Re: [xacml] Possible future XACML TC work

[Satoshi Hada <SATOSHIH@jp.ibm.com>]

Hi,

Now I'm wondering if my comments in my previous mail make no sense
if I'm not talking about different requests.

>>I assume you're talking about different requests

This time, I'm talking about different requests.

My original motivation was to evaluate a policy
for hierarchical resources efficiently.

For example, consider a policy with three rules (with the same condition)
for the root resource and two child resources,
and assume that we want to evaluate the policy for
the root resource and get the evaluation results
not only for ROOT, but also for CHILD1 and CHILD2.
(according to Section 7.8)

<Condition id="c1"> <!-- the definition of "c1" -->
  A condition description is here.
</Condition>

<Rule RuleId="r1" Effect="Permit">
  <Target>
   resource-id=ROOT and action-id=READ
  </Target>
  <Condition ref="c1"> <!-- just a reference -->
</Rule>

<Rule RuleId="r2" Effect="Permit">
  <Target>
   resource-id=CHILD1 and action-id=READ
  </Target>
  <Condition ref="c1"> <!-- just a reference -->
</Rule>

<Rule RuleId="r3" Effect="Permit">
  <Target>
   resource-id=CHILD2 and action-id=READ
  </Target>
  <Condition ref="c1"> <!-- just a reference -->
</Rule>

Then we need to evaluate this policy using three different requests,
which I think are the same except for the value of the resource-id
attribute.

The evaluation scenario with the condition cache is like this:
When the first request for ROOT is evaluated, "r1" is matched and
"c1" is evaluated.
Then the second and third requests for CHILD1 and CHILD2 are evaluted,
"r2" and "r3" are matched, and so we can reuse the evaluation result of
"c1".
(Here I'm assuming that the resource-id is not referenced in the condition
"c1".
For example, a condition on "current-date")

Does this make sense?

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com


                                                                                                                                   
                      Satoshi                                                                                                      
                      Hada/Japan/IBM@IB        To:       Seth Proctor <seth.proctor@sun.com>                                       
                      MJP                      cc:       XACML TC <xacml@lists.oasis-open.org>                                     
                                               Subject:  Re: [xacml] Possible future XACML TC work                                 
                      2003/02/14 01:33                                                                                             
                                                                                                                                   
                                                                                                                                   




>>I assume you're talking about different requests

I'm not talking about different requests.

>> the Target requirements from the two rules can always be combined

Do you mean that we can always combine two rules with different targets but
with the same effect and same condition into a single rule?

How to combine the following two rules?

<Condition id="c1"> <!-- the definition of "c1" -->
  A condition description is here.
</Condition>

<Rule RuleId="r1" Effect="Permit">
  <Target>
    subject-id="Manager" AND action-id="write"
  </Target>
  <Condition ref="c1"> <!-- just a reference -->
</Rule>

<Rule RuleId="r2" Effect="Permit">
  <Target>
    subject-id="Employee" AND action-id="read"
  </Target>
  <Condition ref="c1"> <!-- just a reference -->
</Rule>

-----------------------------------------------------

If the XACML schema allows a rule to have multiple conditions (combined by
"AND" or "OR").
We can write a policy like this.

<Condition id="c1"/>
<Condition id="c2"/>
<Condition id="c3"/>

<Rule id="r1">
  <Condition ref="c1">
  <Condition ref="c2">
</Rule>

<Rule id="r2">
  <Condition ref="c2">
  <Condition ref="c3">
</Rule>

In this case, the evaluation result of "c2" can be reused.

My point is that the condition specification in rules can be composable by
defining
conditions outside rules and referencing the defined conditions from rules.
I think such a composable feature would be useful for the cache of
condition evaluation results.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



                      Seth Proctor

                      <seth.proctor@sun        To:       Satoshi
Hada/Japan/IBM@IBMJP
                      .com>                    cc:       Michiharu
Kudoh/Japan/IBM@IBMJP, XACML TC <xacml@lists.oasis-open.org>
                                               Subject:  Re: [xacml]
Possible future XACML TC work
                      2003/02/14 00:46







> <Condition id="c1"> <!-- the definition of "c1" -->
>   A condition description is here.
> </Condition>
> <Rule id="r1">
>   <Condition ref="c1"> <!-- just a reference -->
> </Rule>
> <Rule id="r2">
>   <Condition ref="c1"> <!-- just a reference -->
> </Rule>

Per my last email, I assume you're talking about different requests, since
this policy doesn't seem all that useful to me. If two rules have the same
condition, then why have two rules? There's no real value that I can see in
writing a policy like this unless you want different Target requirments,
but
the Target requirements from the two rules can always be combined (unless
you
want different Effects, but again I don't see why you form a Policy like
that). Maybe I just need a more concrete example...


seth






----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>