xacml message
Subject: RE: Minor XACML Spec errata and resource labels


XACML as a language and as semantics for use by a Policy Decision
Point is at a separate "layer" from the representation of various
attributes in various systems.  XACML expects each AttributeId to
correspond to some "attribute" of an object, but XACML itself
does not specify that correspondence, how the attribute is
retrieved, or from where the attribute is retrieved.

If you want to associate an attribute to be used by XACML with a
resource, and you are free to define the format of that
attribute, the most straightforward correspondence would be to
define the attribute in the form of an XACML Request Attribute
(xs:complexType name="AttributeType" defined in XACML Context).
For example, you would specify a resource label consisting of
the classification scheme "U.S. Navy Document Classification
Scheme" with value "top secret" as

  <Attribute AttributeId="U.S. Navy Document Classification Scheme"
             DataType="...#string">
     <AttributeValue>top secret</AttributeValue>
  </Attribute>

and a representation of this would be stored in some attribute
repository in association with the resource to which it applies.

Even when using this definition, however, the XACML PDP (or its
associated "Attribute Finder") must know that this is the
representation being used, how to locate the attributes
associated with a particular resource, and how to retrieve those
attributes.

I do not see how associating a PolicySet with each resource
solves your problem.  Such a PolicySet might specify the policy
for which user attributes are required to access the resource
(e.g. which "clearance level" attributes and values), but this
does not define a "resource label".  Can you give an example of
what you are thinking of doing?

Anne Anderson

On 21 April, Jeff writes: RE: Minor XACML Spec errata and resource labels
 > Yes, classification schemes/values are good. Clearly, it is
 > essential that, in such cases, classification schemes/values
 > be made part of a PolicySet (as an "Attribute" of the
 > Resource, as you suggest).
 > 
 > My understanding is that a PolicySet is a relatively stable
 > XML document that will be used by software like a PDP. My
 > point is that the resource ITSELF (the thing being protected
 > not its reference in a PolicySet) needs to carry a label.
 > 
 > Consider individual resources such as files on a hard disk:
 > there would typically be very many files each with their own
 > INDIVIDUAL classification scheme/value. Hence, for complete
 > interoperability between disparate XACML systems there needs
 > to be a standard way of describing the classification
 > scheme/value that applies to each individual file. Now, I know
 > that what's important here is the Request and that
 > classification schemes/values for individual files will be
 > carried by the Request but I'm thinking of providing a generic
 > implementation and I would like a way of labeling files that
 > follows an XACML standard.
 > 
 > I'm inclined to think that individual instances of PolicySet
 > objects could be used to label each 'resource thing' but I
 > don't think that this is the intended use for PolicySets and I
 > was wondering if you had a better suggestion or could sanction
 > such a use of PolicySets!
 >
 > -----Original Message-----
 > From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
 > Sent: Monday, April 21, 2003 11:06 AM
 > To: jeff@cogentlogic.com
 > Cc: XACML TC
 > Subject: Re: Minor XACML Spec errata and resource labels
 > ....
 > I assume, by "resource label", you mean a classification scheme
 > and a classification value, such as "U.S. Navy Classification
 > System XYZ" "top secret".  This could be expressed in XACML as an
 > "Attribute" of the Resource.  The AttributeId could be a URN
 > indicating the classification scheme, and the AttributeValue
 > could be the classification value.
 > 
 > Does this satisfy your requirements?
 > 
 > Anne Anderson
 > 
 > On 19 April, Jeff writes: Minor XACML Spec errata and resource labels
 >  > From: "Jeff" <jeff@cogentlogic.com>
 >  > To: <Anne.Anderson@sun.com>
 >  > Subject: Minor XACML Spec errata and resource labels
 >  > Date: Sat, 19 Apr 2003 17:02:54 -0400
 > ....
 >  > I don't see anything in XACML relating to resource labels
 >  > (in fact the word label doesn't appear at all in
 >  > oasis-####-xacml-1.0.pdf!). Resource labels are part of the
 >  > authorization support in the X.509 standard and are used in
 >  > several RBAC implementations. Resource labels are useful in
 >  > enabling resource characteristics (i) to be set on
 >  > resources and (ii) to form part of access control
 >  > decisions. I feel sure that you must be aware of this and
 >  > can only conclude that a PolicySet is intended to act as a
 >  > resource label (in addition to acting as a policy set!). Is
 >  > this correct?

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
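The reply above describes two separate things: a resource label expressed as an XACML Request `<Attribute>` of the Resource, and the Attribute Finder step in which the PDP side must know how to locate and retrieve that label for a given resource. The following Python script is an added example, not code from the OASIS thread or from any XACML implementation. It assumes the XACML 1.0 context namespace, the standard `resource-id` and `action-id` AttributeIds and the XML Schema string DataType URI (all real identifiers, written out in full where the reply elides the DataType), uses the reply's own "U.S. Navy Document Classification Scheme" as the label AttributeId, and constructs a hypothetical `urn:example:clearance` subject attribute, an in-memory label repository and a fixed ordering of classification values purely for illustration.

```python
"""Added example (not part of the OASIS xacml thread): represent a
resource label as an XACML 1.0 Resource <Attribute>, look it up from an
attribute repository the way an "Attribute Finder" would, and evaluate
a toy clearance-dominates-label rule over the resulting Request."""
import xml.etree.ElementTree as ET

# Real XACML 1.0 / XML Schema identifiers (assumed known to the reader).
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Label AttributeId taken from the reply's example.
LABEL_SCHEME = "U.S. Navy Document Classification Scheme"
# Hypothetical subject attribute carrying the requester's clearance.
CLEARANCE_ID = "urn:example:clearance"

# Constructed attribute repository: resource-id -> stored label value.
LABEL_REPOSITORY = {
    "file:///srv/docs/plan.doc": "top secret",
    "file:///srv/docs/memo.txt": "unclassified",
}
# Constructed dominance ordering, lowest to highest.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def find_resource_label(resource_id):
    """Attribute Finder step: retrieve the label stored with the resource."""
    return LABEL_REPOSITORY.get(resource_id)


def _add_attribute(parent, ns, attribute_id, value):
    attr = ET.SubElement(parent, ns + "Attribute",
                         AttributeId=attribute_id, DataType=XS_STRING)
    ET.SubElement(attr, ns + "AttributeValue").text = value
    return attr


def build_request(subject_clearance, resource_id, action="read"):
    """Build a Request whose Resource carries the label as an Attribute."""
    label = find_resource_label(resource_id)
    if label is None:
        raise LookupError("no label stored for " + resource_id)
    ET.register_namespace("", CONTEXT_NS)  # emit as the default namespace
    ns = "{%s}" % CONTEXT_NS
    req = ET.Element(ns + "Request")
    _add_attribute(ET.SubElement(req, ns + "Subject"), ns,
                   CLEARANCE_ID, subject_clearance)
    res = ET.SubElement(req, ns + "Resource")
    _add_attribute(res, ns, RESOURCE_ID, resource_id)
    _add_attribute(res, ns, LABEL_SCHEME, label)  # the resource label
    _add_attribute(ET.SubElement(req, ns + "Action"), ns, ACTION_ID, action)
    return ET.tostring(req, encoding="unicode")


def _attribute_value(root, section, attribute_id):
    ns = {"ctx": CONTEXT_NS}
    for attr in root.findall("ctx:%s/ctx:Attribute" % section, ns):
        if attr.get("AttributeId") == attribute_id:
            return attr.findtext("ctx:AttributeValue", namespaces=ns)
    return None


def label_from_request(request_xml, scheme=LABEL_SCHEME):
    """PDP side: read the resource label back out of the Request context."""
    return _attribute_value(ET.fromstring(request_xml), "Resource", scheme)


def decide(request_xml):
    """Toy rule: Permit only if the subject's clearance dominates the label.
    Missing or unknown values yield Indeterminate rather than a silent Permit."""
    root = ET.fromstring(request_xml)
    clearance = _attribute_value(root, "Subject", CLEARANCE_ID)
    label = label_from_request(request_xml)
    if clearance not in LEVELS or label not in LEVELS:
        return "Indeterminate"
    return "Permit" if LEVELS.index(clearance) >= LEVELS.index(label) else "Deny"


if __name__ == "__main__":
    request = build_request("secret", "file:///srv/docs/plan.doc")
    print(request)
    print(label_from_request(request), "->", decide(request))
```

The point the reply makes is visible in the two halves of the script: `build_request` only works because `find_resource_label` knows where labels live and how they are keyed, and `decide` only works because it knows which `AttributeId` denotes the label; neither of those conventions is given by XACML itself.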