OASIS Mailing List Archives
xacml message



Subject: [xacml] Review of Section 8


- Change request to other sections:
  + Section B.10: Resource Attributes

The identifier indicates the scope of the request with regard to the
resource. When this attribute is specified in the request, the value MUST
be either 'Immediate', 'Children', or 'Descendant'.

- Change request to Section 8 Operational Model (normative)
  + Description change of Section 8.1 and new subsections

8.1 Policy Decision Point (PDP)
Given a valid XACML "Policy" or "PolicySet", a compliant XACML PDP MUST
evaluate that statement in accordance with the semantics specified in
Sections 4, 5, and 6 when applied to a specific input context. The PDP MUST
return an output context with one value of "Permit", "Deny",
"Indeterminate", or "NotApplicable".

If a permit is returned, the PEP permits access to the requested resource.
If a denial is returned, the PEP denies access to the requested resource.
If a permit with one or more obligations is returned, the PEP permits
access provided that every obligation is fulfilled successfully. If a
denial with one or more obligations is returned, the PEP denies access but
still fulfills the obligations. In each case, when fulfilling an obligation
fails, the PEP SHOULD raise an error. How the error is raised is out of
the scope of XACML. In any case, the PDP can return additional information
in the status code element of the response context. For a 'Permit'
decision, it MAY specify which rules were used in making the decision.

If an indeterminate is returned, it means that the PDP could not make a
decision for some reason. The PDP MAY return a decision of "indeterminate"
with a status code of "urn:oasis:names:tc:xacml:1.0:missing-attribute",
signifying that more information is needed. In this case, the decision MAY
list the names of any attributes of the subject and the resource that are
needed by the PDP to refine its decision. A PEP MAY resubmit a refined
request context in response to a decision of "indeterminate" with a status
code of "missing-attribute" by adding attribute values for the attribute
names that are listed in the response. When the PDP returns a decision of
"indeterminate" with a status code of "missing-attribute", the PDP MUST NOT
list the names of any attribute of the subject or the resource of the
request for which values were already supplied in the request. Note that
this requirement forces the PDP to eventually return a decision of
"permit", "deny", or "indeterminate" with some other reason, in response
to successively-refined requests.

If "NotApplicable" is returned, it means that the PDP's policy does not
cover the request, implying that the PEP should ask another PDP.

XACML does not assume how top-level XACML policies should be configured.
For example, a top-level policy might be a 'Policy' element containing a
target element that matches every request, or it might be a 'Policy'
element containing a target element that matches only a specific subject.

8.2 Hierarchical Resource
It is often the case that a target resource is organized as a hierarchy
(e.g. a file system or an XML document). Some applications may require
access to an entire subtree of the resource. XACML allows the PEP (or
Context Handler) to specify whether the access is just for a single
resource or for the subtree below the specified resource. The latter is
equivalent to repeating a single request for every resource in the subtree.
When a request context contains a resource attribute of
'urn:oasis:names:tc:xacml:1.0:resource:scope' with a value of 'Immediate',
or does not contain that attribute at all, the access is just for the
single resource specified by the 'ResourceId' attribute. When the
'urn:oasis:names:tc:xacml:1.0:resource:scope' attribute has a value of
'Children', the access is for both the specified resource and its child
resources. When the 'urn:oasis:names:tc:xacml:1.0:resource:scope'
attribute has a value of 'Descendant', the access is for both the specified
resource and all of its descendant resources. In the case of 'Children'
and 'Descendant', the access decision may include multiple results for the
multiple resources. An XACML response can contain multiple result
elements. In that case, the status element SHOULD be included only in the
first result element (the remaining result elements SHOULD NOT include the
status element). Note that how the PDP finds out whether the resource is
hierarchically organized is out of the scope of XACML.

8.3 Propagation through Data Hierarchy
When the resource is hierarchically organized, it is often the case that an
access control rule associated with a certain node propagates down to the
descendant nodes. The XACML core rule combining algorithms do not support
such propagation of access control rules. Policy writers who need
propagation MUST implement their own local algorithm and specify that
algorithm's ID in the RuleCombiningAlgId of the Policy element.

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
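The following is an added worked example, not code from the message above nor from any XACML implementation. It models the operational rules proposed in Sections 8.1 and 8.2 as a toy PDP/PEP pair: a request's `resource:scope` attribute ('Immediate', 'Children', 'Descendant') is expanded over a hierarchy into one result per resource, the status element is attached only to the first result, obligations are fulfilled on both Permit and Deny with a failure reported as an error, and the PEP resubmits a refined request on a `missing-attribute` status. Because the PDP never lists attributes the request already supplied, each refinement round adds a fresh attribute and the loop terminates. The resource tree, the policy inside `evaluate_one`, and the `fulfill` obligation handler are constructed, hypothetical inputs.

```python
from typing import Optional
from dataclasses import dataclass, field

SCOPE_ATTR = "urn:oasis:names:tc:xacml:1.0:resource:scope"
MISSING_ATTR = "urn:oasis:names:tc:xacml:1.0:missing-attribute"

# Constructed resource hierarchy (hypothetical file tree): parent -> children.
TREE = {
    "/docs": ["/docs/public", "/docs/hr"],
    "/docs/public": ["/docs/public/faq.txt"],
    "/docs/hr": ["/docs/hr/salaries.csv"],
    "/docs/public/faq.txt": [],
    "/docs/hr/salaries.csv": [],
}


def expand_scope(resource_id, scope):
    """Resources covered by a request, per the resource:scope attribute."""
    if scope in (None, "Immediate"):          # absent attribute means Immediate
        return [resource_id]
    if scope == "Children":
        return [resource_id] + TREE.get(resource_id, [])
    if scope == "Descendant":                 # breadth-first walk of the subtree
        out, queue = [], [resource_id]
        while queue:
            node = queue.pop(0)
            out.append(node)
            queue.extend(TREE.get(node, []))
        return out
    raise ValueError("scope must be Immediate, Children or Descendant")


@dataclass
class Result:
    resource_id: str
    decision: str
    obligations: list = field(default_factory=list)
    status: Optional[str] = None        # set only on the first result element
    missing: list = field(default_factory=list)


def evaluate_one(subject, resource_id):
    """Hypothetical policy: the hr subtree requires a 'department' attribute."""
    if resource_id.startswith("/docs/hr"):
        if "department" not in subject:
            return "Indeterminate", [], ["department"]
        if subject["department"] == "hr":
            obligations = ["log-access"]
            if resource_id.endswith(".csv"):
                obligations.append("notify-owner")   # fulfill() rejects this one
            return "Permit", obligations, []
        return "Deny", ["log-denial"], []
    if resource_id.startswith("/docs/public"):
        return "Permit", [], []
    return "NotApplicable", [], []


def pdp_evaluate(request):
    """One Result per covered resource; status and missing names on the first only."""
    subject = request["subject"]
    rid = request["resource"]["ResourceId"]
    results, missing = [], []
    for r in expand_scope(rid, request["resource"].get(SCOPE_ATTR)):
        decision, obligations, needed = evaluate_one(subject, r)
        results.append(Result(r, decision, obligations))
        # MUST NOT list attributes the request already supplied.
        missing += [n for n in needed if n not in subject and n not in missing]
    results[0].status = MISSING_ATTR if missing else "ok"
    results[0].missing = missing
    return results


def fulfill(obligation):
    """Hypothetical obligation handler: only 'log-*' obligations succeed."""
    return obligation.startswith("log-")


def pep_enforce(request, attribute_source):
    """PEP side: refine on missing-attribute, then enforce with obligations."""
    req = {"subject": dict(request["subject"]), "resource": dict(request["resource"])}
    while True:
        results = pdp_evaluate(req)
        first = results[0]
        if first.status == MISSING_ATTR:
            # Only attributes not yet supplied can be listed, so every
            # resubmission adds a fresh one and the refinement loop terminates.
            fresh = {n: attribute_source[n] for n in first.missing
                     if n in attribute_source and n not in req["subject"]}
            if fresh:
                req["subject"].update(fresh)
                continue
        outcome = {}
        for r in results:
            fulfilled = [fulfill(o) for o in r.obligations]   # run them all, Permit or Deny
            if r.decision == "Permit":
                outcome[r.resource_id] = "granted" if all(fulfilled) else "error"
            elif r.decision == "Deny":
                outcome[r.resource_id] = "denied" if all(fulfilled) else "denied (obligation error)"
            else:
                outcome[r.resource_id] = r.decision   # Indeterminate / NotApplicable: no access
        return outcome


if __name__ == "__main__":
    req = {"subject": {"id": "alice"},
           "resource": {"ResourceId": "/docs", SCOPE_ATTR: "Descendant"}}
    print(pep_enforce(req, {"department": "hr"}))
```

A request for `/docs` with scope 'Descendant' and no department attribute first comes back as "Indeterminate" with the `missing-attribute` status on the first result; after the PEP supplies `department`, the second round yields a decision per resource, with `/docs/hr/salaries.csv` reported as an error because its `notify-owner` obligation could not be fulfilled.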
