[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] [model] Proposal of Post Condition
Hi, Bill
> forgetting for a moment the syntactic issues with the term 'post
> condition' itself, i have a fundamental problem with the concept of MUST
> BE COMPLETED as a result of granting access. this implies that if the
> action does not occur the access should not be granted. that makes it a
> precondition, or at the very least, an action that occurs *as part of*
> the evaluation (e.g. 'confirmation of audit entry prior to issuing
> grant').
I agree that the phrase "MUST BE COMPLETED" is misleading. The heart of the
post-condition is the notion of an annotation that should be attached to
the access
decision. How the post-condition should be processed? So let's assume
a (virtual) post-condition management component that receives a set of
post-conditions
from PDP and that manages them (execute them, queue them, fire them, etc.).
The post-condition management component here is a new component in the
current
XACML domain model and practically it may be a part of PDP or a part of
PEP.
Roughly speaking, the PDP's role should be limited to how to generate the
right access
decision with necessary post-conditions. How it is executed in the
post-condition
management component could be outside the XACML normative specification.
Suppose that PDP generates the access decision like "Alice is allowed to
read
resource X, and post-condition is the log". The post-condition is submitted
to the
post-condition management component and it instantly executes the log
operation.
Suppose another access decision like "Alice is allowed to write her
preference in the
server, and post-condition is to delete her preference in 30 days". In this
case,
the post-condition cannot be executed instantly, instead the delete
operation must be
performed 30 days after this decision is generated. Thus the write
privilege is given to her
provided the system can guarantee the delete operation in 30 days.
As two examples shows, the meaning of the post-condition and how it is
executed
depends on each application. The point is that XACML does not have to worry
about
what it means and how it is executed. XACML only has to define how the
post-condition
is syntactically represented and how it is computed in response to the
access request.
Thus, "... MUST BE COMPLETED ..." in the definition should be rephrased as
"A process specified in a rule that should be returned in conjunction with
access as
an annotation. It means that the post-condition should be executed in
conjunction
with access."
We may need the following description:
"How post-condition is executed is outside the XACML specification.
XACML describes potential configurations of PDP/PEP for supporting
post-condition as informative"
> ...which in my mind will hamper interoperability greatly.
My opinion on interoperability is "XACML processor generates the same set
of access
decisions with the post-condition in response to the set of access
requests". and
"How the post-condition is executed is outside the XACML interoperability"
> here we have the situation where a user is only supposed to be on one
> ...
I think your examples can be distinguished using different URIs of
post-conditions.
For the case of the vender A, the semantics could be represented by
<operation uri="http://www.vendorA.com/postCond/kill-other-session"/>
For the case of the vender B, the semantics could be represented by
<operation uri="http://www.vendorB.com/postCond/kill-other-session"/>
Policy writer must be careful in writing the post-condition URI because
different URI means different semantics. Again, note that the semantics of
each post condition is outside the XACML specification as I wrote above.
Does this answer your question?
>
> it seems to me from the meeting that the primary issue here was
> that SAML provided no such mechanism for response?
> ...
Section 4.5 of the proposal writes the following:
4.5 How to return post conditions via SAML
Post conditions are stored in <condition> element of SAML authorization
decision assertion. XACML provides a namespace for storing post conditions.
(It would be an unbounded sequence of <operation> element.)
Is this what you are concerned?
Best regards,
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
From: bill parducci <bill@parducci.net> on 2002/02/14 00:18
To: "XACML TC <xacml"
cc:
Subject: Re: [xacml] <xacml><model> Proposal of Post Condition
sorry to take so long to respond to this.
Michiharu Kudoh wrote:
> 1.1 Definition of post conditions
> A process specified in a rule that must be completed in conjunction with
> access.
forgetting for a moment the syntactic issues with the term 'post
condition' itself, i have a fundamental problem with the concept of MUST
BE COMPLETED as a result of granting access. this implies that if the
action does not occur the access should not be granted. that makes it a
precondition, or at the very least, an action that occurs *as part of*
the evaluation (e.g. 'confirmation of audit entry prior to issuing
grant').
otherwise we get into some very dangerous ground quickly:
> While XACML defines the processing rules of the post conditions, the
> actual meaning of each post condition differs from application. It
> also depends on the configuration of the PEP and/or PDP.
which would lead us into this:
> 4.2 Mandatory v.s. advisory post conditions XACML does not support
> any distinction between mandatory post condition and advisory post
> conditions. The meaning of the post condition is determined in each
> application. Thus, errors and exceptions of the post conditions are
> not defined in XACML.
...which in my mind will hamper interoperability greatly.
example
(gated security)
--------
request access to resource X
policy: user only log onto 1 system at a time
post-condition: kill other sessions on grant
(vendor A)
evaluate -> kill access to Y -> if ack, grant; else deny
(vendor B)
evaluate -> grant -> kill access to Y
here we have the situation where a user is only supposed to be on one
system at a time (or logged in only once, or only one user per system at
a time, as in the case of a write to a record...) and yet we are
granting access without actually enforcing this. should be a
PRE-condition, right? what's the distinction? do we list all the things
that are OK to do after because they are not 'necessary' to granting
access? i know that it is a slippery slope, but is there a finite set of
operations that we are acceptable 'post conditions'? logging seems to
really be the only actual example we have, do we do something
specifically for that?
does this make sense?
on the other hand, this makes sense to me:
> Necessary cryptographic/security operations to secure target resource:
...in that a 'grant with stipulation' has a finite evaluation. obviously
there a requirement for a concise description of stipulations needed
here--something similar to our extension for evaluation methods i would
imagine. it seems to me from the meeting that the primary issue here was
that SAML provided no such mechanism for response? is that the case?
b
----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC