Subject: RE: [xacml] [model] implementing global "deny" using 0.8 and meta-policies
Colleagues - For the record, I support Anne's proposal. I think we might consider some minor schema changes to better accommodate the described approach. But, in principle, I am in favour. Can we hear from anyone who feels that this approach is inadequate? Naturally, a well-reasoned explanation of its deficiencies would be most helpful. Thanks a lot. All the best. Tim.
-----------------------------------------
Tim Moses
Tel: 613.270.3183
-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Thursday, January 17, 2002 3:46 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] [model] implementing global "deny" using 0.8 and meta-policies
Implementing global "deny" semantics using schema 0.8 and meta-policies
USE CASE: policy is to deny access to Principal "Anne Anderson"
under all conditions. The policy is distributed across many
sub-policies, which are all combined to produce the global policy
that is to be applied.
Michiharu's concern was with needing to put something like
    <not>
      <equal>
        <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
        <value>"Anne Anderson"</value>
      </equal>
    </not>
into every sub-policy if there was no global "deny" syntax.
My proposed solution depends on the idea of having meta-policies.
I think meta-policies solve multiple problems:
1. "where do I get policies",
2. knowing when you have obtained all the relevant policies,
3. knowing how to combine policies,
4. being able to implement global "deny",
and meta-policies do not introduce any new syntax. They are just
very explicit in specifying what "applicable policy" means.
SOLUTION
Each PDP (or PRP) needs to be configured with a single
policy that serves as that PDP's "meta-policy". The syntax of
this single policy is exactly that in 0.8.
This "meta-policy" determines where and under what conditions
various sub-policies are retrieved.
I may not be using <externalFunction> correctly, or the
subpolicies may need more enclosing namespace information, but I
hope these examples will give the idea. The final example shows
how global "deny" semantics are implemented.
EXAMPLE SIMPLE META-POLICY FOR DISTRIBUTED POLICIES:
    <?xml version="1.0" encoding="UTF-8"?>
    <applicablePolicy
        xmlns=...
        issuer="<identity that ultimately controls policy for this PDP>"
        policyName="...">
      <!-- target omitted, since this policy applies to all targets -->
      <policy>
        <and>
          <externalFunction>http://www.site1/policy1.xml</externalFunction>
          <externalFunction>http://www.site2/policy2.xml</externalFunction>
          ...
        </and>
      </policy>
    </applicablePolicy>
What is found at each of the <externalFunction> locations is
another <applicablePolicy>, which may be more specific as to
which resources it applies to (that applicablePolicy in turn may
refer to still other policies). If one of these
<applicablePolicy> elements does not apply to the current
request, then the result is "does not apply" and does not affect
the result of the <and> evaluation.
META-POLICY THAT USES SUB-POLICIES BASED ON RESOURCE
    <?xml version="1.0" encoding="UTF-8"?>
    <applicablePolicy
        xmlns=...
        issuer="<identity that ultimately controls policy for this PDP>"
        policyName="...">
      <!-- target omitted, since this policy applies to all targets -->
      <policy>
        <or>
          <and>
            <equal>
              <valueRef>saml:Resource</valueRef>
              <value>"file:/host1/*"</value>
            </equal>
            <externalFunction>http://www.site1/policy1.xml</externalFunction>
          </and>
          <and>
            <equal>
              <valueRef>saml:Resource</valueRef>
              <value>"file:/host2/*"</value>
            </equal>
            <externalFunction>http://www.site2/policy2.xml</externalFunction>
          </and>
          ...
        </or>
      </policy>
    </applicablePolicy>
META-POLICY THAT IMPLEMENTS GLOBAL DENY SEMANTICS
    <?xml version="1.0" encoding="UTF-8"?>
    <applicablePolicy
        xmlns=...
        issuer="<identity that ultimately controls policy for this PDP>"
        policyName="...">
      <!-- target omitted, since this policy applies to all targets -->
      <policy>
        <and>
          <not>
            <equal>
              <valueRef entity="principal">saml:Subject/NameIdentifier/Name</valueRef>
              <value>"Anne Anderson"</value>
            </equal>
          </not>
          <or>
            <and>
              <equal>
                <valueRef>saml:Resource</valueRef>
                <value>"file:/host1/*"</value>
              </equal>
              <externalFunction>http://www.site1/policy1.xml</externalFunction>
            </and>
            <and>
              <equal>
                <valueRef>saml:Resource</valueRef>
                <value>"file:/host2/*"</value>
              </equal>
              <externalFunction>http://www.site2/policy2.xml</externalFunction>
            </and>
            ...
          </or>
        </and>
      </policy>
    </applicablePolicy>
For administrative ease in a more realistic situation, the set of
globally denied attribute/value combinations would be placed in
one <externalFunction> policy.
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
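As an added illustration (not part of Anne's post or of any XACML TC draft), the following Python evaluator applies the three-valued <and>/<or>/<not> semantics the post describes to a tuple-encoded form of the global-deny meta-policy above: a sub-policy whose target does not match yields "does not apply" and is ignored, while the <not><equal>principal</equal></not> clause forces a deny for the named principal whatever the sub-policies say. The tuple encoding, the in-memory POLICY_STORE standing in for the <externalFunction> URLs, the sub-policies behind them and the request dictionaries are all assumptions constructed for this example.

```python
import fnmatch

PERMIT, DENY, NA = "permit", "deny", "not-applicable"
# Constructed stand-in for the documents behind the <externalFunction> URLs:
# each entry is an <applicablePolicy> with its own target and policy expression.
POLICY_STORE = {
    "http://www.site1/policy1.xml": {
        "target": {"resource": "file:/host1/*"},
        "policy": ("equal", "action", "read")},
    "http://www.site2/policy2.xml": {
        "target": {"resource": "file:/host2/public/*"},  # narrower than the meta-policy's match
        "policy": ("or", [("equal", "action", "read"), ("equal", "action", "write")])},
}
# The global-deny meta-policy from the post, as a tuple tree (assumed encoding).
GLOBAL_DENY_META_POLICY = ("and", [
    ("not", ("equal", "principal", "Anne Anderson")),
    ("or", [
        ("and", [("equal", "resource", "file:/host1/*"),
                 ("external", "http://www.site1/policy1.xml")]),
        ("and", [("equal", "resource", "file:/host2/*"),
                 ("external", "http://www.site2/policy2.xml")]),
    ]),
])

def _combine(results, decisive):
    """<and>/<or>: operands that do not apply are ignored, as the post says;
    'decisive' is the value that settles the result as soon as it appears."""
    applicable = [r for r in results if r != NA]
    if not applicable:
        return NA
    other = DENY if decisive == PERMIT else PERMIT
    return decisive if decisive in applicable else other

def evaluate(node, request, store=POLICY_STORE):
    kind = node[0]
    if kind == "equal":   # <equal><valueRef>attr</valueRef><value>pattern</value></equal>
        return PERMIT if fnmatch.fnmatchcase(request.get(node[1], ""), node[2]) else DENY
    if kind == "not":
        r = evaluate(node[1], request, store)
        return NA if r == NA else (DENY if r == PERMIT else PERMIT)
    if kind == "and":
        return _combine([evaluate(n, request, store) for n in node[1]], DENY)
    if kind == "or":
        return _combine([evaluate(n, request, store) for n in node[1]], PERMIT)
    if kind == "external":   # fetch the referenced <applicablePolicy>, check its target first
        sub = store[node[1]]
        if not all(fnmatch.fnmatchcase(request.get(a, ""), p) for a, p in sub["target"].items()):
            return NA        # target does not match: "does not apply"
        return evaluate(sub["policy"], request, store)
    raise ValueError(f"unknown policy node: {kind}")
```

Note that when a sub-policy's own target is narrower than the meta-policy's resource match (policy2 here), that branch's only applicable operand is the resource match itself, so the branch evaluates to permit on its own; a deployer would want to review each such branch.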