and meta-policies


Implementing global "deny" semantics using schema 0.8 and meta-policies

USE CASE: policy is to deny access to Principal "Anne Anderson"
under all conditions.  The policy is distributed across many
sub-policies, which are all combined to produce the global policy
that is to be applied.

Michiharu's concern was with needing to put something like

  <not>
    <equal>
       <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
       <value>"Anne Anderson"</value>
    </equal>
  </not>

into every sub-policy if there was no global "deny" syntax.

My proposed solution depends on the idea of having meta-policies.
I think meta-policies solve multiple problems:

  1. "where do I get policies",
  2. knowing when you have obtained all the relevant policies,
  3. knowing how to combine policies,
  4. being able to implement global "deny"

and meta-policies do not introduce any new syntax.  It is just
very explicit in specifying what "applicable policy" means.

SOLUTION

Each PDP (or PRP) needs to be configured with a single
policy that serves as that PDP's "meta-policy".  The syntax of
this single policy is exactly that in 0.8.

This "meta-policy" determines where and under what conditions
various sub-policies are retrieved.

I may not be using <externalFunction> correctly, or the
subpolicies may need more enclosing namespace information, but I
hope these examples will give the idea.  The final example shows
how global "deny" semantics are implemented.

EXAMPLE SIMPLE META-POLICY FOR DISTRIBUTED POLICIES:

  <?xml version="1.0" encoding="UTF-8"?>
  <applicablePolicy
   xmlns=... 
   issuer="<identity that ultimately controls policy for this PDP>"
   policyName="...">

    <!-- target omitted, since this policy applies to all targets -->
    <policy>
      <and>
        <externalFunction>http://www.site1/policy1.xml</externalFunction>
        <externalFunction>http://www.site2/policy2.xml</externalFunction>
        ...
      </and>
    </policy>
  </applicablePolicy>

What is found at each of the <externalFunction> locations is
another <applicablePolicy>, which may be more specific as to
which resources it applies to (that applicablePolicy in turn may
refer to still other policies).  If one of these
<applicablePolicy> elements does not apply to the current
request, then the result is "does not apply" and does not affect
the result of the <and> evaluation.

META-POLICY THAT USES SUB-POLICIES BASED ON RESOURCE

  <?xml version="1.0" encoding="UTF-8"?>
  <applicablePolicy
   xmlns=... 
   issuer="<identity that ultimately controls policy for this PDP>"
   policyName="...">

    <!-- target omitted, since this policy applies to all targets -->
    <policy>
      <or>
        <and>
          <equal>
            <valueRef>saml:Resource</valueRef>
            <value>"file:/host1/*"</value>
          </equal>
          <externalFunction>http://www.site1/policy1.xml</externalFunction>
        </and>
        <and>
          <equal>
            <valueRef>saml:Resource</valueRef>
            <value>"file:/host2/*"</value>
          </equal>
          <externalFunction>http://www.site2/policy2.xml</externalFunction>
        </and>
        ...
      </or>
    </policy>
  </applicablePolicy>

META-POLICY THAT IMPLEMENTS GLOBAL DENY SEMANTICS

  <?xml version="1.0" encoding="UTF-8"?>
  <applicablePolicy
   xmlns=... 
   issuer="<identity that ultimately controls policy for this PDP>"
   policyName="...">

    <!-- target omitted, since this policy applies to all targets -->
    <policy>
      <and>
        <not>
          <equal>
            <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
            <value>"Anne Anderson"</value>
          </equal>
        </not>
        <or>
          <and>
            <equal>
              <valueRef>saml:Resource</valueRef>
              <value>"file:/host1/*"</value>
            </equal>
            <externalFunction>http://www.site1/policy1.xml</externalFunction>
          </and>
          <and>
            <equal>
              <valueRef>saml:Resource</valueRef>
              <value>"file:/host2/*"</value>
            </equal>
            <externalFunction>http://www.site2/policy2.xml</externalFunction>
          </and>
          ...
        </or>
      </and>
    </policy>
  </applicablePolicy>

For administrative ease in a more realistic situation, the set of
globally denied attribute/value combinations would be placed in
one <externalFunction> policy.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
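The following is an added illustration, not code from the post or from any XACML 0.8 implementation: a small Python evaluator for the combination semantics the three meta-policies above rely on. It covers the first meta-policy's rule that a sub-policy which "does not apply" is ignored by <and>, the resource-keyed <or> of the second, and the <not> at the top of the third that gives the global deny. Assumptions, none of which the post states: element names are exactly those in the post with no namespace; a sub-policy may carry one test under a <target> child (the post omits targets, so this shape is assumed); the entity attribute on <valueRef> is not interpreted; values such as "file:/host1/*" are matched as shell-style globs; the <externalFunction> URLs are resolved from an in-memory dict standing in for fetching, with the sub-policy contents and the "meta:..." keys constructed here; and a fourth result, "indeterminate", is added for a missing request attribute or an unresolvable reference, because with only permit/deny/does-not-apply the <not><equal>...</equal></not> test would turn a request with no principal name into a permit.

```python
import fnmatch
import xml.etree.ElementTree as ET

PERMIT, DENY, NA = "permit", "deny", "not-applicable"
# INDET is not in the post: a test whose attribute is missing (or an unresolvable
# reference) yields it, so that <not> cannot turn "unknown" into "permit".
INDET = "indeterminate"
PRINCIPAL = "saml:Subject/NameIdentifier/Name"
RESOURCE = "saml:Resource"

def combine_and(results):
    """<and>: a sub-policy that does not apply is ignored, as the post says."""
    applicable = [r for r in results if r != NA]
    if not applicable:
        return NA
    if DENY in applicable:
        return DENY
    return INDET if INDET in applicable else PERMIT

def combine_or(results):
    applicable = [r for r in results if r != NA]
    if not applicable:
        return NA
    if PERMIT in applicable:
        return PERMIT
    return INDET if INDET in applicable else DENY

def negate(result):
    return {PERMIT: DENY, DENY: PERMIT}.get(result, result)  # NA, INDET unchanged

class MetaPolicyEvaluator:
    """Evaluates a PDP's meta-policy for a request (dict: attribute -> value),
    resolving <externalFunction> URLs from an in-memory store (assumed here)."""
    MAX_DEPTH = 8  # sub-policies may reference each other; refuse cycles

    def __init__(self, store):
        self.store = store

    def decide(self, meta_url, request):
        return self._applicable(self.store[meta_url], request, 0)

    def _applicable(self, xml_text, request, depth):
        if depth > self.MAX_DEPTH:
            raise RecursionError("policy reference chain too deep (cycle?)")
        root = ET.fromstring(xml_text.strip())
        target = root.find("target")  # assumed shape: one test under <target>
        if target is not None:
            matched = self._expr(target[0], request, depth)
            if matched == INDET:
                return INDET
            if matched != PERMIT:
                return NA  # the post's "does not apply"
        return self._expr(root.find("policy")[0], request, depth)

    def _expr(self, node, request, depth):
        if node.tag == "and":
            return combine_and([self._expr(c, request, depth) for c in node])
        if node.tag == "or":
            return combine_or([self._expr(c, request, depth) for c in node])
        if node.tag == "not":
            return negate(self._expr(node[0], request, depth))
        if node.tag == "equal":
            ref = node.find("valueRef").text.strip()
            pattern = node.find("value").text.strip().strip('"')
            if ref not in request:
                return INDET
            return PERMIT if fnmatch.fnmatchcase(request[ref], pattern) else DENY
        if node.tag == "externalFunction":
            url = node.text.strip()
            if url not in self.store:
                return INDET  # an unreachable sub-policy must never read as permit
            return self._applicable(self.store[url], request, depth + 1)
        raise ValueError(f"unsupported element <{node.tag}>")

def equal(ref, value):
    """An <equal> test written the way the post writes them (quoted value)."""
    return f'<equal><valueRef>{ref}</valueRef><value>"{value}"</value></equal>'

# Constructed policy store standing in for the post's URLs; nothing is fetched.
POLICY_STORE = {
    "http://www.site1/policy1.xml": f"""<applicablePolicy issuer="site1" policyName="host1">
  <target>{equal(RESOURCE, 'file:/host1/*')}</target>
  <policy><or>{equal(PRINCIPAL, 'Anne Anderson')}{equal(PRINCIPAL, 'Bob Baker')}</or></policy>
</applicablePolicy>""",
    "http://www.site2/policy2.xml": f"""<applicablePolicy issuer="site2" policyName="host2">
  <target>{equal(RESOURCE, 'file:/host2/*')}</target>
  <policy>{equal(PRINCIPAL, 'Anne Anderson')}</policy>
</applicablePolicy>""",
    "meta:simple": """<applicablePolicy issuer="pdp-owner" policyName="simple-meta">
  <policy><and><externalFunction>http://www.site1/policy1.xml</externalFunction>
  <externalFunction>http://www.site2/policy2.xml</externalFunction></and></policy>
</applicablePolicy>""",
    "meta:global-deny": f"""<applicablePolicy issuer="pdp-owner" policyName="global-deny-meta">
  <policy><and><not>{equal(PRINCIPAL, 'Anne Anderson')}</not><or>
    <and>{equal(RESOURCE, 'file:/host1/*')}<externalFunction>http://www.site1/policy1.xml</externalFunction></and>
    <and>{equal(RESOURCE, 'file:/host2/*')}<externalFunction>http://www.site2/policy2.xml</externalFunction></and>
  </or></and></policy>
</applicablePolicy>""",
}
```

Usage: `MetaPolicyEvaluator(POLICY_STORE).decide("meta:global-deny", {PRINCIPAL: "Anne Anderson", RESOURCE: "file:/host1/doc"})` returns "deny", while the same request against "meta:simple" returns "permit" because policy1 permits her and policy2 does not apply; that contrast is the whole point of the third meta-policy. Two things to keep in mind when turning this into a real PDP: a request the sub-policies cover but no policy decides comes back as not-applicable (Bob on a host3 resource under "meta:simple"), and the PDP must map that, like indeterminate, to a refusal rather than to access; and since the sub-policies arrive from the URLs named in <externalFunction>, the PDP has to verify that each fetched document really comes from the issuer it claims before combining it, or a single tampered sub-policy rewrites the global decision.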