OASIS Mailing List Archives: xacml message
Subject: RE: [xacml] We resolve ...


Pierangela asks the question ...

"Now for instance, suppose you want to enforce a situation in which any of
us can grant authorizations and, possibly, denials for some access and
a denial-takes-precedence policy should be enforced (meaning it is sufficient
that one of us says "deny" (because of a negative authorization), and the
access should be rejected). How do you enforce this? You cannot have the
different administrators operate on the applicable policy (meaning
actually have writing privilege on that document)."

This is how ...

Each policy administrator writes an applicable policy like this ...

<and>

<!-- other stuff goes here -->

        <not>
                <equal>
                        <valueRef attributeName="saml/nameIdentifier/name"/>
                        <value>BadGuy</value>
                </equal>
        </not>
</and>

Using the individual applicable policies, the PRP constructs a combined applicable policy that looks like this ...

<and>

<!-- other stuff goes here -->

        <not>
                <or>
                        <equal>
                                <valueRef attributeName="saml/nameIdentifier/name"/>
                                <value>BadGuy</value>
                        </equal>
                        <equal>
                                <valueRef attributeName="saml/nameIdentifier/name"/>
                                <value>OtherBadGuy</value>
                        </equal>
                </or>
        </not>
</and>

All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183
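As an added illustration (not code from this thread or from the XACML project), a small Python evaluator for the <and>/<or>/<not>/<equal> fragments above, together with the PRP combination step the message describes: each administrator's deny condition is collected, OR-ed and negated, so a single deny is enough to reject the access. Element names follow the draft syntax used in the message; the request is a constructed dictionary keyed by attribute name.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "saml/nameIdentifier/name"

# Constructed sample: the two administrators' individual applicable policies,
# shaped like the fragment in the message (without the "other stuff" comment).
ADMIN_POLICIES = [
    f'<and><not><equal><valueRef attributeName="{NAME_ATTR}"/>'
    '<value>BadGuy</value></equal></not></and>',
    f'<and><not><equal><valueRef attributeName="{NAME_ATTR}"/>'
    '<value>OtherBadGuy</value></equal></not></and>',
]

def resolve(node, request):
    """Operand of <equal>: a request-attribute lookup or a literal value."""
    if node.tag == "valueRef":
        return request.get(node.attrib["attributeName"])
    if node.tag == "value":
        return node.text
    raise ValueError(f"unsupported operand <{node.tag}>")

def evaluate(node, request):
    """True means the condition holds, i.e. the access is permitted."""
    if node.tag == "and":
        return all(evaluate(c, request) for c in node)
    if node.tag == "or":
        return any(evaluate(c, request) for c in node)
    if node.tag == "not":
        (child,) = list(node)  # <not> takes exactly one operand
        return not evaluate(child, request)
    if node.tag == "equal":
        left, right = (resolve(c, request) for c in node)
        return left == right
    raise ValueError(f"unsupported element <{node.tag}>")

def combine_deny_takes_precedence(policies):
    """PRP step from the message: OR every administrator's deny condition
    (the operand of its top-level <not>), then negate the disjunction."""
    root = ET.Element("and")
    disjunction = ET.SubElement(ET.SubElement(root, "not"), "or")
    for policy in policies:
        disjunction.append(ET.fromstring(policy).find("not/*"))
    return root

def decide(policy, name):
    """Evaluate a policy (XML string or element) for a requester named `name`."""
    node = ET.fromstring(policy) if isinstance(policy, str) else policy
    return "permit" if evaluate(node, {NAME_ATTR: name}) else "deny"
```

Calling `decide(ADMIN_POLICIES[0], "OtherBadGuy")` returns "permit" because the first administrator never mentioned that name, while `decide(combine_deny_takes_precedence(ADMIN_POLICIES), "OtherBadGuy")` returns "deny".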


-----Original Message-----
From: Pierangela Samarati [mailto:samarati@pinky.crema.unimi.it]
Sent: Monday, January 21, 2002 2:54 PM
To: Carlisle Adams
Cc: 'XACML'
Subject: RE: [xacml] We resolve ...


Hi

>  Should Hal and I interpret the silence to mean that everyone is ready
> to vote in favour of Tim's proposals?

I agree with the fact that the current proposal is able to implement the
global deny scenario. No doubt about that: if your restrictions (i.e., the
deny you want to enforce) are ANDed with the other possible policies nobody
will be able to overrule your restrictions.

The reason why I am not too excited with the current proposal is that it
seems perfectly fine for communicating policies, but it seems complex to
manage.

First of all, you have to make sure that the applicable policy is in a
single place (sure, possibly using URLs of other policies) but you cannot
allow overlapping targets (which seemed to be the case till now, I
believe).

Second, the priority of your rules is explicitly managed with the policy
definition, which may make administration heavy. Who is in charge of
specifying the applicable policy? This will be the only one able to
specify global deny: if I understand Tim/Anne's proposals correctly,
possible negative authorizations in other policies have the effect only
within that policy (this is fine with me, it seems conceptually clean).

Now for instance, suppose you want to enforce a situation in which any of
us can grant authorizations and, possibly, denials for some access and
a denial-takes-precedence policy should be enforced (meaning it is sufficient
that one of us says "deny" (because of a negative authorization), and the
access should be rejected). How do you enforce this? You cannot have the
different administrators operate on the applicable policy (meaning
actually have writing privilege on that document).

I am not sure I will be in for the concall (if I can I will stay for the
beginning). I have already talked to Ernesto, who will participate. The plan
should be to go over the issues to see champions and prepare for the F2F. If
time allows, discuss Anne/Tim's proposals and maybe postconditions, which
were never discussed in detail.

best
-p
P.S. Simon, have you circulated the alternative approach we talked about
in the last concall?

