Subject: [xacml] Background


Text and .doc on "background".  All the best.  Tim.

1.1. Background
The modern enterprise is pervaded by information systems and devices.  Economies of scale have driven vendors to provide increasingly general-purpose solutions that must be configured to address the specific needs of each situation in which they are applied.  This leads to constantly increasing complexity and configurability.  Furthermore, the devices and systems may be distributed widely in a global enterprise.  The task of analyzing and controlling system and device configuration in a consistent manner across an entire enterprise is an enormous challenge, compounded by the fact that, even when systems and devices support configuration by a remote console, there is no common interface standard.  Consequently, it is becoming increasingly difficult for an enterprise to obtain a consolidated view of the policy in effect across its many and diverse systems and devices or to enforce a single policy that affects many of those devices and systems.

The objective of XACML is to address this need by defining a language capable of expressing policy statements for a wide variety of information systems and devices.

The approach taken by XACML is to draw together long-established techniques for access-control and then to extend a platform-independent language (XML) with suitable syntax and semantics for expressing those techniques in the form of policy statements.

XACML exploits long-established techniques, such as:
· Combining independent rules to form a single policy.
· Combining independent policies, optionally from different policy-writers, to form a single policy set.
· The parameterization of the algorithm to be used for combining rules and policies.
· Attaching to a rule or policy an indication of the set of decisions that the rule or policy is intended to render.
· Defining the set of decisions that the rule or policy is intended to render in terms of the name or attributes of the subject, resource and action identified in the decision request.
· Specifying in a policy statement a set of actions that must be performed in conjunction with the rendering of a decision.
· Stating rule conditions as a logical expression of predicates of functions of attributes of the resource and/or subject.
· Providing an abstraction layer between the policy language and the environment to which it applies.
· The communication of policies, either attached to the resources they are intended to protect, or separately.
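As an added illustration of the techniques listed above (example code written for this page, not part of the draft or of any XACML implementation), the following Python sketch models rules, policies and policy sets with targets, conditions, obligations and a parameterised combining algorithm; the hospital-records sample, its attribute names and the two policy-writers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
Result = Tuple[str, List[str]]  # (decision, obligations to perform with it)

def _matches(target: Dict[str, str], req: Dict[str, str]) -> bool:
    # A target names, by subject/resource/action attributes, the requests
    # for which the rule or policy intends to render a decision.
    return all(req.get(k) == v for k, v in target.items())

@dataclass
class Rule:
    target: Dict[str, str]
    effect: str  # "Permit" or "Deny"
    condition: Callable[[Dict[str, str]], bool] = lambda r: True  # predicate on attributes
    obligations: List[str] = field(default_factory=list)  # actions tied to the decision

    def evaluate(self, req: Dict[str, str]) -> Result:
        if not _matches(self.target, req) or not self.condition(req):
            return "NotApplicable", []
        return self.effect, list(self.obligations)

def _overrides(order: Tuple[str, str]) -> Callable[[List[Result]], Result]:
    # Parameterised combining algorithm: the first effect in `order` wins, and
    # only the obligations of children that rendered that effect are kept.
    def combine(results: List[Result]) -> Result:
        for winner in order:
            if any(d == winner for d, _ in results):
                return winner, [o for d, obs in results if d == winner for o in obs]
        return "NotApplicable", []
    return combine
DENY_OVERRIDES, PERMIT_OVERRIDES = _overrides(("Deny", "Permit")), _overrides(("Permit", "Deny"))

@dataclass
class Policy:
    target: Dict[str, str]
    children: list  # Rules (a policy) or Policies (a policy set)
    combine: Callable[[List[Result]], Result] = DENY_OVERRIDES

    def evaluate(self, req: Dict[str, str]) -> Result:
        if not _matches(self.target, req):
            return "NotApplicable", []
        return self.combine([c.evaluate(req) for c in self.children])

# Constructed sample: a records policy and an emergency policy from a second
# policy-writer, combined into one policy set under permit-overrides.
RECORDS = Policy({"resource.type": "record"}, [
    Rule({}, "Permit", lambda r: r.get("subject.role") in ("doctor", "nurse"), ["log-access"]),
    Rule({"action": "write"}, "Deny", lambda r: r.get("subject.role") != "doctor")])
EMERGENCY = Policy({"subject.context": "emergency"},
                   [Rule({}, "Permit", obligations=["notify-privacy-officer"])])
POLICY_SET = Policy({}, [RECORDS, EMERGENCY], PERMIT_OVERRIDES)
def decide(req: Dict[str, str]) -> Result:
    return POLICY_SET.evaluate(req)
```

Note that the emergency policy's obligation is returned only when that policy is the one whose effect wins, while a nurse's ordinary write is refused by the records policy's own deny-overrides rule combination.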
The following sections describe how to understand the rest of this specification.
1.1.1. Rule combining
Ref. 5
1.1.2. Policy combining
Refs. 5, 8
1.1.3. Combining algorithm
Ref. 7
1.1.4. Decision indication

1.1.5. Names or attributes
Refs. 2, 6
1.1.6. Specifying actions
Ref. 1
1.1.7. Expression of predicates
Ref. 4
1.1.8. Abstraction layer

1.1.9. Policy attachment
Refs. 1, 3

1.2. References
1. H. Perritt. Knowbots, Headers & Contract Law. 1993.
2. Orange Book.
3. Trusted Network Interpretation.
4. X.500 filter.
5. J. Moffett and M. Sloman. Policy hierarchies for distributed system management. IEEE Journal on Selected Areas in Communications, pages 1404-1414, December 1993. Special Issue on Network Management.
6. R. Sandhu, E. Coyne, H. Feinstein and C. Youman. Role-based access control models. IEEE Computer, 9(2): 38-47, 1996.
7. S. Jajodia, P. Samarati, V. S. Subrahmanian and E. Bertino. A unified framework for enforcing multiple access control policies. Proceedings of ACM SIGMOD, 1997.
8. N. Minsky and V. Ungureanu. Unified support for heterogeneous distributed systems. 7th USENIX Security Symposium, San Antonio, Texas, January 1998.

-----------------------------------------
Tim Moses
Tel: 613.270.3183

 

Attachment: Background.doc
Description: MS-Word document
